privacy

86 Articles

A black PCB with a cellular modem board piggy backed on top. It has a micro-USB and DB-type connector on the end facing the camera.

Open Vehicle Monitoring System Is The Window To Your EV’s Soul

January 25, 2024 by 14 Comments

Electric cars have more widgets than ever, but manufacturers would rather you don’t have direct access to them. The Open Vehicle Monitoring System intends to change that for the user. [via Transport Evolved]

As car manufacturers hoover up user data and require subscriptions for basic features, it can be a frustrating time to make such a big purchase. Begun in 2011, OVMS now interfaces with over a dozen different EVs and gives you access to (or helps you reverse engineer) all the data you could want from your vehicle. Depending on the vehicle, any number of functions can be accessed including remote climate start or cell-level battery statistics.

The hardware connects to your car’s OBDII port and uses an ESP32 microcontroller connected to a  SIMCOM SIM7600G modem (including GPS) to provide support for 3 CAN buses as well as Wi-Fi and Bluetooth connections. This can be particularly useful for remote access to data for vehicles that can no longer phone home via their originally included cellular modems as older networks shut down.

Do you wish EVs weren’t so complicated? Read our Minimal Motoring Manifesto.

Fail Of The Week: This Flash Drive Will NOT Self-Destruct In Five Seconds

November 25, 2023 by 49 Comments

How hard can it be to kill a flash drive? Judging by the look of defeat on [Walker]’s face in the video below, pretty darn hard.

To bring you up to speed, and to give the “Mission: Impossible” reference in the title some context, it might be a good idea to look over our earlier coverage of [Walker]’s Ovrdrive project. It started way back in 2022 with the idea that some people might benefit from a flash drive that could rapidly and covertly render the data stored on it, err, “forensically unavailable.” This would require more than just erasing the data, of course, so [Walker] began looking at ways to physically kill a memory chip. First up was a voltage doubler to apply voltage much greater than the absolute maximum rating of 4.6 V for any pin on the chip. That corrupted some files on the flash chip, enough of a win to proceed to a prototype that actually succeeded in releasing the Magic Smoke.

But sadly, that puff of smoke ended up being a fluke. [Walker] couldn’t repeat the result, at least not with the reliability required by people for whom data privacy is literally a life-or-death matter. To increase the odds of a kill, he came up with an H-bridge circuit to reverse the polarity of the memory chip’s supply. Surely that would kill the chip, and from the thermal camera images, it sure looked promising. But apparently, even 167°C isn’t enough to forensically disable the chip, which kind of makes sense from the point of view of reflow survivability.

What’s next for [Walker]? He says he’s going to team up his overvoltage and reverse-polarity methods for one last shot, but after that, he’s about out of reasonable options. Sure, a thermite charge or a vial of superacid would do the trick, but neither is terribly covert. If you’re going to go that way, you might as well just buy a standard flash drive and throw it in the microwave or a blender. And we need to remember that this may be something the drive’s owner needs to do with jack-booted thugs kicking in the door, or possibly at gunpoint. It wouldn’t do to be too conspicuous under such circumstances. That’s why we like the “rapid power cycling” method of triggering the drive’s self-destruct sequence; it could easily be disguised as shaking hands in a stressful situation.

Who knew that memory chips were this robust? Kudos to [Walker] for getting the project as far as he did, and we’re still rooting for him to make it work somehow.

Continue reading “Fail Of The Week: This Flash Drive Will NOT Self-Destruct In Five Seconds”

The UK Online Safety Bill Becomes Law, What Does It Mean?

October 29, 2023 by 64 Comments

We’ve previously reported from the UK about the Online Safety Bill, a piece of internet safety legislation that contains several concerning provisions relating to online privacy and encryption. UK laws enter the statutes by royal assent after being approved by Parliament, so with the signature of the King, it has now become the law of the land as the Online Safety Act 2023. Now that it’s beyond amendment, it’s time to take stock for a minute: what does it mean for internet users, both in the UK and beyond its shores? Continue reading “The UK Online Safety Bill Becomes Law, What Does It Mean?”

Your Car Is A Privacy Nightmare On Wheels

September 12, 2023 by 116 Comments

There was a time when a car was a machine, one which only came to life when its key was turned, and functioned simply as a way to get its occupants from point A to B. For most consumers that remains the case, but unfortunately in the last decade its function has changed from the point of view of a car manufacturer. Motor vehicles have become a software product as much as a hardware one, and your car now comes with all the privacy hazards you’d expect from a mobile phone or a computer. The Mozilla Foundation have taken a look at this problem, and their disturbing finding was that every one of the 25 major automotive brands they tested had significant failings.

Their quote that the cars can collect “deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive.” had us wondering just exactly what kind of sensors they incorporate in today’s vehicles. But beyond mild amusement at some of the possibilities, it’s clear that a car manufacturer can glean a significant amount of information and has begun doing so largely without the awareness of the consumer.

We’ve railed about unnecessary over-computerisation of cars in the past, but from an obsolescence and reliability perspective rather than a privacy one, so it’s clear that the two issues are interconnected. There needs to be some level of public awareness that cars can do this to their owners, and while such things as this Mozilla investigation are great, the message needs to appear in more consumer-focused media.

As well as the summary, Mozilla also provide a detailed report broken down by carmaker.

Header: Michael Sheehan, CC BY 2.0.

Smart Doorbell Focuses On Privacy

August 18, 2023 by 11 Comments

As handy as having a smart doorbell is, with its ability to remotely see who’s at the front door from anywhere with an Internet connection, the off-the-shelf units are not typically known for keeping user privacy as a top priority. Even if their cloud storage systems were perfectly secure (which is not a wise assumption to make) they have been known to give governmental agencies and police free reign to view the videos whenever they like. Unfortunately if you take privacy seriously, you might need to implement your own smart doorbell yourself.

The project uses an ESP32-CAM board as the doorbell’s core, paired with a momentary push button and all housed inside a 3D-printed enclosure. [Tristam] provides a step-by-step guide, including printing the enclosure, configuring the ESP32-CAM to work with the popular open-source home automation system ESPHome, handling doorbell notifications automatically, and wiring the components. There are plenty of other optional components that can be added to this system as well, including things like LED lighting for better nighttime imaging.

[Tristam] isn’t much of a fan of having his home automation connected to the Internet, so the device eschews wireless connections and batteries in favor of a ten-meter USB cable connected to it from a remote machine. As far as privacy goes, this is probably the best of all worlds as long as your home network isn’t doing anything crazy like exposing ports to the broader Internet. It also doesn’t need to be set up to continuously stream video either; this implementation only takes a snapshot when the doorbell button is actually pressed. Of course, with a few upgrades to the ESP circuitry it is certainly possible to use these chips to capture video if you prefer.

Thanks to [JohnU] for the tip!

The British Government Is Coming For Your Privacy

July 30, 2023 by 77 Comments

The list of bad legislation relating to the topic of encryption and privacy is long and inglorious. Usually, these legislative stinkers only affect those unfortunate enough to live in the country that passed them. Still, one upcoming law from the British government should have us all concerned. The Online Safety Bill started as the usual think-of-the-children stuff, but as the EFF notes, some of its proposed powers have the potential to undermine encryption worldwide.

At issue is the proposal that services with strong encryption incorporate government-sanctioned backdoors to give the spooks free rein to snoop on communications. We imagine that this will be of significant interest to some of the world’s less savoury regimes, a club we can’t honestly say the current UK government doesn’t seem hell-bent on joining. The Bill has had a tumultuous passage through the Lords, the UK upper house, but PM Rishi Sunak’s administration has proved unbending.

If there’s a silver lining to this legislative train wreck, it’s that many of the global tech companies are likely to pull their products from the UK market rather than comply. We understand that UK lawmakers are partial to encrypted online messaging platforms. Thus, there will be poetic justice in their voting once more for a disastrous bill with the unintended consequence of taking away something they rely on.

Header image: DaniKauf, CC BY-SA 3.0.

Disabling Intel’s Backdoors On Modern Laptops

April 12, 2023 by 32 Comments

Despite some companies making strides with ARM, for the most part, the desktop and laptop space is still dominated by x86 machines. For all their advantages, they have a glaring flaw for anyone concerned with privacy or security in the form of a hardware backdoor that can access virtually any part of the computer even with the power off. AMD calls their system the Platform Security Processor (PSP) and Intel’s is known as the Intel Management Engine (IME).

To fully disable these co-processors a computer from before 2008 is required, but if you need more modern hardware than that which still respects your privacy and security concerns you’ll need to either buy an ARM device, or disable the IME like NovaCustom has managed to do with their NS51 series laptop.

NovaCustom specializes in building custom laptops with customizations for various components and specifications to fit their needs, including options for the CPU, GPU, RAM, storage, keyboard layout, and other considerations. They favor Coreboot as a bootloader which already goes a long way to eliminating proprietary closed-source software at a fundamental level, but not all Coreboot machines have the IME completely disabled. There are two ways to do this, the HECI method which is better than nothing but not fully trusted, and the HAP bit, which completely disables the IME. NovaCustom is using the HAP bit approach to disable the IME, meaning that although it’s not completely eliminated from the computer, it is turned off in a way that’s at least good enough for computers that the NSA uses.

There are a lot of new computer manufacturers building conscientious hardware nowadays, but (with the notable exception of System76) the IME and PSP seem to be largely ignored by most computing companies we’d otherwise expect to care about an option like this. It’s certainly still an area of concern considering how much power the IME and PSP are given over their host computers, and we have seen even mainline manufacturers sometimes offer systems with the IME disabled. The only other options to solve this problem are based around specific motherboards for 8th and 9th generation Intel desktops, or you can go way back to hardware from 2008 and install libreboot to eliminate, rather than disable, the IME.

Thanks to [Maik] for the tip!