Pandora’s box has been opened in ways that only films envisioned, and the scenario is rapidly escalating.
Automatic license plate readers (ALPR) provided by surveillance firms now utilize a technology known as SignalTrace, which employs sensors within the ALPRs to extract electronic hardware identifiers from your smart devices. Even more troubling, it’s being marketed and made accessible to law enforcement agencies such as police, border patrol, and other governmental organizations. Naturally, it didn’t take long for such technology to be misused, with officers already being caught using license plate readers to track individuals.
We are not solely referring to the tracking of your connected vehicle. This surveillance extends to mobile phones, wearables such as smartwatches and smart rings, and even microchips in your pets or AirTags in your children’s backpacks. Additionally, it collects data from your car, which presents its own complexities when trying to disconnect. There’s no ability to opt out, and no safeguards in place because the technological advancements occurred so swiftly. Legislation hasn’t caught up yet. Security specialist Matt Hurewitz, currently the CISO at Ent.AI, stated on The Drivecast, “the laws are way behind” and remarked, “If you give it enough time, there will be instances that impact individuals in significant ways, prompting crucial discussions.”
In the latest episode of The Drivecast, we engage with Hurewitz on how rapidly emerging technologies allow the government to establish a digital map of your existence without your awareness, and how there is currently no effective method to prevent this from occurring.
New to our content? The Drivecast is The Drive‘s weekly podcast that takes you behind-the-scenes on the most significant controversies, narratives, and figures influencing the automotive domain along with current road conditions. Powered by The Drive‘s exclusive access, original journalism, and insights, The Drivecast endeavors to make everyone an insider.
Tune into The Drivecast on Spotify, Apple Podcasts, or Amazon Music. Do you enjoy it? Appreciate it? Want to support us? Leave a five-star review on your preferred platform to help promote The Drivecast to a broader audience. Have suggestions, tips, requests, or feedback? Reach out to us at [email protected]. We ensure every email is read.
Complete Transcript
Joel: Greetings to everyone, and welcome to the Drivecast. I’m Joel Feder, serving as director of content and product at The Drive.
Adam: And I’m Adam Ismail, a senior editor at The Drive.
Joel: The Drivecast is our weekly podcast offering an insider’s perspective on the most significant stories, controversies, and personalities shaping the automotive sector. Today, we’ll be discussing how the devices you carry can enable law enforcement and the government to monitor your every action. A concerning notion. Prepare to don your tinfoil hats.
Adam: That’s certainly the case, Joel; a new type of license plate reading camera is said to be far more than its name implies. It can scrape the smart devices you carry with you and compile all that data into a comprehensive report for law enforcement and governmental entities.
Joel: Just to clarify, we aren’t discussing the tracking of just your connected car, correct, Adam? That’s an issue that has, dare I say, become old hat.
Adam: Unfortunately, it extends much further than that. We’re talking about phones, wearables, infotainment systems, and even pets’ microchips if they possess them.
Joel: Yikes. And my dog is definitely microchipped. Who would have thought AirTags and smartwatches would enable tracking by someone or something, right? This discussion originated last week when Adam explored the matter on The Drive. And let me tell you, the feedback was intense. Shocking. Today, we will investigate what’s truly happening and chat with a special guest to help us differentiate truth from fiction, my friend, and more importantly, security specialist, Matt Horwitz, who is currently the CISO at Ent AI. By the way, if you appreciate our content, please do us a favor by leaving a five-star rating on Spotify or Apple Podcasts. This genuinely helps increase the visibility of The Drivecast. Alright, let’s dive in.
Joel: So Adam, it feels like we’re living in a film. I say this repeatedly, considering Elon’s robots and all this technological advancement; I often ask, “Hasn’t anyone watched the movie I, Robot with Will Smith?” Nowadays, there are countless films depicting what we’re experiencing or are about to experience. I’m convinced that if my grandmother were here today and witnessed electric vehicles and robots, she would be utterly perplexed.
Adam: Yes, and during uncertain times like these, I often recall a tweet from some time ago, expressing, “It would be refreshing to return to some familiar times,” because technology evolves so remarkably fast across all aspects of life. The world is just beginning to grapple with challenges that I’m sure our guest Matt will address, particularly regarding the global implications of automated license plate reader cameras. These devices have existed for years, but now we must confront additional complexities, you know?
Joel: Well, we’ll get to Matt and the crux of the issue shortly. First, I thought it’d be entertaining to share what we each regularly carry, including our dog. I mean, I’m constantly equipped with my iPhone, a smartwatch, a smart ring, as I’m quite health-conscious, and all data tracking. I have AirPods, AirTags, my dog is chipped, and our vehicles are sufficiently modern to possess infotainment systems and GPS. I’m sure I overlooked something, but that covers the essentials. What about you?
Adam: I believe you’ve encompassed virtually every potential category that they track. As for me, I suppose I travel light. I have my phone; sometimes I wear my smartwatch, although not daily. Yet, that’s almost irrelevant, isn’t it? TPMS sensors were mentioned earlier, right?
Joel: Just for clarity, he just referenced the acronym for tire pressure monitoring systems, the device that alerts your car when the tire pressure is low. That leads us directly into our topic. Before we invite Matt for his expert insights, we must delve into the actual story and what’s unfolding in the report. Specifically, what are we discussing today, and what did you discover, Adam?
Adam: So Leonardo, an Italian defense firm that manufactures surveillance systems, has introduced new technology called Signal Trace. Essentially, we are now largely familiar with automated license plate reader cameras, and this technology is an enhancement to those systems. If enough data points and daily capture information are compiled, it’s possible to trace a person’s general life path based on their vehicle and repeated license plate identifications. This new technology links data from the smart devices you carry with you to that vehicle or whatever you’re traveling with. It organizes everything so that it’s clear you have this car, and alongside it, there’s an iPhone or another smart device tracked. Perhaps you’re with your pet or your dog, which is also contained within this data if it has a chip, like you previously mentioned, Joel. There are so many devices we rely on nowadays. It’s also collecting information built into the vehicle, such as infotainment systems, 5G modems for Wi-Fi hotspots if the feature exists, and TPMS sensors—the entire range is covered. If you can link a vehicle with a variety of devices, the uniqueness of each person’s collection leads to creating a detailed digital fingerprint of your identity. The ramifications of this are broad-reaching, and it’s a daunting dystopian scenario, wouldn’t you agree?
Joel: Before we bring Matt in, one final question: if I recall your report correctly, they claimed they aren’t decrypting any of this data, right? Thus, it remains anonymous, correct? What was their assertion? And then I have further inquiries for Matt, and we’ll bring him into the conversation.
Adam: Indeed. As quoted from Leonardo’s documentation, “Signal Trace captures only publicly broadcast device frequency activity. It does not decrypt or store any content from devices or communications. It operates like a license plate reader by capturing identifiers without accessing personal data or messages.” What’s intriguing about this disclaimer is that it essentially claims, “We’re not gaining unauthorized access. We’re merely detecting the signals broadcast by your devices and what you’ve chosen to carry.” However, this raises significant concerns as we live in an era of rapidly advancing technology, where legal frameworks should be established, yet they aren’t. Consequently, they find themselves in a position of leverage.
Joel: That’s a fantastic transition to introduce our colleague Matt. Matt Horwitz, a personal friend and poker buddy who resides here in Minnesota. We are acquainted outside of professional settings, and sometimes our professional paths intersect. You’re recognized as a security expert, correct?
Matt: Yes, although I wouldn’t necessarily describe myself with that term, but yes.
Joel: I do because I value your expertise. So to start off, Matt, how concerned should consumers be? Is the strong reaction to this story warranted, or is it merely an overreaction? Just a high-level perspective.
Matt: Adam, you did an excellent job articulating the technology and its broad applications. It’s crucial to understand that consumers often accept privacy compromises for convenience or perceived value. However, what I will refer to as dual use might not have been what they intended when they clicked through the terms of service. I’m sure Adam and Joel read those, and I do too, but many individuals do not. Hence, there is much to consider.
Nonetheless, they’re correct in stating the information is public. As Joel mentioned, asserting, “I don’t encrypt anything,” is technically true; however, encryption is a specific measure preventing a particular type of breach. That doesn’t imply their actions are any less invasive or uncomfortable. From a policy standpoint, the judiciary is indeed lagging, and the laws are outdated. Nonetheless, I feel uneasy about someone extracting data from my vehicle without my consent, especially regarding devices I wasn’t aware were broadcasting for that purpose, allowing law enforcement to gather intelligence from outside my car regarding my information. I’m not an attorney, but there are likely Fourth Amendment concerns that must be addressed here.
In general, I’d say this: if a security practitioner gains access to you while you’re in your vehicle and approaches from outside with tools, you might be surprised by what can be extracted from the air. Subsequently, we can correlate findings with readily available internet data and form a comprehensive profile based on information you were unaware was accessible.
Joel: That’s a solid setup for my next inquiry. You can’t simply opt out. You previously discussed how while driving, once you possess devices like an iPhone, AirPods, and other electronics, you generally have to accept their terms of service. While we, as hosts, likely read these terms fully, that’s not true for the wider consumer base. So consider the dilemma: you’re driving, broadcasting all of this data, and there’s no opt-out option. If I invite you into my vehicle, I’ve given you permission, a security specialist, yet you possess the ability to access things unknown to me. What about my father or my friends unfamiliar with vehicles who may not even realize their tire pressure monitoring system can reveal their whereabouts?
Matt: They remain unprotected. Ignorance of what you’ve purchased or utilized offers no legal protection at present. Complicating matters further is the mindset when consenting. Upon buying an iPhone and agreeing to terms, your thoughts revolve around communicating with loved ones, engaging on social media, or managing your photos—everything is geared for convenience.
Thus, when you arrive at an airport, seeking an internet connection, you activate your device, revealing multiple Wi-Fi options. The reason these options appear is their activity in broadcasting: the network name, MAC address, and other identifiers allow users to connect to MSP Free Wi-Fi and get online. The protocols aiding device recognition can also be exploited in surprising manners.
When it comes to Bluetooth Low Energy devices, the beacons allowing you to locate lost items continually broadcast information to enhance that functionality: signal strength, tag name, MAC address, and certain particulars about the device. Understanding these factors helps locate your wallet, and they also enable someone like me to gauge signal strength, suggesting your proximity to the transmitting or receiving device. When connecting to a Wi-Fi network—or automobiles with Wi-Fi accessibility—if I’m driving next to you, it’s feasible for me to observe your network, just as we often see our neighbors’ Wi-Fi names, even if we cannot access them. All this data contributes to profiling and drawing conclusions about you based on publicly available technology. While it may not involve encryption, and technically, you need no key to interpret the information, the utilization of this data might surprise the user.
Joel: Thus, these already operational devices, whether performing singular or dual functions, now possess the capacity to track everything emitting Bluetooth and RF signals, including tire pressure monitoring systems, AirTags, pet chips, iPhones, Oura rings, and smartwatches. We could enumerate all the items within my personal collection, and you may not realize they’re being tracked. The concerning aspect is that this tracking isn’t confined to individual stoplights but spans numerous locations, forming a grid that illustrates a map of your precise location and activities. Many individuals maintain consistent routines, enabling someone to create a vivid depiction of someone’s daily activities for potentially malicious reasons. Did I summarize this accurately, Adam, and capture the essence of public concern?
Adam: Absolutely, and this recent development involving Leonardo is intriguing. They aren’t the only company in this space; we can discuss others engaged in ALPR-related ventures. Reflecting on 2019, I recall a New York Times article revealing how data brokers track individuals, simply by recognizing daily patterns. This raises an important question: have we already relinquished so much privacy with existing license plate cameras, and the previously available technology, that while this issue is significant, it also exposes the reality of our ongoing circumstances? When awareness arises around such technologies, it often maintains a dissonance compared to policy. We may have been unwittingly experiencing this level of oversight without realizing its implications. I find myself pondering this frequently.
Matt: The practitioner community has discussed this extensively for years. It’s widely accepted that convenience and perceived value frequently outweigh security concerns for most individuals. There’s a glaring lack of comprehensive policy regulation surrounding this topic, but I predict that if we wait long enough, real-world incidents will occur that deeply affect individuals, prompting essential discussions.
Moreover, as chips evolve—gaining power and decreasing in size—it becomes increasingly straightforward for manufacturers to obtain chips equipped with capabilities beyond their intended use. Consider that when I purchase a small chip meant for unlocking a door, I’m unaware that it may have the potential to perform additional tasks. The chips I acquire are among billions produced annually by large manufacturers who design them for the general market. As such, the chip I receive might possess functionalities beyond those currently being utilized.
This concept translates into risks related to third-party supply chains—the emerging legislative discussions about transparency and potential risks of components in products. Essentially, modern cars, now equipped with numerous computerized systems, prompt inquiries about their other possible functions. Occasionally, intriguing security research surfaces, showcasing vulnerabilities that expose these systems to misuse. Thus, the potential for misuse isn’t limited to this specific vendor employing publicly broadcast signals in ways consumers never anticipated; we will increasingly encounter such situations across the automotive sector and beyond.
Joel: It seems evident that consumers remain blissfully unaware, simply agreeing to terms of service without grasping the complexities within modern vehicles. To illustrate, recently, we reported on a man who purchased a new Toyota RAV4—a mid-tier vehicle costing around $32,000, which ranks among the best-selling cars globally. This car, not a luxury model, comes equipped with large screens, numerous chips, and computerized functionalities including GPS, Bluetooth, and satellite radio. This individual desired to keep his car entirely untraceable. To achieve this, he had to eliminate Bluetooth, GPS, satellite radio, and essentially all communications electronics.
This leads to your point—today’s vehicles are intrinsically connected. Utilizing Bluetooth for your phone renders it a connected vehicle. We’ve grown accustomed to constant connectivity, requiring features like CarPlay for hands-free laws, given that many users can’t resist multitasking while driving. Yet, vehicles themselves now serve as data repositories, and with advancements in technology linking personal devices with license plate readers, we face the unsettling reality of creating digital landscapes of our lives. It’s frightful, truly frightening. Matt, what can individuals do? Aside from the extreme case of a person disassembling their entire car, what feasible actions can people take? Should they be concerned, or is there no cause for alarm?
Matt: I believe individuals should be aware, allowing them to make informed choices regarding their level of concern and potential behavioral changes. My primary issue arises when people remain unaware, then unexpectedly encounter negative consequences. I’m surprised that individual’s vehicle remains operational after removing significant electronics; if a person disables crucial components, they may void their warranty or render the vehicle unusable. Consumers should receive clear information before making purchases, ideally in an easily understandable format that swiftly conveys essential points about what they’re agreeing to.
However, an additional concern is that existing ecosystems do not offer many choices for average consumers who confer about limitations with either Apple or other providers. Most often, opting out of Apple isn’t a viable option. In the short term, this could be uncomfortable, but long-term, it could nurture greater variety and meaningful legislation—and ultimately, regulations designed to safeguard consumers. While I’m not fundamentally pro-regulation, I think consumers deserve to grasp associated risks, which represents a significant gap at this time. Many will be taken aback when they discover how vulnerable they actually are.
Joel: I concur, and it’s ironic because discussions often arise in forums like Reddit or within The Drive’s comment sections. If we mention brands like Rivian, Tesla, or GM’s current electric vehicles and note their lack of Apple CarPlay, responses vary widely. Some owners express adaptability, while others adamantly refuse to purchase such vehicles due to missing features. There’s a passionate divide over the necessity of CarPlay, leading to personal reflections from owners either lamenting its absence or arguing they don’t miss it at all.
To maintain an organized discussion, let’s wrap up with final thoughts. Adam, I’ll start with you for your closing insights on this matter, considering you reported on it for us.
Adam: Clearly, we’re navigating dangerous and fascinating times. It’ll be interesting to witness how stories like this develop further, influencing public awareness as Matt indicated, as well as policies that evolve. I’m particularly eager to see how device manufacturers and technology firms will react. Just recalling that when I try to disable Bluetooth on my iPhone, it tends to reactivate itself. Is it not the case that if you tap the button, it turns back on automatically? Individuals may think they’ve turned off a feature but don’t realize it remains active. Cars exhibit similar functionalities. The challenge is that opting out of certain features is nearly impossible; achieving a data-free existence might necessitate severe measures such as physically disassembling components. I say let’s keep an eye on this area as the conversation will undoubtedly intensify. And a shoutout to 404 Media for their insightful coverage of what Leonardo is doing, capturing significant attention.
Joel: Matt, what are your concluding thoughts on this topic for today, as Adam rightly suggests this won’t be the last discussion of its kind?
Matt: A small group of individuals consistently advocates for comprehensive privacy, yet most only react when faced with privacy infringements, often after compliance issues come to light. Organizations such as the EFF engage deeply in related concerns and contribute invaluable discourse in practitioner circles. I hope we can be proactive in addressing these matters before individuals encounter serious repercussions stemming from convenience-driven decisions. The protocols designed for ease and efficiency have become deeply ingrained in modern interactions, underscoring their significance. When these technologies are employed for unexpected purposes, particularly concerning law enforcement cooperation, we must tread thoughtfully. Protection of individual privacy remains paramount, and I leave it at that.
Joel: Integrating my closing remarks with the sentiments expressed, I wholeheartedly agree. It would be fantastic to witness the establishment of a formal legal framework surrounding these issues. Recent discussions around AI systems—whether involving Anthropic or others in government policy formations—are compelling. Just weeks ago, Caleb and I were discussing regulatory measures targeting diesel truck owners, making the irony palpable that now we’re addressing the government’s capacity to monitor via diverse devices using license plate readers. This conversation isn’t just one-time; it will continue to evolve. I extend my gratitude to Matt and, of course, Adam, who produces this content on a consistent basis. I truly appreciate your time and expertise, Matt. Your input is invaluable, and I am sure we’ll hear from you again in the future.
Matt: My pleasure. Thank you for having me; it’s been enjoyable, and I look forward to our next discussion.
Joel: If any concerns arise regarding the automotive industry or this subject, please don’t hesitate to contact us at [email protected]. We welcome your feedback, and I assure you every email is read. That concludes this week’s episode of The Drivecast. Thanks to Leonardo for revealing another layer of Pandora’s box, to Adam for shedding light on this crucial matter, to Matt for his contributions, gratitude to our editor Tyler Mark, and thanks to you for listening.
Adam: Don’t forget to visit thedrive.com for in-depth coverage on this topic and so much more. Subscribe to any of our fine newsletters—they’re free! Follow us on Instagram, Facebook, and TikTok, and subscribe on YouTube, where we have several exciting videos forthcoming.
Joel: We’ll see you next Wednesday. Goodbye, everyone.