China spying using common car battery monitor?

[VK3DRB]

Someone in Australia discovered by accident his commonly available simple car battery monitor is being used track the user's location and other data to the People's Republic of China by stealth.

The guy's investigation is nothing short of brilliant. It is well written, and it is extremely interesting how he methodically tracked down what and where the data was being sent. His link also shows the device in question: https://doubleagent.net/2023/05/21/a-car-battery-monitor-tracking-your-location. Don't know about you, but I learnt heaps from reading the post from a technical perspective. And it raises big concerns.

Is this a massive breach of trust, privacy and security? Maybe every piece of data is assembled like a jigsaw puzzle as a dossier on individuals? What other devices are being sold that are secretly sending your personal information to foreign entities without you knowing?

[SiliconWizard]

As a general rule, do not use anything that requires a mobile phone app. Unless you absolutely have no choice.
The ease with which you can access all the phone resources via Android APIs is, uh... funny. And user permissions? Sure but but if you do not authorize some app to access your location and this app REQUIRES it, you just can't run it. Period. And in some cases, it's not hard for an app to even circumvent the permissions.

And the fact here it's going right to China is concerning, but if you think only chinese vendors do this...

The "dossier" you're talking about, Google and others already have it.

[NiHaoMike]

Time to send them a bunch of fake data to make the data collection much less useful?

[Berni]

Yep this is a common trend with China

They have laws where companies have to hand over any user data to the government without even needing to give a reason. If they refuse to hand over the data then some heads are going to roll (literally even).

Baking in unnecessary tracking into products that don't even need it likely lets them score some bonus points (literally even) with there local government.

Time to send them a bunch of fake data to make the data collection much less useful?

They could probably still clean up the data using IP filtering (Unless you have access to a sizable botnet for the data flood)

[mendip_discovery]

I find this somewhat ironic that people like to point out all the stuff China is up to and say how awful it is. Meanwhile a good majority of the rest of the world does some very similar stuff. Yes some of them have some legal framework in place but your data is often open to those willing to pay for it, then there is the police etc that when using the right keywords can get to a lot of that data.

I have always avoided using apps that come with random stuff as you never know what it is sending back to base. I get concerned with some of the programs on my PC that insist on having access to the internet when it has to real reason for it. 20 years ago blocking stuff from the internet was easy but now it's a nightmare.

[VK3DRB]

I find this somewhat ironic that people like to point out all the stuff China is up to and say how awful it is. Meanwhile a good majority of the rest of the world does some very similar stuff. Yes some of them have some legal framework in place but your data is often open to those willing to pay for it, then there is the police etc that when using the right keywords can get to a lot of that data.

I have always avoided using apps that come with random stuff as you never know what it is sending back to base. I get concerned with some of the programs on my PC that insist on having access to the internet when it has to real reason for it. 20 years ago blocking stuff from the internet was easy but now it's a nightmare.

Read the part about Data privacy on his first page. What the device is doing is clearly violating those "assurances".

One day, I mentioned to someone I was thinking of visiting a place called Warrnambool. No Google searches and I wasn't using the computer and we don't have toys like Siri and other listening devices other than two colour TV's and two telephones. Within a half hour, I got an advertisement for accommodation in Warrnambool. No coincidence.

[AndyBeez]

The primary location source for location-2-advert tracking is your IP address. Most ISPs share their IP to location data, including 4G/5G cell tower geolocations. So it's no wonder you had push content out in the badlands. Look down to the bottom of your Google search results. Freaky, eh?

Chinese apps calling home has long been a problem. I noticed recently a LED control app 'needed' access to Files and Contacts. Why? I suspect it was to share LED patterns with other "led fans". I didn't get caught out, but I'm sure millions already have.

For public domain 'location tracing': https://www.iplocation.net

[EPAIII]

Your car battery! Your refrigerator! Your toaster!

Apps? Heck, the phone itself was probably made in China. They don't even need apps to spy.

Only way around this is to not buy anything Chinese. Or anything with any Chinese parts. ..... Fat chance of that.

[Siwastaja]

>Android app requires location permissions to work.

I don't think it counts as spying. If I understood correctly, Android literally and explicitly asks user's permission for location data, and people willingly click "yes", so what's the issue?

[Shonky]

>Android app requires location permissions to work.

I don't think it counts as spying. If I understood correctly, Android literally and explicitly asks user's permission for location data, and people willingly click "yes", so what's the issue?

OK it needs the permission simply because that's how Android works to access the Bluetooth device.

It becomes spying when it takes extra data and posts it to server that is absolutely not needed for the device to work properly. Also the declaration that it doesn't send any personal data is false.

You could argue it's a shortcoming in Android's permission system but at the end of the day it's certainly doing way more than users would expect from that permission.

I have one of these and the app is OK but certainly not the best. I have toyed with the idea of writing my own as an exercise.

[eugene]

It's no wonder that people are concerned about apps collecting information they don't don't actually need and sending it home. But, it's a little perplexing to me that (most) people allow Google to do this on a massive scale. I understand that we need to trust someone, but Google, I don't trust you that much.

[madires]

It's not just a chinese vendor, it's a general problem! Usually apps for Amdroid and IOS are based on so called app or
development frameworks which come with all that nasty spying and data collection. If the framework is free for the app developer it's very likely that it will collect data to make money for the framework developer.

[NiHaoMike]

They could probably still clean up the data using IP filtering (Unless you have access to a sizable botnet for the data flood)

If it's a popular product, easiest would be to make a hacked version of the app that fakes the data being sent back. Or if you're on a CGNAT or VPN, they'll discard a lot of good data when they try to strip out the fakes.

[eugene]

The challenge with faking data in Android is that much of it is retrieved via a set of "apps" generally referred to as Google Services. In order to fake the data you literally need to replace those services at close to the operating system level.

There are de-Googled versions of Android like /e/os which will (depending on settings) give fake location and IP to any app that ask for such data. They don't fake everything. I wish I could completely hide my contacts list for example (if you get junk mail, odds are the email address was obtained from someone else's contact list.) It's definitely inconvenient because if I install any Google apps (App Store, Maps, Google Keyboard, gmail, etc...) then the purpose becomes defeated. But it does prevent others from tracking my location. I still have my old phone running a factory version of Android at home. It has no SIM card, so I can't make phone calls, but as long as there's wi-fi I can still use certain apps when I need to.

[edpalmer42]

>Android app requires location permissions to work.

I don't think it counts as spying. If I understood correctly, Android literally and explicitly asks user's permission for location data, and people willingly click "yes", so what's the issue?

Yes and no.  Android does ask, but if you say no, the app doesn't work.  That happens with all Bluetooth Low Energy (BLE) devices like this battery monitor.  When Google introduced BLE, they designed it to enforce that requirement.  The responsibility for this situation ultimately lies with them.  I'd like to see them justify this in front of a Congressional committee.

I have this battery monitor and I use this app.  When my firewall asked if the app should be allowed to access the net, I said "HELL NO!!!".  It's not a perfect solution but, these days, you're asking for trouble if you don't run a firewall program to control outgoing access.

Ed

[Infraviolet]

"20 years ago blocking stuff from the internet was easy but now it's a nightmare."
A virtual machine perhaps, isolate not-entirely trustworthy programs within it? Then cut off internet access from/to that VM in VirtualBox/VMWare's settings. The programs would run slower, but with modern hadware usually not even enough to be noticeable.

[abeyer]

When Google introduced BLE, they designed it to enforce that requirement.  The responsibility for this situation ultimately lies with them.  I'd like to see them justify this in front of a Congressional committee.

You say that like google is somehow to blame for the privacy situation... but if anything their choice on this was more disclosure than there otherwise would have been. BLE by design is fairly short range and allows enumerating unique ids of nearby devices. Companies have abused this by planting networks of BLE beacons and have databases of their geocoded locations... so any app developer with access to BLE data on your device and willing to spend some money for access to that geocoding data or use one of the frameworks that's already linked to these systems can effectively get your location data, even if you hadn't granted that permission.

[edpalmer42]

When Google introduced BLE, they designed it to enforce that requirement.  The responsibility for this situation ultimately lies with them.  I'd like to see them justify this in front of a Congressional committee.

You say that like google is somehow to blame for the privacy situation... but if anything their choice on this was more disclosure than there otherwise would have been. BLE by design is fairly short range and allows enumerating unique ids of nearby devices. Companies have abused this by planting networks of BLE beacons and have databases of their geocoded locations... so any app developer with access to BLE data on your device and willing to spend some money for access to that geocoding data or use one of the frameworks that's already linked to these systems can effectively get your location data, even if you hadn't granted that permission.

What I said is that Google linked location services to BLE.  You can't have one without the other.  Without this apparently arbitrary linkage, you could use BLE while denying permission to access location services.  Then, if a BLE app refused to run without location services, the fault would lie squarely with the app developer.  Now, an unscrupulous app developer can just shrug and say that he doesn't use location services but Google forces it.  Then he just does what he wants and hopes nobody catches him.  Ethical developers are caught in the same trap.  They don't use location services, but their apps won't run without access to the unnecessary and unused service.

Ed

[abeyer]

When Google introduced BLE, they designed it to enforce that requirement.  The responsibility for this situation ultimately lies with them.  I'd like to see them justify this in front of a Congressional committee.

You say that like google is somehow to blame for the privacy situation... but if anything their choice on this was more disclosure than there otherwise would have been. BLE by design is fairly short range and allows enumerating unique ids of nearby devices. Companies have abused this by planting networks of BLE beacons and have databases of their geocoded locations... so any app developer with access to BLE data on your device and willing to spend some money for access to that geocoding data or use one of the frameworks that's already linked to these systems can effectively get your location data, even if you hadn't granted that permission.

What I said is that Google linked location services to BLE.  You can't have one without the other.  Without this apparently arbitrary linkage, you could use BLE while denying permission to access location services.  Then, if a BLE app refused to run without location services, the fault would lie squarely with the app developer.  Now, an unscrupulous app developer can just shrug and say that he doesn't use location services but Google forces it.  Then he just does what he wants and hopes nobody catches him.  Ethical developers are caught in the same trap.  They don't use location services, but their apps won't run without access to the unnecessary and unused service.

Ed

In that scenario you propose, you could agree to allow bluetooth but not location, and any untrusted app could still get your location even though you never agreed to it. That's the fundamental problem: it isn't really possible to give full access to use bluetooth while not making it possible to extract your location even without GPS. So, what's the value in separating them?

In theory I could see maybe a hierarchical permission system, where you gave permission for location and then could specify which specific mechanisms to allow eg allow location only via bluetooth and not via GPS... but that would be a pretty big departure from the existing permissions model, from what I know.

[.RC.]

Look down to the bottom of your Google search results. Freaky, eh?

My location given by google, many many many hundreds of km away, I might as well be on the moon.

I thought someone use starlink is also going to show up as being in the USA?

[SiliconWizard]

>Android app requires location permissions to work.

I don't think it counts as spying. If I understood correctly, Android literally and explicitly asks user's permission for location data, and people willingly click "yes", so what's the issue?

Uh, the issue is that the app won't work without it, so whether users are AWARE of it (or even asked about it) or not matters only if users are willing NOT to use the app.
Otherwise, once granted access to location, the app can do pretty much what it pleases with it.
Not sure I get your point. Obviously it's "spying" only if the app actively tracks and uploads your location, which sure the app is not FORCED to do, but you can bet that many will.

And this whole Bluetooth Android location thing is mind-boggingly stupid. That would be a good reason enough to ditch Android.

[haxrob]

Hi all, first time poster on eevblog - really enjoying reading the variety of view points in the discussions in this thread. Thanks for showing in interest in this minor endeavor. 

On the topic of the Bluetooth permissions - with iOS you don't need to hand out all the neighboring (mobile) cell ids, GPS coordinates and wifi network BSSIDs for BLE scanning - and I'm pretty OK with that.

Based on some comments in this thread, it appears there some interest on developing a new application to replace the official version. That's enough to give me motivation to finish reversing this interface. Here is what i've done so far:
https://doubleagent.net/hardware/ble/bluetooth/2023/05/22/a-car-battery-monitor-tracking-your-location-part2.

And the resulting python code to read the voltages from the device over BLE:
https://gist.github.com/x1sec/3af7efdcd3465aac09093081c32ba321

What needs to be implemented next is to be able to obtain archived voltage readings stored in the device's memory for when it isn't paired.

I'll also be tackling the firmware for the SoC at some point. Waiting for the debugger for the Texas Instruments CC2541 to arrive. In the post linked above, I provide a way to pull firmware it uses for OTA updates from their cloud servers. It's bundled in a proprietary format so there is some further reversing work to be done here.

FYI I have reported my findings to Jaycar and and have responded promptly - immediately initiating an investigation on their side.

[NiHaoMike]

I think it would be good to add a feature to send tracking with fake data to really show them how much the users hate tracking, of course have it disabled by default so it would be opt in. (What should it be called? I vote "chaffing" after the aerial combat device.)

[RJSV]

My doctor's conventional office uses Google enterprise stuff, although I don't recall the exact product name, but has a logo, and I've also seen Google 'Play' involved in the various office interactions.
Radio receivers unavailable retail now, so you get a choice of some crippled podcast that has horrible drop-outs, and, YouTube style advertisements have been creeping in, starting May 2023.
   If you get tired of the seemingly crippled podcast you MUST get the APP.
After all, you never did PAY for that (free) radio show.  Congress, early in the days of radio broadcasting, specifically placed measures to ensure a decent flow of info traffic to the public, meaning that a large part of that intent was to avoid the whole 'gouging' or exploitation of listener by way of excessive charges.

   Many of the medical office situations involve staff that certainly are tone-deaf to this whole discussion, saying things like "What's the big deal, you sign up, get the APP,...and then you can access all your (private medical data!  Convenient !"

   You might then ask "How did Google get my private medical data?"...
By reading it, in the WEB Portal App.
Funny thing, I just realized, the host of those APPs has your private data, but if you haven't signed up, you don't have access; they have more of your stuff than you do, in that case !

[mendip_discovery]

"20 years ago blocking stuff from the internet was easy but now it's a nightmare."
A virtual machine perhaps, isolate not-entirely trustworthy programs within it? Then cut off internet access from/to that VM in VirtualBox/VMWare's settings. The programs would run slower, but with modern hadware usually not even enough to be noticeable.

Back then not every program had a reason to phone home but now everything needs the internet to check you have a current subscription, updates checks and cloud stuff. Back in the 2000s, I remember running ZoneAlarm so you allow individual programs access to the internet and turn it off later. It did help cut down on your 56k dial-up grinding to a halt just because something was calling home to report your recent usage.

On a phone, it's a nightmare. I recently had to install an app so I could connect to a boroscope that uses WiFi. While in use it's fairly safe as I have to connect to the WiFi of the camera unit so its not connected to the outside world, but I don't like having the app on my phone.

You might then ask "How did Google get my private medical data?"...

I remember with a charity someone suggested we make a list of all the members and put pins on a map to see the coverage we had. Then someone pointed out that this is a big risk with the DPA as Google will harvest the names and the postcodes for these people and add them to the collective. They even stated sending URLs to development web pages via Google can cause the crawlbot to know of it and crawl it shortly afterwards exposing your work to the rest of the world. I did think this was paranoia but I was assured it was true and given the job the person saying it had, there was a good chance he had actually read the terms and conditions for things.