Hacker News: 9g3890fj2's comments

Pentester/red teamer here, this point from the article is the key:

"Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses."

You need someone who actually understands networking tech at a deep level to accomplish anything beyond what expensive tooling/devices will offer you. Otherwise, you're always going to be limited by whatever vendor you're using and the capabilities they build in, assuming you're using the solutions to their full capability.


> "Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses."

A lot of companies struggle to have properly trained, staffed and funded IT, let alone their security team.


Yeah, I feel that. Anyone can have a good password, but it's hard to do all that networking stuff. Small teams really suffer on this one more than the other 9, at least in my experience.


I connect my phone to my 2015 Nissan's bluetooth, but just for music. GrapheneOS lets me prevent its access to my contacts, call history, active calls, text messages - anything but music audio. To me (but not the less tech literate, I know), if you're connecting your car to your phone, it's obvious that it is able to gather things about you.

That said, because I don't know much about cars, I don't know if the car is even capable of phoning home or by what means. Is it a 4G signal? Just a radio transponder? How do I even investigate without tearing my dash apart?


All new EU cars since 5 years ago are obligated to have 'eCall' which contacts emergency services in case of a crash. Most manufacturers solve that problem by including a 4G module.

Older cars also collect information. Most dealers read out the nav computer drive at service intervals so they also know where you've been, who you called etc, only a bit later.


Another reason to do my own service or find a trusted independent shop.


The car companies won't let that information out to independent repair shops (except where mandated by laws). The "right to repair" movement is one attempt to make it possible.

The worst offender is John Deere and their newer farm tractors. Only authorized repair centers can get the software needed to troubleshoot the vehicles. Part of why Deere does not want details out there is that some tractor models have the exact same engine, but different power outputs based on how much the customer paid. One could "unlock" a more powerful engine without paying corporate. The really big "implements of husbandry" (as my state calls them) can cost $500k. At peak planting/harvesting time, you can wait weeks for a technician to come to your farm. Or spend a few thousand dollars having it driven to the dealership by truck.


IMHO, the decent indies are all sat on copies of either the original dealer software (by whatever means…) or copies built by companies to emulate original dealer software (VCDS for VAG for example)


One more reason I'm glad I connect my phone with a headphone jack. Just an analog connection carrying audio. The car doesn't even know what it's playing, as far as I know. Though some cars do seem to extract track names and artist names over the aux jack, so I think there's a little more than just an analog signal?


An analog jack should just be an analog signal, the beauty of it for applications like this being that it just works and for a variety of devices including the very first Sony Walkman to name just something which did not include any extra information. While in theory it is possible to encode extra and inaudible information in there, it seems more likely that if a car then knows what is playing it is just using Shazam or similar.


Possibly a side channel digital encoding of the track information, similar to how radio stations can display things like track name on your car radio. But I'm not really sure.


I wonder if phones send out RDS (https://en.wikipedia.org/wiki/Radio_Data_System) information on the aux jack and your car happens to pick up on it.


This sounds like the content recognition they do on TVs. If that's the case, this is creepy as fuck.


One downside I see to this is it being illegal to use a phone while driving, but interacting with your car stereo is fine.

Now I'm wondering if any car stereos have four-pin aux inputs to send headset button inputs or microphone audio back to the phone.


An audio jack can be used for Square payment transactions, so it can't be that isolated.


Do you mean the thing for reading a magnetic stripe? It's no surprise that can be trivially sent over an audio interface. That's how recording audio onto tape works in the first place.


Don't Android and iOS by default prevent Bluetooth from accessing your contacts and calls? I know on Android you have to click a permission popup when connecting to Bluetooth to allow contact and call access.


Same on iOS.


But then you have Android Auto getting full access to the car's OBD. One more reason to use Bluetooth, but Google, and I assume Apple as well, aren't any better.


I dug into the article, specifically the Nissan section. It reads like the car itself _could_ be gathering information on its own. IMO, the Nissan phone app is the more likely culprit here.

Unless there's something wild going on with XM, or there's a WiFi backdoor, the only other way the car is getting data out is over OBD2. And that's all engine, tires, and performance stuff: https://www.amazon.com/Turbo3-Leaf-Spy-Pro/dp/B00PMLTPN0/?ta...

Edit: OH. Looks like there's Over-the-air updates on some models. https://www.nissanusa.com/connect/features-apps/over-the-air...

> The wireless features in your vehicle, including Over the Air Updates require use of your in-vehicle modem (if equipped). While Over the Air Updates are being made, some other wireless features may be unavailable or may require a wired connection. Please see FAQs for additional information.


Interesting. I've never connected my car to my wireless network and I've never used the Nissan app. I think I used a burner email when setting things up, but that was years ago so I don't remember the details. I'll see what happens if I try an OTA update later today and report back.


The hell! You got a 2015 Nissan with Android Auto? I got a 2017 Infiniti that some trims didn't even come with Bluetooth; needless to say none had CarPlay or Android Auto. Damn you Nissan.

But I bought that car because it's something for me to tinker with and I plan to replace that proprietary head unit with an aftermarket one. And also use an Arduino 4 inch LCD to tap into the CAN bus to show HVAC settings.


doesn't say android auto, just the nissan bluetooth. it has voice commands and can access your contacts if you let it, so you hit the talk button on the steering wheel and say "Call Bob D" and it will call, etc. It's kind of jank. same thing with reading out received text messages while driving.

No android auto required.


I don't think android auto even works on graphene anyway.


Just regular Bluetooth, Android Auto and CarPlay are no-gos for me. I want less connectivity, not more.


When you connect a phone to most cars via Bluetooth, the call and general audio permissions are separate from text message and contact info. So for example, in my mom's new car, I connect my phone so that when I drive it, I can take phone calls and listen to music. But for example it can't even display the contact name of contacts who call me, because it doesn't have access to that, so it just displays the phone number.


Yeah, it's usually a cell module (older ones were 3G). Many times it's on its own daughter board and you can disconnect the bridge to the main board, or otherwise unplug it so it can't communicate with the car or towers. I did that to my car that has OnStar and the Bluetooth etc worked fine, but it couldn't transmit/connect to any network.


I always wonder to what extent those opt outs actually do something. I remember reading about the “unsubscribe” button for emails that never really did anything.


.XYZ domains were already too difficult to use for anything other than a regular site since they have such a bad reputation (however warranted it may be) as being used for spam. Not sure what the point is in paying even more for a TLD that's discriminated against by default.


.xyz is one of the most popular TLDs for crypto and web3, but it has a horrible email spam reputation and some gateways blacklist the entire TLD. With the exception of a16z, VCs aren't funding these businesses much anymore, either.

https://techcrunch.com/2021/12/28/wtf-is-xyz/

The biggest user might be block.xyz.

.io, .co, and .ai are still the most popular alternative TLDs for startups.


> .io, .co, and .ai are still the most popular alternative TLDs for startups.

is there a good link for this ranking? i'm curious as to 4th place and below too. what position does .app or .tech or .cloud come, etc.


you can look up domain counts for TLDs here https://deployment.rdap.org/ (sorting works)


I've been using .xyz as my primary email address. Everything from banking to shopping, to governmental stuff. The number of sites that gave me problems is probably less than 10 that I can remember. I have around 700 accounts in my password manager so go figure.


It's not the receiving that's the problem, but the sending. Even having all necessary records in place and using a reputable email provider isn't enough in a lot of cases. You'll just end up in spam.


And even so, what are the odds that other apps will just end up back on the OS after some period of time? It's part of the Windows experience, uninstalling the garbage only to see it come back in an update a couple months later.



Any idea if the new one removed all the dependency on systemd? I know it's the most common among distributions, but plenty of popular ones are using OpenRC, for example, and can't use their client at all because of it.



Nice!


Created an account just to comment - what is awful about 16:9, or "low res" about 1920x1080, for a laptop?


You inspired me to do the same.

It's my first comment here: don't buy any puri.sm products. Or better say, think thrice before doing so. I used to own a Librem 15 v4 which I bought in April 2020. Everything was bad. Just barely usable as a laptop. In January 2022 I spilled water on the keyboard and some keys got stuck, so it kept on typing some letters sporadically. Tried to replace the keyboard -> $150 + delivery because it's the whole top panel to replace. No. OK, disconnected the keyboard and bought a compact Lenovo keyboard (also appeared to be a trashy thing). Half a year later the battery died. No chance to replace, out of stock, not even on Chinese e-shops.

Also, I preordered Librem 5 all the way back in 2019. Decided to cancel the order a year ago – still waiting for my money to come back.

Puri.sm gave me an impression of a scam company, unfortunately.


I'm an owner of Librem 5, Librem 15v3 and Librem 14. First one is the best phone one can dream of: runs desktop GNU/Linux without any proprietary blobs, has a replaceable battery (and I do have a spare one), WiFi and modem, kill switches (for camera/mic, WiFi/Bluetooth, modem), lifetime updates (from mainline Linux). Runs as a desktop if you connect a screen/keyboard.

Librem 15 is an amazing machine, still my daily driver with Qubes OS. Great keyboard, upgradeable RAM and disk, doesn't require any blobs in the userland.

Librem 14 is even better, with two M.2 SSDs, upgradeable and powerful. Definitely checks many boxes in TFA. Too small for my taste but great for travelling.

Yes, Purism has problems with refunds. Don't buy if you want to cancel your order. Everything else is great. Also, forums say that first versions of their devices may have rough edges. Wait until they are well tested to be sure. Librem 14 is well tested and many early problems were solved. Same for Librem 5.


> 16:9, or "low res" about 1920x1080

Nothing if you're mainly going to use it to watch HD movies. I don't mind the resolution on a 13-14 inch screen too much to be fair, but IMHO 16:9 is really quite awful on such a small screen (and tolerable on 15-17 inch ones).


you have probably never used a high res display on a laptop, it makes a huge difference ;-) Macbook Pros have had high res displays since 2012 (2880x1800 for the 15" back then)

The current 14" Macbook Pro comes with 3024x1964. Some other laptops go even higher.

