Researchers have spilled tons of ink about connected cars and the dangers associated with them. Still, many people don’t know that their daily drivers are sending personal information to insurers and advertisers alike. Even those who do know often choose to take their chances—but not security professional Arkadiy Tetelman. He recently took all the data senders out of his 2024 Toyota RAV4, and he published the process so others know how to unplug, too.

Tetelman prefaced his walkthrough with a series of warnings. He pointed to past instances like Tesla employees sharing footage of naked customers in 2023, as well as a more recent vulnerability in Subarus that allowed anyone to remotely unlock cars while accessing real-time and historical GPS location. Paranoia is pretty well justified when the track record looks like that.

I won’t retell Tetelman’s blog blow-for-blow, but the gist is this: It’s an involved process, though that shouldn’t stop you. He lays out all of the tools required to do the job on a RAV4 like his, and in 13 steps, he explains how to remove the data communication module (DCM). He also instructs folks on how to remove the Toyota’s GPS antenna in five steps. Again, you need a few hours to complete all this, but you don’t have to be a mechanic of any kind.

With both the DCM and GPS antenna removed, Tetelman’s crossover no longer sends location or telemetry data to third parties. It loses connected features like over-the-air updates and SOS calling—a safety feature that he willingly disabled—but that’s mostly it. Confirming that it worked is pretty easy, since all you have to do is check that the car has no internet connection while ensuring that the SOS calling light is off. You should still be able to make and receive phone calls through CarPlay, too, as the DCM bypass kit enables the in-car mic to remain operational for functions like that.

You have to take off the trim that surrounds the shifter, as well as disconnect the infotainment screen, to get to these data senders.

Now, if you want these changes to achieve their intended purpose, you can’t use Bluetooth. Should you connect to your car wirelessly, then your phone will simply send your data to Toyota instead. The solution is simple, as you can still connect your mobile device with a USB cable.

And if you have concerns about your car’s warranty after these modifications, just know that the automaker can’t deny claims for components in the powertrain or other unrelated systems because you removed the DCM or GPS antenna. Tetelman makes this clear while citing the Magnuson-Moss Warranty Act.

Most people won’t want to pick their car apart to remove these components, but for those who are willing, it’s practically their best bet for data privacy. Tetelman warns, however, that it’s likely to become increasingly difficult as manufacturers adopt new tricks.

“Unfortunately, I think it’s only a matter of time before the modem and GPS become more deeply integrated into the car (making this blog post infeasible), or cars have more drastic failure modes when the modem/GPS is removed, or anti-right-to-repair laws get passed to further clamp down on this behavior,” he wrote. “For now, the win stands—no telemetry leaves the car. Strong federal privacy laws would make posts like this unnecessary; that’s the world I’d rather live in.”

Got a tip or question for the author? Contact them directly: caleb@thedrive.com

From running point on new car launch coverage to editing long-form features and reviews, Caleb does some of everything at The Drive. And he really, really loves trucks.

