Connected Cars and IoT Surveillance

Connected Cars

GM / LexisNexis (March 2024)

NYT (Kashmir Hill): GM collected driving data (speed, braking, acceleration) through OnStar Smart Driver program, sold to LexisNexis Risk Solutions and Verisk Analytics. Brokers generated “risk scores” sold to insurance companies to raise premiums. Many drivers enrolled without clear understanding of consent. GM ended Smart Driver data-sharing following reporting.

What Modern Cars Collect

100+ sensors per vehicle, always-on cellular modems. Data: GPS location, speed, hard braking/acceleration, steering input, seatbelt status, paired phone data, voice commands, cabin camera footage (some models). Tesla logs granular driving telemetry for all vehicles; stores Autopilot camera footage. Sentry Mode uses exterior cameras creating persistent surveillance record.

Insurance Telematics

  • Progressive Snapshot (launched 2011)
  • State Farm Drive Safe & Save
  • Allstate Drivewise

Use OBD-II dongles or smartphone apps. Monitor: speed, braking, mileage, time-of-day driving patterns.

Mozilla Foundation “Privacy Not Included” (September 2023)

Evaluated 25 major car brands. Rated cars “worst category of products for privacy” ever reviewed. All 25 earned warning label. 84% shared or sold user data. 56% would share with law enforcement without requiring warrant.

Law Enforcement Access

Multiple police departments used telematics data and infotainment system forensics in investigations. Courts have not consistently required warrants. Many automakers' privacy policies permit disclosure upon law enforcement request.


Smart Home / IoT

Ring (Amazon)

EFF and Sen. Ed Markey (2022): Ring provided video footage to law enforcement at least 11 times in 2022 without warrant or user consent, citing “emergency” circumstances. January 2023: Ring announced it would stop allowing police to request footage directly, would require warrant, court order, or consent.

Alexa

Recordings subpoenaed in multiple criminal cases. State v. Bates (Bentonville, Arkansas, 2015): prosecutors sought Alexa recordings from home where death occurred. Amazon initially resisted; defendant consented to release. 2019: New Hampshire judge ordered Amazon to turn over recordings in double-murder case.

Vizio (February 2017)

FTC settlement $2.2 million. Vizio installed automated content recognition (ACR) on 11 million smart TVs, tracking second-by-second viewing data, sold to advertisers without user knowledge or consent.

Smart Meters

Advanced metering infrastructure records electricity at 15-minute (or finer) intervals. Research shows this reveals occupancy patterns, sleep schedules, appliance usage, daily routines. Naperville Smart Meter Awareness v. City of Naperville (7th Circuit, 2018): smart meter data collection constitutes a Fourth Amendment search.

Roomba / iRobot

Roomba vacuums generate detailed floor-plan maps. Amazon announced $1.7 billion acquisition of iRobot (August 2022). EU opened investigation. Amazon abandoned acquisition January 2024, citing regulatory obstacles.

Quarkslab BYD Telematics Teardown (2025)

Researchers at Quarkslab physically tore down a BYD Seal telematics unit (Qualcomm MDM9628 modem, Micron NAND flash). Extracted memory chip via micro-soldering, dumped filesystem contents.

Data Recovered

  • Complete GPS/GNSS location history spanning factory production in China, UK operation, and Polish dismantling
  • WiFi credentials in plaintext
  • Root password hashes (SHA-256)
  • Enabled services (ADB, Telnet, FTP)
  • Boot logs and operational traces

The Facebook Accident

Researchers identified a cluster of GPS coordinates at a single UK location on May 24, 2025. Searched location + date via OSINT. Found a public Facebook post showing a car accident at “Sturry Road” matching both coordinates and timestamp. Connected embedded forensic data to a real-world event and real person.

Implication

Sensitive data persists in ECUs after accidents, resale, or scrapping. Telematics units are comprehensive data archives: movement patterns and system configurations accessible long after vehicle disposal. Anyone with physical access to the unit and basic hardware skills can extract complete location history.

Source: https://blog.quarkslab.com/tearing-down-a-car-telematic-unit-and-finding-an-accident-on-facebook.html
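
The categories listed under Data Recovered, turned into a pre-disposal audit of a mounted dump. This is an added example, not Quarkslab's tooling or code from this page. The file paths, the on-disk formats (wpa_supplicant-style `psk=` lines, `$5$` shadow entries, NMEA `RMC` sentences, daemon names in startup scripts) and the sample tree are assumptions constructed for illustration; the page does not say how the BYD unit stores these items.

```python
import re
import tempfile
from pathlib import Path

# Content patterns per category; every on-disk format here is an assumption.
PATTERNS = {
    "wifi_plaintext_psk": re.compile(rb'^\s*psk="[^"\n]{8,63}"', re.M),  # quoted passphrase, not a derived key
    "sha256_crypt_hash": re.compile(rb"^[^:\n]+:\$5\$[^:\n]+:", re.M),   # shadow-style entry, $5$ = sha256crypt
    "gnss_fix_log": re.compile(rb"^\$G[PN]RMC,", re.M),                  # NMEA recommended-minimum fix sentence
    "debug_service": re.compile(rb"\b(adbd|telnetd|ftpd)\b"),            # daemons named in startup scripts
}

def audit_tree(root):
    """Return {category: sorted relative paths} for files under root matching each pattern."""
    root = Path(root)
    findings = {name: [] for name in PATTERNS}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable node in a damaged dump; skip it
        for name, rx in PATTERNS.items():
            if rx.search(data):
                findings[name].append(path.relative_to(root).as_posix())
    return {name: sorted(paths) for name, paths in findings.items()}

def build_sample_tree(root):
    """Write a small constructed tree standing in for a mounted telematics dump."""
    files = {
        "data/wifi/wpa_supplicant.conf": 'network={\n  ssid="ExampleNet"\n  psk="not-a-real-passphrase"\n}\n',
        "etc/shadow": "root:$5$examplesalt$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::\n",
        "etc/init.d/rcS": "#!/bin/sh\n/usr/sbin/telnetd\n/sbin/adbd &\n",
        "var/log/gnss.log": "$GNRMC,120000.00,A,0000.000,N,00000.000,E,0.0,0.0,010100,,,A*00\n",
        "etc/hostname": "unit\n",  # control file: should match nothing
    }
    for rel, text in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Any non-empty category means the unit still holds that class of data and the flash needs wiping or destruction before resale or scrapping.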

Sources

  • NYT, Kashmir Hill (March 2024) on GM
  • Mozilla “Privacy Not Included” (September 2023)
  • EFF / Sen. Markey on Ring (2022)
  • Naperville Smart Meter Awareness v. City of Naperville (7th Cir. 2018)
  • FTC v. Vizio (February 2017)
  • Quarkslab BYD teardown (2025)