Warning: *privacy not included with this product
Hyundai is a South Korean car company founded in 1967. Once knocked for building cheap, unreliable cars, Hyundai has improved their reputation over the past few decades and is now pretty popular around the world. Newer models inculde the Elantra, Kona, Sonata, Santa Fe, and EVs Ioniq 5 and Nexo. Their MyHyundai app and Bluelink connected servcies lets owners do lots of remote things like start the vehicle, lock and unlock the car, honk the horn and flash the lights, check your EV's charging status, and even connect your WearOS watch for voice commands do remote car things as well. So, how is Hyundai at privacy? Well, they are pretty yucky to be honest.
What could happen if something goes wrong?
Hyundai nooooooo! We loved your wholesome Kevin Bacon commercial. But your privacy policies? They seem like they were written in a tiny town where privacy is illegal (that was a Kevin Bacon/Footloose movie joke for you young'uns). We did not enjoy reading them. Here’s what gave us the willies: Hyundai collects a massive amount of detailed and sensitive data about you and what you do. And we don’t like how they treat it: When they’re not sharing or selling it (two things we feel they do too much of) they fail to keep it safe. Oh, and their position on sharing all that data and personal information with law enforcement and governments is not great at all.
Like all the cars we looked at, Hyundai collects a ton of information about what you do in your car, through the app, using those Bluelink connected services, and more Things like your geolocation, how fast you drive, whether you’re using the seatbelts, your presets and use of your car’s features, and when exactly you do these things. They also collect “sensor data” that’s created by your vehicle, which can include “images and event data.” OK so basically everything you do in your car. What else? Well, they collect information about the world around your car, like “images from exterior cameras” and “weather, temperature and other driving conditions.”
Back to you, Hyundai can also collect information about stuff you buy (“purchase history”) and sites you browse online (“browsing history”). Beyond things you do, they collect a lot of information about you; Information about your identity, like your driver’s license number, your IP address, insurance policy number, and other “unique identifiers.” So far, they’re about tied with most of the car companies we looked at, but they don’t stop there.
Broad and vague language is common in privacy policies, but it still annoys us every time. Like when Hyundai says, in their California Privacy Supplement, under biometric information collected, that they might collect “[p]physiological, biological or behavioral characteristics.” The example they provide is “fingerprint or facial recognition” that you might use to enroll for certain features. But since that’s technically just an example, that could also give them permission to collect a lot more.
There’s more! Not all of the information that Hyundai learns and stores about you is taken from your car, what you tell them, or even from your phone. Hyundai can collect information about you from “dealers,” “public sources,” “affiliates and partners,” “data aggregators and brokers,” and “government entities.” Crikey!
Bet you’re wondering what they do with that mountain of data. For one, they use it to make up even more data about you. Hyundai collects “inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, behavior or attitudes.” There’s that too-broad “characteristics” word again. We’d say more about how we feel about this, Hyundai, but you should be able to ~infer~ our attitude from this review.
More upsetting news: Hyundai does a whole lotta sharing and selling of your data, sometimes for “marketing and promotional purposes.” Specifically, they “may ‘sell’ or ‘share’ identifiers [like your Social Security number in the United States], customer records [which can include “medical information”], commercial information, internet or other electronic network usage data [“search history”], and profiles and inferences to or with affiliates and subsidiaries, marketing partners, third party ad companies and other marketing and advertising partners; and analytics providers.” Affiliates and marketers and partners -- oh my! It’s starting to feel like selling cars is secondary to your data biz, Hyundai.
Moving on. Like most connected products, Hyundai can also “collect, use, and disclose” aggregate and anonymized data however they like, which, we do like to point out, especially with large volumes of sensitive information, can be relatively easy to re-identify.
Ouff. OK but since it looks like data’s an important asset to Hyundai, surely they have nailed down how to properly protect it? No, they have not. Another thing that Hyundai does with your data is accidentally give it away. In April, Hyundai suffered a data breach that exposed the personal information of French and Italian car owners who booked a test drive. Worse, in February Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on TikTok led to hundreds of car thefts, including 14 reported crashes and eight fatalities, according to the United States’ National Highway Traffic Safety Administration. Thieves known as “The Kia Boyz” posted instructional videos about how to bypass the vehicles’ security system using only a USB cable and a screwdriver. Dang, that is really not good. And initial fixes for the problem didn't actually seem to, you know, fix the problem. We did get a good chuckle of Kia's solution to this security problem leaning heavily into trying to take down the TikTok videos showing people how to exploit the problem and maybe not enough into actually fixing the security problem. ""Ira Gabriel, a spokesman for Hyundai, said the company has tried to remove from social media the instructional videos that show how to steal the cars .But as new ones surface,” he said, “there have been additional waves of thefts.”" Call us a tough customer, but we believe taking control of someone else’s car should be more challenging than charging your phone.
Last year, Hyundai made (another) pretty embarrassing misstep when they used an encryption key that was copied from an example listed in a public document, allowing a software developer to “hack” their own car’s software with a simple Google search. That boneheaded oopsie also gave us a good chuckle, but we also don't know if we should laugh or cry and Hyundai's struggle to security their stuff.
So what are your options? Can you at least opt out of some or any of this? Not really. If you opt out of data collection from the technologies and services, then “most Vehicle Technologies and Services will not be available to you.” And if you try to opt out of the collection, sales, or sharing (of information collected through the app or your car) through the Personal Information Request Portal, Hyundai will only “respond to your request as required by state law” which means only Californians and residents of states with similar privacy laws have that right. Oh, and lucky people living in Europe under their stronger GDPR privacy laws will be good too. The rest of us, well, we're probably out of luck. Ugh!
Clearly, bad stuff’s already happening with Hyundai’s privacy practices. But it could get worse. Hyundai could goof up again and expose the absolute avalanche of private data (plus inferences) that they have collected about you. Or they could drop the data security ball (again) by giving away control of your car to folks with more sinister intentions than teenagers on TikTok.
Hyundai’s tagline is “New thinking, new possibilities” but we’d humbly suggest they pump the brakes until they master the fundamentals -- like keeping their cars and customer data secure. Hey, actually, we found a document that summarizes our other suggestions for you pretty well, Hyundai. It mentions the importance of privacy and advocates for data minimization, data security, choice, transparency, and more! Hang on, it looks like you agreed to these principles! Perhaps you should give it another gander. and do better Until then, we’d suggest drivers keep at least six degrees of separation from a Hyundai -- they come with *privacy not included.
Tips to protect yourself
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
"Name, username, address, VIN, IP address and online identifiers, email address, account name, SSN, driver’s license number and other government identifiers, and unique personal identifiers, precise location. browsing history, search history, gender, age, citizenship, marital status, and disability status. Inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, behavior or attitudes. Vehicle- and driving-related information: Audio, visual and other electronic data: including data related to your Vehicle and the Vehicle Technologies and Services, including error codes, diagnostic and performance data, and other sensor data generated by your Vehicle, images and event data generated in connection with certain features (such as autonomous driving features), and data from third party accounts services that you link you MyHyundai account (e.g., calendar integration); inferences and trends derived from Covered Information (e.g., for quality, safety, improvement, analytics and other purposes); Usage and performance: information related to the use of your Vehicle and the Vehicle Technologies and Services, as well as Vehicle performance, diagnostic codes and service-related data. This includes information such as odometer, mileage, MPG and emissions data; tire pressure data; trouble or error codes, and other diagnostic data; service and maintenance history; engine performance; tire pressure data; weather, temperature and other driving conditions; fuel levels and refueling activity; battery levels and status; images from exterior cameras (if available); Vehicle settings, commands and presets, points of interest, and other information about your use of certain features, including which features you activate, access or use; and other performance, mechanical and operational data; as well as associated date/time stamps for such information; Geolocation data: location information, including your Vehicle’s GPS location, and, when you engage remote services using your mobile device, your mobile device location information; Driving data: including driving data about the operation of a Vehicle, such as speed, acceleration and breaking data; direction of travel; trip data (mileage, date, length, conditions); ignition events; steering events; cruise control data; seatbelt status; information about Vehicle incidents or events; other information about how you drive a Vehicle; as well as associated date/time stamps for such information."
"Audio, electronic, visual, thermal, olfactory, or similar information such as, CCTV footage, photographs, and call recordings and other audio recordings." "Physiological, biological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity. For example, if you enroll, we may collect and process biometrics (e.g., fingerprint or facial recognition) as part of certain features and services, such as digital key and other vehicle services that enable your access using your biometric access credentials, subject to your consent as required under applicable laws." Biometric information: such as fingerprints or facial templates, if you enable and enroll in biometric authentication to access your Vehicle or certain Vehicle Technologies and Services."
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In April 2023, Hyundai disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data.
In 2022, a software developer cracked Hyundai car security with a simple Google search. The vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.
In February 2023, Kia and Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on the social media platform had led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as “the Kia Boyz” would post instructional videos about how to bypass the vehicles’ security system using tools as simple as a USB cable."
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Links to privacy information
Does this product meet our Minimum Security Standards?
While Hyundai has encryption on its products, there was evidence of this encryption has been weak. Also, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
You can report vulnerabilities here.
Highway driving assist includes such features as lane following assist, smart cruise control, etc. It is available in the newest cars. These features are enabled by numerous cameras, sensors and radars on the car.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
SiriusXM Software Flaw Let Researchers Unlock And Start Cars RemotelyMotor 1
Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challengeThe Verge
Hackers Can Clone Millions of Toyota, Hyundai, and Kia KeysWired
Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your DataNewsweek
Hyundai data breach exposes owner details in France and ItalyBleeping Computer
Software developer cracks Hyundai car security with Google searchThe Register
Hyundai Uses Example Keys for Encryption SystemSchneier on Security
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and MoreSam Curry
Hyundai and Kia thefts keep rising despite security fixAP
Kia, Hyundai are easy targets for thieves, insurance data confirmsCNN
Got a comment? Let us hear it.