
Disconnecting your telematics (Starlink) antenna

82K views 130 replies 53 participants last post by  berkeleybarnett  
#1 · (Edited)
After a week of trying out my trial subscription to Starlink on my new 2020 Outback, I decided I wasn't getting enough value out of it to justify the security and privacy sacrifices, and cancelled it. However, I plan to go further by physically disconnecting my telematics antennas. If you Google "disconnect Starlink antenna" you'll find a few threads about it on other forums, but not all of them terribly helpful and none of them applicable to the Gen6. So I thought I'd share the results of my research.

WHY

First of all, why am I bothering with this? Exactly what security and privacy am I protecting, and why isn't service cancellation sufficient?

According to the Starlink privacy policy they collect and retain:

vehicle and service-related information, including but not limited to vehicle identification number and description; vehicle maintenance information; mechanical condition or incidents involving the vehicle including crash severity sensor data; time, location and speed of vehicle at a time of requested service; your or your vehicle’s occupants’ search content; your personal identification number (“PIN”) and information about a call related to the Services or your account, such as the date, time and duration of the call, the identity and phone number of the caller, and contents of or notes about the call. In addition, your vehicle may be equipped with one or more sensing or diagnostic modules capable of automatically retrieving, recording, transmitting, or storing certain vehicle data, including but not limited to trouble codes, tire pressure, battery voltage, coolant temperature, and service requirements. We may collect and retain data from any such modules in your vehicle.
They'll share this information with "suppliers, roadside assistance providers, emergency service dispatchers and providers, anyone you designate as an emergency contact and our affiliates" and also with law enforcement if they receive a subpoena.

None of this is unreasonable or gratuitous; it all seems reasonably connected to the advertised functionality of the product. It's good that they only collect location data in response to crashes or service requests, rather than constantly. It's nonetheless more than I care to share. Even if they're not getting location data all the time I'm driving they're still learning a lot about my driving patterns on the basis of time and mileage. And I don't necessarily want the system automatically calling for help if I get into a minor single car accident; I might prefer to take care of it quietly than to get police and insurance involved.

Cancelling service presumably prevents most of this data collection. But without some significant effort at sniffing bus traffic or reverse-engineering the firmware, I don't really know this for sure. It could be that they're still collecting it all and just no longer giving me access to it. In most of the US, they wouldn't be running afoul of any laws that way.

For sure, though, cancelling service does not prevent Starlink from phoning home. If I wanted to reactivate my service, I could do so without ever touching anything inside the car. The car therefore must necessarily still be connecting to the cell network at least long enough to check up on its subscription status. So at the very least, Subaru is still getting a request containing my VIN every time I turn on my car, and they can use my IP address to deduce my approximate location. AT&T is getting similar information from my IMSI. I'm of course also leaking this same information to cell providers by carrying a cell phone, but at least that's easy to turn off or leave behind.

That's enough for privacy — how about security? An attacker who takes control of my Starlink account could use it to do some pretty scary things, like immobilize my car in the middle of the highway. Such an attacker could be a rogue Subaru employee or could be anybody who finds a vulnerability in their website or in the unit itself. There have been many such vulnerabilities already discovered, and you should take it for granted that there are more that are not yet known. Cancelling my service doesn't protect from this, since the attacker could just re-enroll me.

HOW

Ok, hopefully I've established that disconnecting your telematics antennas is something worth doing. Now on to how. Unfortunately, it's a giant pain in the ass and if you want to try to do it yourself you're going to at least need the service manual in hand.

There are two separate antennas. The main one is in the sharkfin. But there is also a secondary antenna, referred to in the service manual as the "telematics sub antenna", located behind the instrument panel. I'm not sure if the second antenna is just there for redundancy (in case the main one gets destroyed in a crash) or if they're tuned to different bands. The manual refers to them both as LTE antennas but it would make sense if the sub antenna were actually UMTS (3G). Regardless, they both need to go.

The path from the main antenna to the data communication module (where the transceiver is) passes through three different connectors, and one of them is easy to get at. It plugs into an antenna amplifier located at the top of the lift gate, which you can get to just by popping off the trim panel with your fingers or a plastic pry tool. This is the one labeled "An63" in the service manual. If it weren't for also having to do the sub antenna, I'd do this one myself and post a howto video. Sadly, the sub antenna is much harder to get to and I don't dare attempt it on my own (dammit Jim, I'm a security researcher, not a mechanic). There's only one connector, "An65", and you have to pull out the whole instrument panel in order to reach it. Nope, not gonna do that to my new car.

However, I've explained to my dealer's service department what I want done, and they're willing to do it. My appointment is March 2, and I'll update this thread afterward and let you know about any problems I encounter or the lack thereof. I'm not expecting any. It's just an antenna after all, and sometimes an antenna isn't going to have any signal, so the car must be designed to cope with that.

UPDATE 2020-03-02: Success! See this reply for how the dealer went about it and what the outcome was.
 
#71 ·
The reason why the car continues to monitor cell towers is to access commands via the starlink system that relies on the AT&T cell towers for things like remote start. If it lost data communication when the car is off, then this function would not work.
 
#73 ·
Oh sorry I got the wrong context.

It seems you can be tracked with location services turned off but if the phone itself is completely turned off, every reputable source I've looked at says it's actually off, and not pinging cell towers.

The one contrary reference that keeps coming up, but not verified, is this:

So is it possible that you could be infected with something that makes your phone pretend to turn off, but not really be off?
 
#76 ·
The iPhone doesn't ping cell towers when off; besides the privacy issue that would consume way too much battery. Rather, it continues to act like an AirTag, sending an ID over BLE (Bluetooth Low Energy). Unlike your phone's IMSI/IMEI, AirTag IDs are encrypted. Other devices that you own have the decryption key, but to everyone else, the encrypted ID just looks like a new and different random number every time it's sent so it can't be used by third parties for tracking.
 
#79 ·
The issue is that cellphones and most other computerized devices have their main processor but also have a baseband processor that runs its own code and is locked away from the user and the main OS. This baseband processor is active any time the device has power, regardless of the status of the main CPU and OS. In the old days, you could remove the battery and thereby ensure that there was no power to anything. But with current phones that baseband processor will still be active even if the phone is off or in airplane mode. This is why you see people putting phones in microwaves, etc, as that works as a Faraday cage and prevents all transmissions along with muffling the sound that could be recorded by an active mic.




These issues aren't something that the average person generally has to worry about, but there are a lot of privacy concerns regarding them.
 
#80 ·
But with current phones that baseband processor will still be active even if the phone is off or in airplane mode.
I watched the video and my take-away is that the baseband processors at the time were hackable, but do you have a reference that says that the baseband processor is active when the phone is actually turned off? Airplane mode is totally different because the phone is still on. I suppose a hacked baseband processor can spoof the phone being turned off when it isn't turned off, but assuming it wasn't hacked, is there any evidence that an unhacked phone continues to power the baseband processor when the phone is off?
 
#84 ·
I understand your thought process on this, and I'm not insisting that it's impossible that the baseband processor is active when an unhacked phone is off (charging or not). It seems like you're extrapolating that it might still be on, instead of saying that as a fact the baseband processor is definitely active. I understand the comparison to wake-on-lan but I'm not sure it's the same.

Subarus with starlink have an analogy to wake-on-lan where it's always listening even when the "car is off" for remote start but I'm not sure cell phones are similar. I haven't heard about a phone being remote started from the off position, but maybe it can be done? To me the jury is still out and in the absence of actual evidence I'd rather not assume that it's true. Then again if you're someone for whom going dark is essential then perhaps it's better to presume that it is true.
 
#86 ·
How do you think that charging animation gets displayed?
You'll note that the charging animation does not start immediately. When you plug in a charger it powers up a processor that starts a small piece of code to control the charging and display the animation.
that's how you remotely turn on and access servers.
Wake on Lan is not controlled by baseband software. When Wake on Lan is enabled on a capable motherboard, low power is supplied to the network card, the network card listens for the WoL Magic Packet and activates the soft power button to power up the motherboard.

Also when a phone is turned off, a call goes directly to Voicemail without ringing half a dozen times. That's because the towers know there is no active phone pinging the network.
 
#87 ·
I understand your thought process on this, and I'm not insisting that it's impossible that the baseband processor is active when an unhacked phone is off (charging or not). It seems like you're extrapolating that it might still be on, instead of saying that as a fact the baseband processor is definitely active. I understand the comparison to wake-on-lan but I'm not sure it's the same.

Subarus with starlink have an analogy to wake-on-lan where it's always listening even when the "car is off" for remote start but I'm not sure cell phones are similar. I haven't heard about a phone being remote started from the off position, but maybe it can be done? To me the jury is still out and in the absence of actual evidence I'd rather not assume that it's true. Then again if you're someone for whom going dark is essential then perhaps it's better to presume that it is true.
The baseband processor is definitely on as long as there's power being provided. What it's programmed to do is hard to say as baseband processors run proprietary code and therefore there's no easy way to tell what it is doing or can be configured to do. As I mentioned, it's not something the average person generally needs to be concerned with, but there's definitely more going on under the covers than people realize.

I was actually referring to things like IPMI, Intel AMT, iDRAC, or iLO. These are all things that allow for out of band management. https://en.wikipedia.org/wiki/Out-of-band_management WOL is just a way to attempt to ring the doorbell via the network. What I'm referring to allows you to modify settings, format drives, install OS, etc as if you were sitting at the computer.

Then why don't 'powered off' phones 'wake up' when they are called instead of going directly to voicemail? Why can't law enforcement track 'powered off phones'? Why? Because powered off phones are...powered off and not communicating with a tower which was the whole reason this 4 year old thread was revived by someone who has disappeared from the thread.
Because they're not configured to do so. The baseband processor could talk to the tower and listen for incoming calls and then start the phones operating system at that point. They don't because it would take too much power and by the time the OS booted the call would have gone to VM.

If someone wanted to, they could configure the baseband processor to allow for LE to track the phone and connect to towers. And due to the proprietary nature of the baseband processor it's very difficult to tell if that's the case or not.

You'll note that the charging animation does not start immediately. When you plug in a charger it powers up a processor that starts a small piece of code to control the charging and display the animation.

Wake on Lan is not controlled by baseband software. When Wake on Lan is enabled on a capable motherboard, low power is supplied to the network card, the network card listens for the WoL Magic Packet and activates the soft power button to power up the motherboard.

Also when a phone is turned off, a call goes directly to Voicemail without ringing half a dozen times. That's because the towers know there is no active phone pinging the network.
You'll note that I never mentioned WOL. See my explanation to @SilverOnyx above. And I'm not claiming that the baseband processor is pinging the towers. I'm just stating that it's possible and it's exceedingly difficult to know for sure due to the proprietary nature.


Look, I don't really care if y'all believe me or not. It doesn't change the fact that baseband processors exist and that we have to take it on faith that they're doing what we think and want them to do. Do I think it's worth going through the hassle of disconnecting the antennas? Not really. But the concerns that lead someone to want to do so aren't completely unfounded even if the specifics might not be completely correct. And that's not even getting into the cases of user data being sold/stolen. https://foundation.mozilla.org/en/p...official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/
 
#89 ·
The baseband processor is definitely on as long as there's power being provided.
When you say there's power being provided, which of these are you referring to?
a) the phone is on
b) the phone is off but plugged in
c) the phone is off but battery is not removed

All I want is evidence, not proof, that it's more than just speculation that the baseband processor is active when a phone with an unremovable battery is shut down/off
 
#94 ·
With 3G gone is the antenna even capable of communicating if one did not get the upgrade during the grace period?
Probably not, although I don't know how much different the antenna design is between the various data standards.

When you say there's power being provided, which of these are you referring to?
a) the phone is on
b) the phone is off but plugged in
c) the phone is off but battery is not removed
Yes.

All I want is evidence, not proof, that it's more than just speculation that the baseband processor is active when a phone with an unremovable battery is shut down/off
At this point I have no idea what you'd consider evidence or proof and I don't really care anymore.

You didn't mention it by name, but WOL is how you remotely turn on a server and then access it with SSH or desktop control software.
No. WOL is a method for a machine to listen to a special packet on the network. If WOL is turned on and it sees this packet, it will turn on. That's all WOL does. And you can't ssh or remote desktop into a machine with no OS. Using the technologies I mentioned and was referring to, you can plug a server in with just power and network and then remotely access it, turn it on, configure the BIOS, mount ISO images, install an OS, etc.

Comparing WOL to things like IPMI is like comparing a leatherman to an entire workshop. The fact that you think they're even remotely the same tells me that you don't have experience with it.

The 3G connection was always designed as a backup, in the event the LTE connection was really weak or no signal.
To quote everyone else in this thread, citation needed. Most likely what happened is that Subaru got a good deal on 3G accounts (possibly because nothing newer existed) and they continued to use those until they got notice that the 3G network was being EOL. The car isn't sending that much data where it needs the latest and fastest connection. Especially with the number of them in service, Subaru will opt to go with the cheapest option.
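
As an added illustration of the Wake-on-LAN behaviour argued over in the posts above (not code from any poster in this thread): the magic packet is only a fixed 102-byte pattern naming a target MAC address, and this Python example builds one and recognises it inside a captured payload. The MAC address and sample payloads are constructed for the example.

```python
"""Added example: recognise Wake-on-LAN magic packets in raw payloads."""
from dataclasses import dataclass
from typing import Optional

SYNC = b"\xff" * 6                    # synchronisation stream: six 0xFF bytes
REPEATS = 16                          # the target MAC is repeated 16 times
BODY_LEN = len(SYNC) + 6 * REPEATS    # 6 + 96 = 102 bytes


@dataclass
class MagicPacket:
    target_mac: str             # MAC address the packet asks to wake
    offset: int                 # where the pattern starts in the payload
    password: Optional[bytes]   # optional 4- or 6-byte SecureOn password


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet body for a MAC like 00:11:22:33:44:55."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return SYNC + raw * REPEATS


def find_magic_packet(payload: bytes) -> Optional[MagicPacket]:
    """Scan a payload (e.g. a captured UDP datagram) for a magic packet.

    The pattern may appear anywhere in the frame, so every candidate
    position of the sync stream is checked, not just offset 0.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start:start + BODY_LEN]
        if len(body) < BODY_LEN:
            return None         # too short here, and later offsets are shorter
        mac = body[6:12]
        if body[6:] == mac * REPEATS:
            tail = payload[start + BODY_LEN:]
            # A password is only reported when exactly 4 or 6 bytes follow.
            password = tail if len(tail) in (4, 6) else None
            return MagicPacket(format_mac(mac), start, password)
        start = payload.find(SYNC, start + 1)
    return None


# Constructed sample payloads (not captured from any real network).
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLES = {
    "plain": build_magic_packet(SAMPLE_MAC),
    "prefixed_with_password": b"junk" + build_magic_packet(SAMPLE_MAC)
                              + b"\x01\x02\x03\x04\x05\x06",
    "truncated": build_magic_packet(SAMPLE_MAC)[:-1],
    "ssh_banner": b"SSH-2.0-OpenSSH_9.6\r\n",
}


def classify_samples() -> dict:
    """Map each sample name to the target MAC found, or None."""
    results = {}
    for name, payload in SAMPLES.items():
        hit = find_magic_packet(payload)
        results[name] = hit.target_mac if hit else None
    return results


if __name__ == "__main__":
    for name, mac in classify_samples().items():
        print(f"{name}: {mac or 'not a magic packet'}")
```

The packet carries a target address and, optionally, a short password, and nothing else: no command, session or payload for an operating system to act on.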
 
#96 ·
Comparing WOL to things like IPMI is like comparing a leatherman to an entire workshop.
I guess I (erroneously?) assumed we were talking about consumer grade desktop and laptop computers.

Yes, server computers that implement IPMI have a separate CPU and ram from the main OS that can run all the time and control the actual server computer.

But technology like IPMI is not in consumer grade desktop and laptop computers, so anyone following this thread should not be concerned that their home computer can have bios adjustments or new operating systems installed remotely after they turn off their computer and go to work (or to sleep).
 
#98 ·
I guess I (erroneously?) assumed we were talking about consumer grade desktop and laptop computers.

Yes, server computers that implement IPMI have a separate CPU and ram from the main OS that can run all the time and control the actual server computer.

But technology like IPMI is not in consumer grade desktop and laptop computers, so anyone following this thread should not be concerned that their home computer can have bios adjustments or new operating systems installed remotely after they turn off their computer and go to work (or to sleep).
I did say servers, and I was using those technologies as an analogy for the baseband processor in phones. It's capable of the same things.

My 2017 seems to not respond to any app possibilities. Interesting.
That's what I would expect. As I posted earlier, I'm pretty sure walker is incorrect in their assumption. If 3G was a fallback for LTE then Subaru wouldn't have needed to do any swapping. I can understand how they might think that based on the way phones can fall back to slower speeds, but it's not quite the same situation.
 
#106 ·
I disconnected my antennas today, figured I would add to this post rather than add a new one to get lost.

I mostly followed the two previous pictures in this thread, the picture of the dcm and the wiring diagram, though only the wiring diagram was close. Didn't show the plugs themselves (location), but did give what they looked like which is what I ended up going off of. And maybe color though another part has the same color plugs, but not the same shape.

Touring/high trim
I removed the shift lever (push down then one retaining pin) and then the center console (lift from the open center compartment). Then I removed the bezel housing with two screws above the gauges. I then pulled the mid dash trim (leather part above glove box and tray) from passenger side towards the ignition. There's one screw holding the ignition to the mid-dash after you pull it. This reveals the four screws for the infotainment (10mm); unscrew these and you can gently pull the unit free from the dash. I had some confusion about which plugs to pull due to coloring and location off the reference pictures I used. In case the photos don't attach, the green and brown plugs on the top of the back of the infotainment unit are the two to disconnect (not sure about generations or such of dcm, but this is where mine were, not like the reference picture I used [previously in this thread I think]). I ended up going with the wiring diagram that showed what the plugs looked like and matched them (same colors on lower portion but different plugs). Many are tagged with a plug number (an##) but I couldn't find a good match to the diagram (for the antennas, they didn't have the tag like the others) aside from the physical look.

Gentle pulling was used to get most pieces out, a flathead for the shifter pin, a Phillips screwdriver for the bezel and ignition screw, and a 10mm socket for the infotainment screws.
 


#110 ·
Fight the powers, brother.

Where exactly is the facial recognition camera? In the red plastic trim above the screen unit? Looks like a Cylon from Battlestar Galactica. Sometimes I see a red light on the right behind that red plastic, and if the camera is back there I want to remove the plastic & paint it black on the backside. Looks better than tape over the front.

Does that red plastic piece pop off if I pry it?


Where is the microphone?
 
#116 ·
Don’t forget the Black Box in the car. It is tracking 15 data elements as you drive.
 
#124 ·
Appropriately, harvesting, selling and using personal information in the digital age is known in the political economics field as 'surveillance capitalism'. The key being, we are not the customer. We are the product, the commodity. At least for this Outback owner (of a 1 year old car, dead battery, a fight to get a new battery, cause: defective usb port in back seat), in this forum, the info is a 2-way street. It offered a speed course in parasitic draining, the DCM, TSBs, and all the poorly designed or engineered limitless electronic gadgetry. Cheers fellow Outback travelers.
 
#125 ·
Subaru of America’s response to my data request 59 days ago.

Dear….. :

We received your Right to Know (tell me what personal information you collect, process, sell and share) privacy rights request.

We have fulfilled your request. Please see the details below.

Subaru has collected the following specific pieces of personal information about you, the consumer.

  • Ownership Status
  • VIN
  • Alias
  • Unique Personal Identifier



Subaru may collect the following personal information about a consumer:  
  
Categories of personal information:    
  • Identifiers    
  • Consumer records   
  • Commercial information   
  • Internet or Other Electronic Network Activity   
  • Audio recordings   
  • Vehicle geolocation   
  • Professional or employee-related information   
  • Inferences   
  • Sensitive personal information   
Categories of sources from which the personal information is collected:    
  • Retailers, i.e. authorized Subaru dealerships  
  • Provided by consumer or vehicle    
  • Third parties   
Business or commercial purpose for which Subaru collects or sells personal information:    
  • To provide services to the consumer    
  • To market goods and services to consumers   
  • To provide marketing by third parties for third party goods and/or services    
  • To comply with legal obligation    
Categories of third parties with whom the personal information is shared:    
  • Business service providers      
  • Contractors   
  • Retailers   
  • Corporate parent and affiliates   
  • Third party providers of goods and/or services   
  • Entities required to comply with the law     
Categories of personal information sold:    
  • Identifiers for third party marketing of goods or services.   
  • Consumer records for third party marketing of goods or services   
Categories of personal information disclosed for business purpose:   
  • Identifiers are disclosed to service providers, contractors, and third parties.   
  • Consumer records are disclosed to service providers, contractors, and third parties.   
  • Commercial information is disclosed to service providers, contractors, and third parties.   
  • Internet or other electronic information is disclosed to service providers, contractors, and third parties.   
  • Vehicle geolocation is disclosed to service providers.   
  • Inferences are disclosed to service providers and contractors.   
  • Sensitive personal information is disclosed to service providers and contractors.    
Third parties to whom personal information is sold:   

  • Liberty Mutual   
  • Sirius XM 
  • Your preferred retailer   

We received your Right to Correct (correct inaccuracies in my personal information) privacy rights request.  

The information you provided as part of this request is identical to the information that is in our systems. Therefore, there is no action to take.

If you still believe your information is incorrect, please provide us with the specific information that you would like us to correct.

Please note that we cannot process your Right to be Forgotten request in full due to the lemon law litigation you have threatened against Subaru. We are under a legal obligation to retain those records.

We will maintain a record of your request for at least 24 months, or as otherwise required by law.
 
#129 ·
Can't post links (new member) so you'll have to use your best problem-solving skills

Surprised this hasn't been mentioned here:
samcurry.net/hacking-subaru

Specifically:
samcurry.net/hacking-subaru#tracking-my-mom-for-the-last-year

tl;dr: We ~pretty much knew we were being tracked, but storing fine-grained location data for the life of the vehicle is effed (not to mention Subi's garbage security). Probably (definitely) affects all makes; Curry just happened to have bought his mom a Subi the year before with a promise that he'd get to toy around in it.

Anyway thanks for the thread. This has been on my todo list for too long.