Your Car Is Spying on You, and a CBP Contract Shows the Risk

(The Intercept) - A “vehicle forensics kit” can reveal where you’ve driven, what doors you opened, and who your friends are.

U.S. Customs and Border Protection purchased technology that vacuums up reams of personal information stored inside cars, according to a federal contract reviewed by The Intercept, illustrating the serious risks in connecting your vehicle and your smartphone.

The contract, shared with The Intercept by Latinx advocacy organization Mijente, shows that CBP paid Swedish data extraction firm MSAB $456,073 for a bundle of hardware including five iVe “vehicle forensics kits” manufactured by Berla, an American company. A related document indicates that CBP believed the kit would be “critical in CBP investigations as it can provide evidence [not only] regarding the vehicle’s use, but also information obtained through mobile devices paired with the infotainment system.” The document went on to say that iVe was the only tool available for purchase that could tap into such systems.

According to statements by Berla’s own founder, part of the draw of vacuuming data out of cars is that so many drivers are oblivious to the fact that their cars are generating so much data in the first place, often including extremely sensitive information inadvertently synced from smartphones.

Indeed, MSAB marketing materials promise cops access to a vast array of sensitive personal information quietly stored in the infotainment consoles and various other computers used by modern vehicles — a tapestry of personal details akin to what CBP might get when cracking into one’s personal phone. MSAB claims that this data can include “Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been.” MSAB even touts the ability to retrieve deleted data, divine “future plan[s],” and “Identify known associates and establish communication patterns between them.”

The kit, MSAB says, also has the ability to discover specific events that most car owners are probably unaware are even recorded, like “when and where a vehicle’s lights are turned on, and which doors are opened and closed at specific locations” as well as “gear shifts, odometer reads, ignition cycles, speed logs, and more.” This car-based surveillance, in other words, goes many miles beyond the car itself.

iVe is compatible with over two dozen makes of vehicle and is rapidly expanding its acquisition and decoding capabilities, according to MSAB.

Civil liberties watchdogs said the CBP contract raises concerns that these sorts of extraction tools will be used more broadly to circumvent constitutional protections against unreasonable searches. “The scale at which CBP can leverage a contract like this one is staggering,” said Mohammad Tajsar, an attorney with the American Civil Liberties Union of Southern California.

MSAB spokesperson Carolen Ytander declined to comment on the privacy and civil liberties risks posed by iVe. When asked if the company maintains any guidelines on use of its technology, they said the company “does not set customer policy or governance on usage.”

Getting Smartphone Data Without Having to Crack Into a Smartphone
MSAB’s contract with CBP ran from June of last year until February 28, 2021, and was with the agency’s “forensic and scientific arm,” Laboratories and Scientific Services. It included training on how to use the MSAB gear.

Interest from the agency, the largest law enforcement force in the United States, likely stems from police setbacks in the ongoing war to crack open smartphones.

Attacking such devices was a key line of business for MSAB before it branched out into extracting information from cars. The ubiquity of the smartphone provided police around the world with an unparalleled gift: a large portion of an individual’s private life stored conveniently in one object we carry nearly all of the time. But as our phones have become more sophisticated and more targeted, they’ve grown better secured as well, with phone makers like Apple and phone device-cracking outfits like MSAB and Cellebrite engaged in a constant back-and-forth to gain a technical edge over the other.

So data-hungry government agencies have increasingly moved to exploit the rise of the smart car, whose dashboard-mounted computers, Bluetooth capabilities, and USB ports have, with the ascendancy of the smartphone, become as standard as cup holders. Smart car systems are typically intended to be paired with your phone, allowing you to take calls, dictate texts, plug in map directions, or “read” emails from behind the wheel. Anyone who’s taken a spin in a new-ish vehicle and connected their phone — whether to place a hands-free call, listen to Spotify, or get directions — has probably been prompted to share their entire contact list, presented as a necessary step to place calls but without any warning that a perfect record of everyone they’ve ever known will now reside inside their car’s memory, sans password.

The people behind CBP’s new tool are well aware that they are preying on consumer ignorance. In a podcast appearance first reported by NBC News last summer, Berla founder Ben LeMere remarked, “People rent cars and go do things with them and don’t even think about the places they are going and what the car records.” In a 2015 appearance on the podcast “The Forensic Lunch,” LeMere told the show’s hosts how the company uses exactly this accidental-transfer scenario in its trainings: “Your phone died, you’re gonna get in the car, plug it in, and there’s going to be this nice convenient USB port for you. When you plug it into this USB port, it’s going to charge your phone, absolutely. And as soon as it powers up, it’s going to start sucking all your data down into the car.”

In the same podcast, LeMere also recounted the company pulling data from a car rented at BWI Marshall Airport outside Washington, D.C.:

“We had a Ford Explorer … we pulled the system out, and we recovered 70 phones that had been connected to it. All of their call logs, their contacts and their SMS history, as well as their music preferences, songs that were on their device, and some of their Facebook and Twitter things as well. … And it’s quite comical when you sit back and read some of the text messages.”

The ACLU’s Tajsar explained, “What they’re really saying is ‘We can exploit people because they’re dumb. … We can leverage consumers’ lack of understanding in order to exploit them in ways that they might object to if it was done in the analog world.’”

Exploiting the Wild “Frontier of the Fourth Amendment”
The push to make our cars extensions of our phones (often without any meaningful data protection) makes them tremendously enticing targets for generously funded police agencies with insatiable appetites for surveillance data. Part of the appeal is that automotive data systems remain on what Tajsar calls the “frontier of the Fourth Amendment.” While courts increasingly recognize your phone’s privacy as a direct extension of your own, the issue of cracking infotainment systems and downloading their contents remains unsettled, and CBP could be “exploiting the lack of legal coverage to get at information that otherwise would be protected by a warrant,” Tajsar said.

MSAB’s technology is doubly troubling in the hands of CBP, an agency with a powerful exception from the Fourth Amendment and a historical tendency toward aggressive surveillance and repressive tactics. The agency recently used drones to monitor protests against the police murder of George Floyd and routinely conducts warrantless searches of electronic devices at or near the border.

“It would appear that this technology can be applied like warrantless phone searches on anybody that CBP pleases,” said Mijente’s Jacinta Gonzalez, “which has been a problem for journalists, activists, and lawyers, as well as anyone else CBP decides to surveil, without providing any reasonable justification. With this capability, it seems very likely CBP would conduct searches based on intelligence about family/social connections, etc., and there wouldn’t seem to be anything preventing racial profiling.”

Tajsar shared these concerns.

“Whenever we have surveillance technology that’s deeply invasive, we are disturbed,” he said. “When it’s in the hands of an agency that’s consistently refused any kind of attempt at basic accountability, reform, or oversight, then it’s Defcon 1.”

Part of the problem is that CBP’s parent agency, the Department of Homeland Security, is designed to proliferate intelligence and surveillance technologies “among major law enforcement agencies across the country,” said Tajsar. “What CBP have will trickle down to what your local cops on the street end up getting. That is not a theoretical concern.”