Information and China - Geely and spyware? What's the chances it does not report?

Don't forget Geely own LEVC (London Taxis), Polestar, Volvo, plus many more. If this is the case the roads are already full of spyware.
 
*throws a grenade into this thread*

Yet again, I find myself requesting a 🤦‍♂️ reaction be added to the forum.

I weep on almost a daily basis for everyone who is not in the tech industry or incredibly tech-savvy... I know how to lock down my stuff, but what chance has Joe Sixpack (er... the British equivalent escapes me... Gordon Threepints?) got? :cry:
 
I work in cybersecurity and privacy. I'm not claiming categorical expertise, just qualifying my statements slightly.

In my opinion, the issues raised in this thread are certainly potential ones, and there are real-world examples of both negligent security design (leading to trivial compromise) and, in some very troubling cases, intentional malfeasance by certain state-connected technology vendors to create opportunities using their products for possible surveillance or data scraping of individuals, either en masse or on an individually targeted basis.

To be fair though, I'm absolutely not any more concerned about a Lotus car being used by Geely to capture individual data than I am about any other auto manufacturer's systems. Lotus cars are just not a big enough attack surface in the economy or in western society to represent a particularly worthwhile project for Chinese state surveillance, nor is it a worthwhile reputational risk for Geely as an auto manufacturer. The juice has to be worth the squeeze, and it simply isn't in this scenario.

That being said, I'm looking forward to security researchers taking a look at these cars once they do get out in the world and start connecting to services. It will be very interesting to see what they do collect and transmit... it will be something surely, just probably not the kind of privacy-related info that people typically fear.

Gut check: It's FAR easier to leverage the existing surveillance and mass data scraping opportunities they have baked into popular social media apps like TikTok, rather than the very limited data about the driver that's available from (or through) the systems in a car. The data available in that context is just too limited.
 
Yeah, as somebody in the software industry, with a working understanding of security and threat modelling, I'd agree with everything you've said here. Caveat with the same "I'm not an expert, but I know some things", and also throw out a qualifier that, if state actors take an interest in doing something, good luck detecting it until years later.

Sure, no doubt some data around GPS destinations entered or function usage gets sent back to various parties (Geely, Google, Apple, whoever), but the notion of a (as far as we know) reputable car manufacturer having something buried in the system that scrapes the contents of a phone (without tripping any permission requests or otherwise alerting the user) and shunts it off to the Big Bad PRC seems to lack something... motive? credibility? I'm not sure what term I'm fishing for.

Not intending to disrespect anyone obviously, but I don't imagine Lotus customers to be big enough fish to warrant such a blunt incursion. Doesn't strike me as "high value" enough for state surveillance. If I was anything approaching some sort of important figure, it wouldn't matter what kind of car I owned, I'd have my security detail sweep it for all kinds of shenanigans on a regular basis, so meh. :)

Now if you'll excuse me, I have to put my special hat back on to block out the voices radio waves...
 
I'm so far away from being a snowflake (see Attila the Hun) but I believe it's best to leave the long suffering Chinese out of the discussions of sh!weaselry and refer to the CCP as 'the baddies' only.
 
