Car dealerships generally have a reputation of being fairly low on the ethical scale. But we just encountered a recent and more insidious way some are abusing customers’ rights and expectations. Here’s our story:

A few months ago, we bought a used car from the Bob Rohrman Subaru dealership in Lafayette, Indiana. During the negotiation phase, their original proposed paperwork had an insanely high amount of documentation and other bogus fees (not the taxes). I balked at it, saying I’ve never seen such inflated fees. They immediately agreed to “remove this [big] part of the fees, which was for the LoJack service”, yet its description didn’t actually say what it was for at all. They always include it by default, gouging customers for a worse-than-worthless “service”.

My reply was, “Definitely remove that. I would never want LoJack — it’s just an invasion of privacy.” That made our position very clear.

We eventually settled on the price. For logistical reasons, we were coming back to pay and take delivery a few days later. This gave them plenty of time to fill up the tank and make sure everything was ready for us (which they confirmed having done).

Fast forward a couple of months in time, while my wife has been driving the “new” car on a daily basis. One day she mentioned to me that something under the dash detached and was dangling from wires … would I go fix that?

The Spireon LoJack transmitter that had been hidden behind our dashboard by the Bob Rohrman dealership.

I was disgusted to find that an active Spireon LoJack transmitter was installed and hidden in our car — directly against our agreement! We could have been tracked for years without our knowledge, and you may be too!

By the way, I have no problem with dealerships using LoJack or similar tracking devices on the vehicles in their inventory, since they supposedly improve theft recovery rates, which reduce overall costs and could in principle keep theft overhead costs from being passed on to legitimate customers.

But tracking customers by GPS without consent (regardless of who pays for it), misrepresenting the capabilities of LoJack devices, and ignoring the insecurities and side-effects are all inexcusable violations of ethics, privacy, and security.

Technical Details:

For a very enlightening analysis of how incompetent the Spireon engineers are and how vulnerable many LoJack-tracked vehicles are to being hacked, read the analysis by Kudelski IoT Labs. Ironically, though these crap devices are sold for the sole purpose of aiding recovery of stolen vehicles, since anyone can hack, track movements, and disable these vehicles through their unencrypted cellular transmitters, Spireon LoJack’d vehicle owners are at higher risk of theft, burglary, and other crimes of opportunity that knowledge provides.

Consider that a criminal hacker, with easy access to hundreds or thousands of individually-identifiable cars’ real-time GPS positions, can watch the maps, figure out where each car “lives”, know when it is far from home, when it’s parked at the airport, etc. How simple it becomes to rob the vacant home and be certain the owner is far away. The burglar could even disable the owner’s car remotely to help make sure they can’t get home quickly!

Comments Wanted!

If something similar has happened to you too, I’d be interested to hear where it was and how long you were tracked without knowing it. Add a comment here to tell about it.
