License Plate Cameras Are Tracking Your Life Without a Warrant

The cameras are already out there, already collecting, and there's no setting, no law, and no off switch that can stop them.
Justin Sullivan/Getty Images

Pandora’s box is now open in a way that only movies depicted, and the situation is already spiraling.

Automatic license plate readers (ALPRs) sold by surveillance companies are now using a technology called SignalTrace, which uses sensors in the ALPRs to scrape electronic hardware codes from your smart devices. Worse, it’s being made available and marketed to law enforcement agencies, including police, border security, and other government agencies. Of course, it didn’t take long for new technology like this to be abused, and cops are already getting caught using license plate readers to stalk people.

We aren’t just talking about your connected car being tracked. This tracking is extending to phones, wearables like smartwatches and smart rings, and even your pets’ microchip or the AirTags in your kids’ backpacks. It also grabs information from your vehicle, though, which in itself is extremely complicated to disconnect. There’s no opt-out in this situation and no guardrails in place, because the technology that enables all this rolled out so quickly. The law hasn’t caught up. Security expert Matt Hurewitz, who is currently the CISO at Ent.AI, said on The Drivecast that “the laws are way behind” and noted, “I think if you wait long enough there will be examples that affect people in a very real way, and that will cause a conversation to happen, which I think is really important.”

On the latest episode of The Drivecast we discuss with Hurewitz how suddenly new technology is enabling the government to create a digital map of your life without you even knowing it, and how there’s no real way to stop this from happening today.

New here? The Drivecast is The Drive’s weekly podcast that takes you behind the scenes on the largest controversies, stories, and characters shaping the automotive industry, along with the way our roads look today. Powered by The Drive’s inside access, original reporting, exclusives, and insights, The Drivecast aims to make everyone an insider.

Listen to The Drivecast via Spotify, Apple Podcasts, or Amazon Music. Love it? Like it? Want to help? Leave a five-star review on your platform of choice to help get The Drivecast in front of more people. Have a suggestion, tip, request, or feedback? Drop us a line at feedback@thedrive.com. I promise, we read every single email.

Full Transcript

Joel: Hello everyone, and welcome to the Drivecast. I’m Joel Feder, director of content and product at The Drive.

Adam: And I’m Adam Ismail, a senior editor at The Drive.

Joel: And the Drivecast is our weekly podcast giving you an inside look at the biggest stories, controversies, and people shaping the automotive industry. Today, we are talking about how the devices you carry will enable law enforcement and the government to track your every move. Scary thought. Time to break out the tin foil hats.

Adam: That’s right Joel, a new kind of license plate reading camera is said to be far more than its name. It will be able to scrape the smart devices you take with you and wrap all that data in a neat little bow for law enforcement and government agencies.

Joel: To be clear, we aren’t talking about your connected car being tracked here, right Adam? Because that’s a topic, dare I say, old and tired.

Adam: No, unfortunately it goes way beyond that. We’re talking phones, wearables, infotainment systems, even your pet’s microchip if they have one.

Joel: Yikes. And my dog is definitely chipped. Who would have thought AirTags and smart watches would enable someone or something to track you, right? This topic all started last week when Adam covered the story on The Drive. And boy, did it get some reactions. Shocking. Today we are going to dive into what’s really going on and have a special guest to help us dissect fact from fiction, my friend, and more importantly, security expert, Matt Horwitz, who is currently the CISO at Ent AI. By the way, if you like what we’re doing here, do us a favor and hit us with a five-star review on Spotify or Apple Podcasts. It really does help get the Drivecast in front of more people. Okay, let’s go.

Joel: So Adam, I swear, we’re living in a movie. And I say this all the time, with Elon’s robots and all this stuff, I always say, “has no one seen the movie I, Robot or whatever with Will Smith?” And now, there are so many movies that literally depict what we are living or about to live through. And I swear, if my grandmother was alive today and saw electric cars and robots, she would be like, “what is this?” It’s like a movie.

Adam: Yeah, and you know, in times like this I always go back to, I don’t know, somebody tweeted this a long time ago, but it’s like, “dang, it would be really nice to live in some precedented times for a change,” because, you know, I mean, the technology accelerates so quickly in so many facets of life. And the world is only starting to grapple with something that I’m sure our guest Matt will be able to speak to, how big the automated license plate reader camera situation is globally. Those have been out for years. To now have to deal with this on top of that is just a whole new field, you know?

Joel: Well, and so we’re going to get to Matt and the topic at hand. The one thing we’re going to do real quick, I think this would be fun because it’s going to lead into the topic, I thought it’d be fun to admit to each other all the stuff that we carry on our person on a regular, or our dog. I mean, I’m always walking around with, I mean, I have my iPhone, I’ve got my smart watch, I have a smart ring, I’m very into fitness for those that don’t know, and tracking everything. I have AirPods, I have AirTags, my dog is chipped, our cars are modern enough that they have infotainment systems and GPS in them. I’m sure I missed something, but that’s just a high level. How about you?

Adam: Yeah, I think you covered pretty much every single possible category that they list here and things that they track. As for me, on the surface, I travel pretty light I guess. I have my phone, sometimes I wear my smart watch, I’m not good about wearing it every single day. But the thing is, it almost doesn’t matter, right? TPMS sensors were covered here, right?

Joel: Just so everyone knows, he just used the acronym for tire pressure monitoring systems, so it’s the thing that tells your car to go “ding, your tire is low on air.” But that brings us right into the topic. And so we’re going to get to Matt here in a second, but before we can ask Matt for all his expert information on the topic, I think we need to just dive into the story itself and what actually is happening and the report. So specifically, what are we talking about today and what did you report on, Adam?

Adam: So Leonardo, which is an Italian defense contractor, they make surveillance systems, all that kind of stuff, they are coming out or rather I should say they have come out, it’s already being introduced in certain markets around the country, but they have this new technology called Signal Trace. And what it basically is, as I said earlier, we’re all familiar now for the most part with automated license plate reader cameras. And this supplements those cameras, which are already able to, basically if you stitch enough of the data points together and enough of what’s been captured, day in and day out, you can pretty much gather a person’s sort of path through life through just their vehicle and their license plate being photographed repeatedly. This now attaches data from smart devices that you carry with you to that vehicle, or to that thing you’re traveling with. It kind of packages everything together so it knows okay, you have this car, and with this car I see an iPhone 13 or something with a unique ID, I see this smart watch. Maybe you’re traveling with your pet or your dog. If your dog’s chipped, as you said earlier, Joel, that’s in there too. And there are so many things today obviously that we rely on. And it’s also taking stuff that’s built into the car. So, infotainment systems, 5G modems for your Wi-Fi hotspot if your car has that feature, TPMS sensors, like everything. It really runs the gamut. And once you’re able to do this and take a vehicle and associate it with sort of a mix of devices, I mean, everyone’s mix of devices is unique. So what that does is it allows whether it’s police, law enforcement, government agencies, investigators, whatever it may be, that allows them to get pretty much like a digital fingerprint for who you are because everyone’s mix is unique. And so the ramifications here are obviously wide-reaching and kind of an absolutely dystopian minefield, right?

Joel: And before we talk to Matt, one last question. If I remember correctly in reading the report that you did, they made a claim that they’re not decrypting any of this information, right? So it’s anonymous, whatever. So what was that claim? And then I have some questions for Matt, we’re going to bring him in.

Adam: Yeah, so, and this is a quote from Leonardo’s own literature here. They say, “Signal Trace captures only publicly broadcast device frequency activity. It does not decrypt or store any content from devices or communications. It functions like a license plate reader by capturing identifiers without accessing personal or message data.” And what’s really interesting about this is this disclaimer is in there basically for saying like, “we’re not getting any unauthorized access. We’re just picking up on what your devices and what you’ve purchased and choose to carry with you just put out into the air.” And I think, and this is I think part of like a really interesting part of the discussion, is that seems to on the surface absolve them of some legal, you know, culpability there. But we’re living in a time where again, the technology is advancing so quickly that, you know, there should be laws around that, right? But there aren’t yet. And so they’re kind of able to run with the ball here.

Joel: Boy, is that a perfect segue to bring in our friend Matt. So Matt Horwitz, friend of mine, poker player at my house, actually lives here in Minnesota. We know each other from outside of the work world, ironically, we’re friends. But sometimes our work worlds collide. You are a security expert, correct?

Matt: Yes, though I would never use that language to describe myself, but yeah.

Joel: But I do, because I love you and you are a security expert. So just off the top here, Matt, so everyone knows, how nervous should consumers be? Is the strong reaction to this story justified or are people just overreacting? Like, high level.

Matt: So listen Adam, you did a fantastic job representing the technology and the uses broadly. It’s a hugely important part of the conversation because the consumer, high level, is used to giving up certain information for convenience or what they perceive as value. This, what I’ll call a dual use, you know, is probably not what they signed up for when they clicked the buttons that everybody knows they should read to accept the use of the thing. I’m sure Adam and Joel read them, I also read them as well, but many people do not. And so, gosh, there’s a lot to unpack.

But they’re correct in saying this information is broadcasted. Saying “I don’t encrypt something,” as Joel touched on, is technically correct, but encryption is a specific control that stops a very specific type of thing from happening. That doesn’t mean that what they’re doing is any less creepy or invasive. And from a policy perspective, I think yes, the courts are way behind and the laws are way behind. But there’s something that feels weird about somebody outside of my vehicle extracting information from devices that I didn’t know was broadcasting it, or I certainly didn’t know for this use, so that law enforcement can grab stuff from outside of my car to know things about me. There’s probably, like, I’m not an attorney, but there’s probably Fourth Amendment issues that need to get navigated there.

But generally, I say this: if you give a security practitioner access to you while you’re inside their car, and they’re outside of it with our tools, you might be very surprised with what we can extract out of the air. And then we can connect that to other things about you that’s generally available on the internet, and we have a very good picture of things that you didn’t know was readily out there.

Joel: That is a perfect setup for what I wanted to ask you. I wanted to know, you can’t opt out. Because you mentioned in here about how you’re driving around and you, I mean, like, you get an iPhone, you get AirPods, you get any new electronic device, you basically have to click the terms and conditions and you accept it. And again, while the three of us absolutely read every word of those things, the consumer probably doesn’t. And I’m sure Matt prints them out and puts them in a file. But the reality is that you really don’t know. And to your point, you’re driving down the road and you’re just broadcasting all these things, and you can’t opt out. Now if I invite you in my car, I invited you, a security expert, into my car. And while we’re friends, you could do things. You could do things that I probably wouldn’t even know you could do. But what about my dad? What about my friends that don’t even know about cars and didn’t realize their tire pressure monitoring system could broadcast their location?

Matt: It doesn’t protect them. Ignorance for what you’ve bought and what you’re using, at least according to laws today, doesn’t protect them. And what makes it even more difficult to suss out is that you have something in mind when you opt in. When you buy your iPhone and you click through and you log in, you’re thinking about talking with your friends and family, staying connected in social media, accessing your photos, all of those things. And to make those ecosystems work, there are great conveniences built in.

So like, when you go to the airport and you want to get online, and you open your laptop or your phone and you see 30 different Wi-Fi things and you pick the one you want to connect to, the reason you know they’re there is because they broadcast things out into the world: the name of my network, the MAC address, like, various things, so that you as the end user can pick MSP Free Wi-Fi and get online. And those protocols that are there to help devices discover each other and know who they are can be used in interesting ways.

When you broadcast, whether it’s a Bluetooth Low Energy device, the things that, the beacons that you hear about that let you find your wallet when you lose it and your keys, they’re constantly broadcasting a few pieces of information that are relative to make that experience work: signal strength, the name of the tag, there’s a MAC address, which is like an identifier for the device and some of the pieces on the device. When you put all of that together, it helps you find your wallet, but it also would let somebody like me discover, like, signal strength is a decent proxy for how far are you from the thing that is receiving this signal or sending this signal. So that gives me proximity to where you are at a given time.

When you connect to a Wi-Fi network, or some vehicles have Wi-Fi that the users can connect to, if I’m driving around in the car next to you and I’m looking to see, we’ve all done that. We’ve seen our neighbors’ Wi-Fi even if we can’t connect to it, we can see where it is. And that data helps build a profile and a picture. That technology that is broadcasted publicly, it is only available over a certain distance that is not super far, but it’s far enough that if you’re close to it or if you can otherwise harness the signal, that information is technically out there. So yes, it is not encrypted, you don’t technically need a key to make sense of the information. So that is correct. But how somebody might use that information is probably not what the end user had in mind.

Joel: So these devices that are already out there and doing these single function or dual function things, now having the ability to track basically all the things that are putting off these Bluetooth and RF signals. So whether it’s your tire pressure monitoring system, your AirTag, your dog’s chip, your iPhone, your Oura ring, your watch, again, we can just go through the list of all the things that I own in my life, and you don’t realize that these things are now being picked up. But the scary part of it is, it’s not just being picked up at this stoplight or that stoplight. Because when you’re going from this stoplight to that stoplight to this stoplight to that stoplight, you’re not creating a map, you’re on a grid. And these things can paint a picture of your actual location and your whereabouts. And to be clear, a lot of people have routines. So you can suddenly paint a picture of someone’s life on the daily or on the regular, and you could use this for very nefarious uses. Did I summarize all this correctly, Adam, and why people are nervous?

Adam: Yeah, and you know, getting caught up with this most recent development and what Leonardo is doing, and you know, obviously they’re not the only company, we can talk about others that kind of run the gamut more in terms of like the ALPR stuff. But like, I remember back in 2019 what turned me on to this was I think there was a New York Times report that was just basically sort of laid bare like all of the ways that data brokers can track you. And it’s just as simple as like knowing where you are and that you do that routine every single day, and that’s it. And this is something to kind of go into I guess, and Matt would be a good judge of this, but like, has the horse left the barn in a way? Have we already given up so much just with the license plate cameras already and the technology that existed previously, that obviously I won’t say this doesn’t matter, this seriously matters, but I think what’s almost happening is when things like this happen, when this technology becomes aware, or when the public becomes aware of it, we’re all just getting caught up. You know, and then you’re waiting for policy to catch up. And it’s just like, how much of our lives have we already been living like this without even knowing it? I guess is just kind of a question that I just keep reflecting back on.

Matt: So we’ve been talking about this in the practitioner community for a long time. And what’s generally accepted is convenience and value tends to trump security most of the time for most people. There is a lack of meaningful policy regulation, what have you, around this. But I think if you wait long enough there will be examples that affect people in a very real way, and that will cause a conversation to happen, which I think is really important.

There’s some other things that you guys should probably kind of think about in this kind of problem space more generally. As chips get better over time, they get more powerful, they get smaller, it becomes much easier for a manufacturer to buy a chip that does more than they need. And so like, what does that mean? I want to buy a small chip that opens a door knob or, you know, like pulls a cord or whatever it is in the digital equivalent. The chip that I’m buying is one of 10 billion made a year by a large manufacturer somewhere in the world, and they build a chip that’s most readily appealing to the market. So that chip may have capabilities above and beyond the door knob and the string that go into the device that don’t get used or don’t seemingly get used because of the function, right? Like, all I’m trying to do is turn a door knob, I’m not expecting it to open my garage door. But it’s already in the chip, it already is powered, there’s already like the built-in wiring there.

We think about that as like third-party supply chain risk in like the parlance you hear a lot of. Congress is starting to talk about, and federal agencies are starting to talk about, the bill of materials and the risk of the bill of materials that go into the thing, right? And so this is kind of an extension of this, where if you buy a new car off the lot now that’s mid-priced, it probably has 120 computers in it. Everything is super technical, right? There’s a lot of questions as to what else these things can do. And every once in a while you’ll see interesting research come out about security researchers that have found ways to abuse stuff. That’s something to keep in mind as well. So it’s not just this particular vendor using a signal that is broadcast publicly to do something that’s unexpected to the consumer, much more broadly, this is going to happen more and more in the automotive space, but in the world in general.

Joel: I think consumers, ignorance is bliss and you just agree to the terms of service or whatever. And I don’t think people realize how complicated cars are. And so we, and I’ll put this story that I’m about to note here in like one sentence in the show notes here so that people can click and read it. But we just recently, in a couple within the last couple weeks, did a story about a guy who went and bought a new Toyota RAV4. To your point Matt, that’s a mid-priced, you know, let’s call it a $32,000 very mainstream, it’s one of the best-selling cars in the world. This is not a fancy luxury car. But those cars have big screens, they have a ton of chips in them, they’re computerized, most they’re all hybrids now. And it has GPS and Bluetooth and AM/FM radio and SiriusXM radio. And he didn’t want anybody to be able to track his car. I’m dead serious. This is a guy that was in the security field or whatever like that, and I don’t know whether we’re in the tin foil hat realm or not, I don’t know this person. But the story goes that he wanted his car to be untrackable. And to do that, he literally had to rip out Bluetooth and GPS and sat radio and he had to rip all the communication electronics essentially.

So to your point, we are living in an era of connected cars. Just to have your phone via Bluetooth, that is a connected car. And we now live in a society where people can literally not go down the road without texting someone. That’s why we have CarPlay and everyone argues whether you need CarPlay. Stop texting while you’re driving, people. But that’s not the point. So now we have to have these Bluetooth and all these other signals, because otherwise we have hands-free laws, because people can’t drive without talking on the phone. But cars are data themselves. And now we’re talking about expanding to the stuff you’re carrying on your person in the automotive world for license plate readers and all that stuff, to literally connect you that way and make a digital map of your entire life. It is scary. It is totally scary. Matt, what can people actually do? I mean, beyond this guy, other than this guy who like ripped everything out of his actual car, aside from that part of it, right? What can people do? Should they really be concerned? Should they not be concerned?

Matt: I think people should be aware, and they get to determine how much concern and how much, like, behavior change they want to make based on that. Like, my biggest problem is when people don’t know, and then they find themselves caught up in the bad and had no idea. So I think that, listen, I’m surprised that gentleman’s car still worked because I imagine you disable a bunch of the electronics and you’re on your own, no warranty, maybe it doesn’t even start. I have no idea. But like, the average consumer needs to have like three sentences before they make a choice, or iconography that they can trust, or something, so that at the speed in which I make my purchase, I can take a beat and understand what’s going on.

There’s a secondary issue that, much like you mentioned in like with related to your phone, those ecosystems in and of themselves right now don’t have a lot of choice, especially for the average consumer, you know? It’s like, are you using Apple or are you not? And for most people, not using Apple is a non-starter, right? And so, I think in the short term it could be painful, in the long term it could lead to more choice, more meaningful legislation, potentially regulation that helps consumers. And I’m not a huge pro-regulatory person, but I think the consumer has to know in a way that makes sense to them as to what the risks are. And I think that’s a big gap right now. People are going to be very surprised.

Joel: I would agree with you, and it is funny you mention that because like, you go on Reddit or you go to, I mean, even the comments on The Drive, and if you go to a car like a Rivian or a Tesla or even any of GM’s new EVs, and you make mention in the story as we would as journalists that these cars don’t have Apple CarPlay, you either have someone in the comments who owns one of these vehicles and they’re like, “well, it’s not that big a deal, I live with it and it’s fine or I miss it,” or you have people in the comments who are like, “well, I won’t buy a GM EV or I won’t buy a Rivian or I won’t buy a Tesla because they don’t have CarPlay. And I need CarPlay and you know, stick it in my veins, I can’t drive without it.” It is a very big lightning rod for people of “I need it, I don’t need it.” And in those cases, a lot of people have tried to live without it, and so then you end up with people in the comments that own one of these vehicles saying, “I miss it or I don’t,” and it’s very interesting.

But I want to do, because we want to keep everything tight here, let’s round through some final thoughts here. Adam, I want to start with you. Final thoughts on the topic as the one who originally reported on all this for us.

Adam: Obviously, dangerous, very interesting times. It’s going to be interesting to see what stories like this, because obviously it won’t be the last, are going to do with public awareness, as Matt mentioned earlier, and also policy. I’m also curious how, you know, device makers and technology companies and stuff like that respond to this because like, I’m just thinking off top of my head like, if I turn off Bluetooth on my iPhone, it turns itself back on. Like, I have to go, at least in like the pull-down control center whatever, if you tap that, it turns itself back on tomorrow, right? People don’t even know that. They might think they’re turning it off, and they’re turning it off for good. Cars work the same way, too. Your level of control in a car might not be as granular as you need it to be. And obviously, like, this isn’t something, as we’ve said multiple times, you can just opt out of, right? It’s going to be really, really hard if you really want to try and be that person who rips the SiriusXM out of your RAV4. That might be what it takes. You know, I guess it’s one of those things like, watch this space, because this conversation is going to only deepen. And also shout out, by the way, to 404 Media, who they were the ones who, Joseph Cox there, who did that story that, you know, kind of got a lot of people aware of what Leonardo’s doing and then what’s been going on there. So shout out to them.

Joel: Matt, final thoughts on this topic for today at least, because I think Adam is right about this won’t be the last time.

Matt: There’s a small number of people that care about privacy holistically all of the time. There’s fabulous work being done at like the EFF and other orgs that are very like intellectual about these types of things, and in the practitioner community. I think broadly, privacy only becomes a consumer concern when something bad happens and they get caught up in it. And so, I would love to see us get a little bit ahead of that happening, but there is a lot of convenience in these electronics. I don’t think it’s a malicious conspiracy among, you know, like I’m not in that way. I think that in this case, these are protocols that are being used that were designed for convenience and efficiency and bring a lot of meaningful interactions into people’s lives through technology, which I think is really important. But when people decide to use it for alternative means or in ways that are unexpected to the consumer, or in this case, it’s essentially, if I understand this correctly, to help coordinate with law enforcement for some reason or other, I think that that’s an area that we have to tread into very carefully, because privacy is important. And I’ll just leave it at that.

Joel: And I will say, to wrap my final thought into things with everything you guys said, I don’t disagree with anything you said. I would love to see some kind of legal framework being talked about or put around this. I mean, we’ve all seen the news that whether it’s Anthropic with the current government or any of the AI systems and the framework they’re talking about and guardrails they’re putting up within that system. You know, it was just a couple weeks ago that Caleb and I were on this podcast talking about the Feds coming for diesel truck owners, and it’s starting with your phone because of this OBD2 app that was allowing tuners and people to basically skirt their emissions equipment. And so, the irony that we’re sitting here literally, actually not almost a month, almost a month to the day, and talking now about the government being able to track you via all these other devices using license plate readers. It’s to your point, the conversation, it’s continuing a month later. It’s not the first time, it will absolutely not be the last time. And I just want to say thank you to Matt. I mean, Adam obviously, but you have to do this, you work here. Matt does not have to do this, he doesn’t work here, and I really appreciate him taking the time to join us. I’m sure you’ll be back, and I appreciate your time, insights, and your knowledge.

Matt: Yeah, my pleasure. Thank you, guys, this has been a lot of fun, and look forward to talking again.

Joel: So if you know something that concerns you related to the auto industry or on this topic, absolutely feel free to drop us a line at tips@thedrive.com. We’d love to hear from you. I read every email, I promise. That’s it for this week’s episode of the Drivecast. Thanks to the defense contractor Leonardo for opening another iteration of Pandora’s box, to Adam for his reporting on this important story, to Matt for his time and insights, thanks to our editor Tyler Mark, and thank you for listening.

Adam: Be sure to check out thedrive.com for our full coverage on this topic and a whole lot more. Subscribe to one of our fine newsletters, they’re free by the way. Follow us on Instagram, Facebook, and TikTok, and subscribe to us on YouTube where we’ve got a lot of cool videos coming up.

Joel: We’ll be back next Wednesday. Bye everyone.

Joel Feder

Director of Content and Product