Is it possible to buy a new car these days without the remote/cell connection stuff? Or if not, can it be disabled? My car is 15 years old so I haven't had to think about it yet, but I'm worried about what I'll do when it finally gives up. Maybe just buy another older used one or something.
Alternatively, are there any killer features that make having an always connected car desirable? I understand why car manufacturers would want it for telemetry and updates and such but I'm not sure what the value is for me.
I use an app to turn on climate control in my car a few minutes before I'm ready to leave, so it's already warmed up in winter, or cooled down in summer, by the time I get in. My last few cars have been electric, so this doesn't involve starting up a noisy engine, and can safely be done if the car's parked in a garage too.
There are many use cases like this that make it nice to remotely signal your car, but many of them shouldn't require a subscription or WAN communication.
Funny how this suddenly became prevalent, when there was actually a time when you could buy software that would last for decades without the need for a subscription.
The only reason this would need a subscription is to pay for the sim.
I'd argue most modern software doesn't need to either but has hamfisted features that require it for the sole purpose of making you pay for a subscription.
Stuff like Adobe Creative Cloud has some cloud features that lock you into their ecosystem. Not taking them up on it and storing locally is still an option (for now anyway) but you can't choose not to pay for their cloud features if all you need is their editing software.
Remote start is present on my wife’s 2016 Chevy. Simple RFID built into the fob. No subscription required. I suspect that technology will last another 3 years and longer.
Not as full featured as grandparent comment’s use case (can’t start it in the garage) but it’s like 90% of the way there with a fraction of the complexity.
My last car had a key fob that could do that up to about a half mile away; cell signal irrelevant. It's just a 2-way remote start system. I miss it. The fob even reported the cab temperature.
When I was in school, about 20 years ago, my friend’s dad loved that feature on his (non-electric, obviously) car. But it simply used the key via RF and didn’t require internet or an app.
My new car got stolen earlier this year and the built-in GPS is the reason I got it back.
Police in my case took it super seriously and recovered the car even though it was on private property and the GPS signal was 400 yards off of the actual location.
In Europe there are many brand new cars that have BT for connecting locally to the smartphones for handsfree calls, but no access to Internet. I love that. We use Waze a lot for navigation, with Android Auto your phone can show the map on the car's display.
Even better, I found that some 2022 model motorcycles have no chip in the key, it is just a dumb key that starts the engine or opens the fuel cap - usually the offroad motorcycles that you don't want to leave you stranded in the middle of nowhere just because the chip is not read correctly.
As someone who was on the R&D Infotainment team on the US side of one of the big Japanese manufacturers, I had many heated debates with management over these "features," which became a big enough deal for me that it was one of the main reasons I left the company. The executive suite on the American side R&D were always pushing these dubious features for the underlying data underneath. This was masked as "value" for the customer, but it's mostly a smokescreen so that the manufacturer can sell the data on the open market. There is a large Silicon Valley/MBA influence when it comes to data and how to monetize it.
One may or may not be surprised by the philosophies here - the idea is to monetize the vehicle and data every step of the way. The data doesn't belong to the customer even though they bought the car. Given the pervasiveness I saw at this specific company and its software suppliers, I would assume every supplier and manufacturer for newer model vehicles is doing this now.
I'm a little old-ish school. At this point just give me a bluetooth connection that always works with my phone and I'm good. These newer vehicles are basically just another mobile phone on wheels, riddled with bugs and data collection services. No thanks.
The automotive firmware industry has had a strong preference historically for stable, old dependencies. With the advent of connected firmware, arises a strong force pushing in the other direction — towards frequent updates, built from latest and greatest dependencies. How they balance verification and validation for safety purposes with frequent and more volatile updates, will be interesting to watch.
The sharkfin is usually only for external comms. There's still other comms on separate antennas like Bluetooth that can be potential entry points to the vehicle.
Worse, even the external comms systems are moving to more redundant setups to mitigate signal loss scenarios.
I'll have to dig up the post but a gentleman with a relatively new Subaru was kind enough to share his explorations and found significant logic parts integrated into the sharkfin, not just the antenna bundle. Likely a cost measure.
How well does this extend to other vehicles? No clue.
All of that comms stuff has its own logic associated with it that usually lives up there in my experience. In the past, manufacturers have tried to avoid putting much stuff above the headliner beyond roof windows and speakers. It's hot, narrow, and vibrates a lot (especially in the center). Frankly, the antennas are only up there because antenna placement is very expensive magic that doesn't deign to obey the whims of mere "designers".
Things are changing though. Autonomous vehicles need large numbers of sensors up there anyways and you can't keep shoving everything under the cabin.
How available are full vehicle wiring diagrams these days? Not any good for radios built into computers like the bluetooth antenna in the head unit, but it might be nice to snip the wires to the sharkfin or other remote comm modules without having to tear at body work or computer modules.
That would take away the government's ability to track vehicles. They look the other way on consumer protection and the manufacturers get to coerce you into subscription services. Win win right?
The linked vulnerabilities don't even have anything to do with firmware (although it is certainly littered with issues too), but rather just basic web/application security issues on the "cloud" side of "cloud" services.
This is less of a directional shift IMO as the classic "hardware companies are bad at software" issue. There's no unsolved or novel problem in this SiriusXM vulnerability (or one from the same researcher in Hyundai/Genesis systems where they compared a JWT subject with a subject passed in the request, but stripped whitespace). There's no update-frequency or validation issue. It's just basic web application security getting neglected.
Maybe the automotive firmware industry had it right. Software on the internet is often just plain bad. SiriusXM's software should have had proper authentication on the endpoints.
>At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan.
>We reported the issue to SiriusXM who fixed it immediately and validated their patch.
Nice to see that it was addressed quickly, but it's frightening that such a shoddy system design was accepted by auto manufacturers with seemingly no oversight.
> This severe vulnerability isn't going to hurt their bottom line, even if it "should".
When there's damnable, devastating security news for some publicly-traded company that makes it to the big news sources, the stock takes a 0-10% dive and then completely recovers within a couple weeks. Even if the company's response is completely bungled, mismanaged, or miscommunicated, the market doesn't understand security issues and it seems like the company just benefits from the news exposure.
I wish I kept notes on the last few times I've seen this happen so that I could cite examples.
It's not the market, the customers don't care. They won't stop buying the product because of security issues, it's because of THAT that the price recovers, not because "the market" doesn't understand security
If the customers cared, there would be significant drop in the price of the stock because a vulnerability like this would result in lower sales
Well, some traders are selling on the news, which is what causes the dip. Most investors don't really have a deep technical grasp of the situation and don't fully realize how common software vulns are, don't understand their impact, or don't understand the effort to remediate them.
Idiotic claim with no proof. SiriusXM is a publicly traded company. If they were found responsible for vulnerabilities that lead to stolen cars, the lawsuits and public sentiment ABSOLUTELY would affect their bottom line. Just look at Kia and Hyundai right now.
NO IT WOULD NOT. One business is dependent on their media image to sell cars, one business would rather you forget they exist because they are selling your identity to third parties.
> Nice to see that it was addressed quickly, but it's frightening that such a shoddy system design was accepted by auto manufacturers with seemingly no oversight.
That's thanks to the old tale of "outsourcing what is not a core business". I get it, it's fine when you have the capacity and capability to do oversight - but in most cases, the beancounters eventually decide that this capacity is not needed, and then shit like this happens.
The vulnerability was in a Sirius product. If you’re suggesting auto manufacturers don’t write their own telematics software because it’s not core to their business, then… hallelujah! Can you imagine what kind of crap they’d deliver? If you’re suggesting something else, then I don’t understand.
I have seen companies prepare for a SOC2 compliance audit, and I get the feeling that these companies like vendors because the audit doesn't apply to vendors, so all they really have to do is ask the vendor to pinky swear that the software is safe.
So from what I gathered, they weren't running any validation on the server aside from that the VIN existed and matched a customer's vehicle? No JWT token/cookie validating the logged in user or anything else?
Not just are they using basic http auth, but it is silently ignored by the server. Try it yourself.
They clearly intended to implement authentication on their API endpoints, but didn't finish it, because the client is sending an Authorization header. But I don't know if their servers are even configured to check them. And they should certainly use JWT instead of digest.
The news is going to be saying "Security issue found, elite hackers elitely hacked into SiriusXM" when it should be saying "Sirius did not bother to implement any security at all for their remote management software"
Yup. And I wonder how they fixed it - did they actually find a way to distinguish the owner from the hackers? Does anyone know how the initial pairing with the app works?
I mean the dirt simple way would be to authenticate the user's account, return some JWT/cookie, and then when you make requests to the API, pair that token w/ the VIN. If the VIN doesn't belong to that token (or the token itself is invalid), 403 it.
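The check described in the comment above, written out as an added example (not part of the original thread and not SiriusXM's code): the caller's identity comes only from a verified token, and the VIN must belong to that identity. The signing key, account names, VINs and function names are all constructed for illustration; login itself is not shown.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key, never sent to clients

# Constructed sample data: which account owns which VIN.
OWNERSHIP = {
    "alice": {"TESTVIN0000000001"},
    "bob": {"TESTVIN0000000002"},
}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_token(account_id, ttl=900, now=None):
    """Issue an HS256 JWT once the user has authenticated."""
    now = time.time() if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": account_id, "exp": int(now + ttl)}).encode())
    return f"{header}.{payload}.{b64url_encode(sign(header + '.' + payload))}"


def verify_token(token, now=None):
    """Return the account id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm, never trust the header's choice
            return None
        expected = sign(header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        sub, exp = claims.get("sub"), claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64, bad JSON
    if not isinstance(sub, str) or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return sub


def authorize_vehicle_command(headers, vin, now=None):
    """Return the HTTP status the API should answer with for a command on `vin`."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401  # a missing header is a rejection, not a silent pass
    account = verify_token(token, now)
    if account is None:
        return 401
    # Exact match against the token's subject only; no identity field from the
    # request body is consulted and the VIN is not trimmed or normalized first.
    # Unknown VINs and other people's VINs both get 403, so the answer does not
    # reveal whether a VIN exists.
    if vin not in OWNERSHIP.get(account, set()):
        return 403
    return 200
```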
When someone is believed to have "committed suicide" or "accidentally" left their car running in the garage, is it routine for investigators to audit the manufacturer's remote-start logs? Do those logs even exist?
I don't personally know whether it's possible, but the NYT has reported that every year a couple of people die from leaving a running car in the garage:
If it is possible to do accidentally, then it's also possible to do on purpose.
With that said, I would expect more than 28 false positives in 12 years. Those very low numbers may indicate that - contrary to their reporting - it is not actually possible (barring weird circumstances).
My garage is right below my kids' room so leaving the car on would definitely be dangerous. Most remote starters automatically turn off after 10 minutes so I'd like to think that mitigates that particular threat. Also we have carbon monoxide detectors in every room (after one of my neighbors' HVAC exhaust got blocked by snow after a particularly bad storm).
It's a thing - more accidents these days with hybrid and keyless, so if you get distracted it's not immediately obvious that you've left the car on and the engine might kick in randomly later.
Let's only look at CO2 and disregard the even nastier NO gasses emitted by a gasoline engine. EPA data suggests a car produces 2,345 grams CO2 for every liter of gas. And a modern, but without shut-at-stop, idling car burns about 0.75 l/hour.
So 1758 g/hour CO2 for an idling car in your garage, which is roughly 63 m^3, and CO2 is 44.01 g/mol, so after an hour idling in a closed garage, you'd have 14,440 PPM CO2. That is enough to cause drowsiness in most, and some illness in sensitive populations. The OSHA standard for allowed exposure is 5,000ppm averaged over an 8-hour workday.
My back-of-envelope calculation must have a few mistakes in it (I was multiplying numbers from the internets, ffs), but none as big as the above comment nonsense.
You can still die from carbon dioxide exposure/oxygen inefficiency. It will just take longer, now that carbon monoxide emissions are down because of catalytic converters eliminating a lot of them. And yet, a lot of people still die or get seriously injured, particularly because their "keyless" crap acts up [1].
I agree that carbon dioxide exposure is dangerous, but it is probably less dangerous because (TIL) there's a specific brain mechanism that wakes you up when your blood has elevated CO2[0].
On the other hand, carbon monoxide poisoning will only wake you up if its symptoms (among which headache, nausea/vomiting, elevated heart rate, and cardiac arrest seem likely) do so.
Carbon Monoxide alarms are being required in more and more places, though typically only enforced in situations where you are getting a building inspection (new construction, extensive remodels, etc.) or where it's a rental property.
You can pick one up at the hardware/big box store.
My vehicle is safe, thanks to Ford. Telematics goes over terrestrial phone networks, and when 2g shut down months after the car was made, they replaced the modem with a 3g modem that was already obsolete and now that 3g is shut down, there's no more internet access to the car. Thanks Ford!
I'm not certain - assuming their goals are consistent with other depictions they'll probably come armed with pre-wireless technology spoofing devices and a serial or parallel port so they can actually interact with and take over missile control systems.
Some day we might find an uneasy peace with the machines when we desperately admit we need their advanced technological capabilities to bridge PS/2 to USB-c so we can keep using our clicky IBM Model-M keyboards.
Shhhh, that's how I work on reverse engineering old IoT stuff! SDR, loose admit-all policies, extremely low power, figure out what APNs and info it wants, and start capturing requests from it.
Your comment is insightful and made me realise something I was quite unaware of in India - that allowing your automobile to track, collect and share data has become so mainstreamed in the US / west that it is considered "normal"! I guess I shouldn't be surprised - most people are unaware that Ford (and some others) collect a lot of personal data when you take your car to the service centre (for e.g. they download your contact list and call logs from your car when they run the diagnostic software)
> they download your contact list and call logs from your car when they run the diagnostic software
I'm inclined to believe you because I don't give cars access to my contacts and in general treat in-car software as already-compromised (I see the car manufacturer as more of an adversary than a partner), but do you have a source for this claim?
I remember reading about this a long time ago (5+ years ago I think) - it was Ford doing this and it did cause some mild outrage in the internet. Unfortunately I cannot find that particular article - Google has become shitty for finding old stuffs and possibly Ford PR has scrubbed the internet so that the public can't find it easily (a common practice in the evolving online marketing industry). I've added two sources to my earlier comment that disclose the gist of what I have claimed.
yes, but in their defense, the Internet has become (or has always been) shitty at keeping old stuffs around, so even if Google indexed it the link would be dead or empty by the time you go to look at it. Google used to surface links to their cached copy that they used for indexing more prominently but I hardly ever see them anymore.
We're finally seeing things like guest or hotel login modes for smart tvs/netflix/hulu etc where it wipes your credentials every time you turn the tv off. I wonder why phones don't have a "Connecting to rental" kind of option in their bluetooth configs. Like you I see rental cars with all kinds of crap in the pairing history.
Or car infotainment systems with rental mode would be awesome. Like if every time you pair a phone, the car asks if you want it paired indefinitely, or for N days. User sets N based on rental duration, and the car wipes the data after that.
Granted, it's much better for the phone to not send contacts to a rental car at all, but either solution would be a significant improvement.
This occurs not because the user decided to sync contacts, but because they wanted to play music. And both the auto manufacturer and the phone colluded to sync all contacts.
I bought a used car (2010 Honda) with built in car gps unit. It’s not great but it’s always on. It had all the previous owners address look up history.
How do these cell systems respond to the network no longer existing? Do they continue trying to ping towers that no longer exist? Do they give up eventually and turn themselves off forever?
Probably try forever. The last head unit firmware added a deep sleep so it doesn't drain the battery and polled much less frequently (this was before 3g shut down and made the telematics much less useful anyway). Might have just been parked in an underground garage or driving through tunnels everywhere. I really should pull the fuse though.
When the 2G networks were sunset, Nissan offered a voluntary service campaign for some of their cars with 2G modems: either pay $200 to get a replacement telematics unit with a 3G modem, or they'll disable the 2G modem for free so it doesn't drain your battery trying to connect to a non-existent network 24/7.
But did Nissan disable the "we're collecting data and sending it off to the homeland: OK/Cancel" startup screen? No. So now every time I drive the thing, I have to push a button that does nothing so that I can see the screen.
One of but many little duck bites that has us firmly in the "never buy another Nissan" camp.
On Volkswagens, nag screens like that (and "menu disabled while vehicle is in motion" lockouts, and a million other things) can be tweaked with cheap dongles that let you change settings using your phone or laptop. Maybe there's something similar for Nissan?
Ya know, now that you mention it, there are apparently dongles of some sort (perhaps OBDC? It's been a while...) that give all kinds of extra info, maybe there's something like you mention. It's been a while since I've been over to mynissanleaf.com, perhaps it's time to go pay a visit for a search.
Thanks for the prompting.
EDIT: though it does not look like the tool will disable the nag screen, LeafSpy Pro does a lot of other things Leaf owners might find handy, such as change the backup warning tone, door unlock/lock behavior, et al.
OBD2 / OBDII refers to generic powertrain diagnostics (engine, emissions, etc) for all vehicles. Plenty of dongles for that. But I mean something that emulates the tool a dealership would have for specific makes of vehicle, which goes far beyond just the engine, extending into every module, possibly like what you found. Although usually it would be for a family of makes, not just a family of models.
For VW/Audi/Skoda/Seat the popular ones are VCDS and OBDeleven (the name of the latter being a play on OBDII, confusingly, being that I am trying to differentiate actual OBDII... ugh).
I just imagined the wireless unlock button sequentially stepping through the 16 lock/unlock states for a 4-door vehicle. "The car is locked. 13 quick clicks later, both front doors are unlocked and both back doors are locked."
I went from a Nissan LEAF to a VW ID4. Now I have to press "OK" to confirm a driving profile instead of a legal agreement every time I turn on the car, and my app has even fewer features than NissanConnect EV had. The grass is always greener on the other side, as they say.
My Volvo has had this happen. I have no idea if it still pings anything but the app access has been shut down.
Annoyingly every so often the car gives me a warning that the Volvo service has expired. I’d love to turn that off. But it must still be trying to connect to something.
Yeah, I still get the warning every so often that Ford has access to my GPS for trip tracking... I think if I factory reset the headunit, that'll go away, but then I lose my presets. If I had thought about it, I could have deassociated while the modem was online. :(
My 2016 Mazda was never connected in the first place, but I've left my wife's 2017 Volt connected because I do actually find the monthly OnStar report that's emailed to me to be useful. I also like notifications of low-tire pressure, engine-oil life, etc.
Though my wife and I just celebrated 26 years of marriage and have open lines of communication, her telling me anything about the car she's driving is very hit or miss. So the monthly email is helpful. :-)
Sometimes the person driving the car does not (want to?) pay attention or has "ceded responsibility" for car maintenance, and it's nice to get these reports without needing to periodically remember to check the car manually.
Unless a tire is punctured, it only loses air slowly over time, but not enough you'd really notice looking at them, but still enough that it's bad for tire wear. It's a nice reminder to me I need to add air to the tires.
The car's dashboard display also shows the tire pressures, but:
a) My wife, for whatever reason, seems blind to anything the car shows her on the dashboard. :-(
b) She'd have to put the dashboard to the screen which shows tire pressure. The TPMS doesn't alert till pressure is quite low. They are supposed to be 36 PSI. The TPMS won't alert till they are below 25 PSI or some such.
I have also had your experience, but my resolution was just to swap cars for a day every couple weeks. The threshold on her car was higher though, I believe 29 (same ~35-36 normal range), so if they dropped she'd at least be alerted sooner if I didn't see it.
Low gas should come in a monthly report you can pick it up on your way walking your empty car home. Or a door is open report that you can receive as you lay on the side of the road.
There's some kind of corollary to Zawinski's Law of Software Envelopment: device developers are incentivized to "innovate" their product to the point it can send email.
Yeah, There's an upgrade available, but it costs money (even when they were offering to pay the labor for some people), and the functionality isn't worth it for me, especially once they changed the power tradeoff and the car doesn't get the messages in a reasonable amount of time. It's nice that it doesn't kill the battery, and I understand the tradeoff, but if I don't know how many hours it will take for internet based remote unlocking to get to the car, it's not useful.
It's mind blowing that removing a single k/v in an http post would lead to unlock any cars... wtf seriously. Like how can you not test that, the POST to fetch token should be bulletproof.
Your Leaf is too new. We've got an OG Leaf (2011) that had the old GPRS radio. When AT&T dropped that, Nissan generously offered a more modern cell radio for something like $300. Or they would take out the radio for free. Given the utter uselessness of Nissan's "remote" platform[0], guess which option we went for?
But it's right behind the glove box, and unless the design has changed (it has been eleven years), a couple of screws should get you in the neighborhood of the antenna.
[0] Seriously, what a slow-ass piece of shit. It was literally faster to walk out to the garage and turn the heat on than it was to do it through the app. And that assumes that Nissan's server could see its way clear to turn the heat on at all, which it frequently didn't.
Awesome, maybe this can work better than the provided app for my Leaf. The car never responds to remote commands to start the heater etc, no matter what the app says.
Manufacturers for even allowing that to exist (why the fuck telemetry app made by company making radio channels would have permissions to unlock the car in the first place) and company for woeful errors in security and data protection.
Because that "radio channels" company already has expensive infrastructure in place to transmit to cars in most of North America, and established relationships with car manufacturers, and thus is already integrated into their supply chain.
SiriusXM is a company that does a lot more than just "making radio channels." This is an egregious security issue, but SXM offering the service makes sense. They also offer an aviation weather service.
When you look at the physical layer it's just a 1.5 mbit data stream carrying whatever you want, pointed at most of North America. Over time some of that bandwidth was carved out for data services at the expense of audio quality.
i’m aware that on this case there was something even dumber, an unsecured api endpoint, but as far as i know, if you’ve managed to reach the system you can do anything with any other connected device. there should not be a way to be able to do whatever you want just because you have access to the network.
I recall reading that some cars are now using TCP/IP for connecting some of their systems. A _super_ quick search on this topic yields some results speaking to this [0].
I think this must have been buried in years old docs and layers of design that nobody understands what's going on under the hood.
I wouldn't blame either parties, I suppose the process can be improved but it's very subjective. There'll be a new missing piece tomorrow and you'll have to "improve" the process again.
I think this is simply a side effect of fast moving software design. Things will settle down in a couple of decades when the AI lord takes over.
I had a manual Acura Integra when I was younger and I installed a remote start on it because shops refused to (because it's dangerous af).
Anyways, the clutch pedal simply presses a little button when it is all the way up. All I had to do is bridge the two wires going into that button and it would start without the clutch pressed.
Amazingly I only ever tried to remote start it while in gear once. It retries 3 times so it jumped forward 3 times. About a foot each time, but didn't hit anything thankfully.
I always wanted to add a sensor to the shifter so it'd only bypass the clutch sensor when in neutral, but I never got around to doing it.
this sounds useful since i often forget where i parked. i could remote flash and honk all hondas in the parking lot when i go christmas shopping. then the one not flashing is my car.
or when the guy 3 cars ahead on his phone doesn’t move when the light changes, i can honk the car in back of him.
This is super interesting, but why are people posting this kind of thing to tweet streams? Twitter is just absolute shit for trying to document this kind of research, IMO.
"Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. They're too common to be interesting."
This exact complaint about Twitter formats has appeared hundreds of times over several years, and is the #1 reason we added this guideline. Note: the guideline acknowledges that these annoyances are annoying. It just says we need to focus on the interesting, specific bits of a story.
I think the difference is that Mastodon doesn't make the format one of their defining characteristics. And maybe eventually everyone will eventually see that a longer format post is an option, and that it makes sense for certain content. And Automattic will register macrotweets.com and make it a redirect to wordpress and everything will go full circle.
They could tweet with a link to a blog post for the details. I guess some followers would still be too lazy to follow the link, but that’s not a valid argument anymore IMO.
There are so many reasons to do it this way. You reach a huge audience. You don't have to host your own assets. If your post is popular, it won't get DDoSed off the air. Search engines will index it immediately. Etc. People get many benefits from posting this way.
You would reach the same huge audience by putting in a summary and link to a website with the detailed info.
> If your post is popular, it won't get DDoSed off the air
So someone who is capable enough (or a team) to pull off and uncover this exploit can't be troubled to run a website (server whatever) that can handle ddos or traffic?
Yes, that's right. They have more important things to do than worry about hosting a website. They rightly use third party applications to disseminate information.
Yeah, I don't personally think twitter is the best place either, but it's unambiguously easier to type a few sentences and click "post" than it is to make a webpage of any kind.
I'll just address your last point, which I think is actually fairly important to think about. It's easy to assume that other people have the same knowledge/skillset as you do, or to think that things that are trivial for you are similarly easy for others.
This is simply not the case, and it's important to try to put yourself in others' shoes. (As an aside - this is what I think leads to the best products.)
I've met many programmers who are absolutely brilliant in their field who do not know, nor care to learn, how to stand up even the most simple website.
Is twitter the best place for long form articles? Probably not. But as the original commenter pointed out, there are many benefits to it as well.
One downside to using Twitter is it's not possible to know if the posts are authentic. Other platforms have similar problems but ideally this content would be posted on user's (and governments and so on) own sites and then linked to from sites like Twitter.
Fully agree.. 9/10 for the research, but 1/10 for the lazy presentation. People are saying "It's easier to go viral", oh please, is everyone that pathetic, chasing after their 5 minutes of Internet fame?
I remember seeing several videos of people trying to steal cars, only to find out it's a manual and have to retreat. The best was a pair of criminals who robbed a store, got the manager's keys, loaded up the car and then after several attempts of leaving with the loot (popping the clutch to hilarious effect) and realizing they couldn't drive a manual, just got out of the car and took off on foot empty handed.
This must be a generational thing. As soon as I was old enough to drive, I was taught how to drive a manual first.
I don't get why people think driving a manual gearbox is such a mystery - it's not much different to automatic driving. I've never met anyone who wasn't able to do it well enough.
There's really no magic to it - there's an extra pedal you depress when changing gear, and you bring up to re-engage the engine. Anyone can figure it out when presented with the pedal and the gear lever. People with no education do it all around the world every day - I'm sure an American can figure it out.
I doubt that. Most people in the US getting into a car with a third pedal and a stick shift would just not have any idea what to do. The more enterprising would think, ok, I guess I need to put it in first gear. So they try to move the shifter, and they can't move it. Assuming they don't break anything, maybe they figure out they need to press the clutch pedal. So they shift, and release the clutch pedal, and the car stalls.
Many people would just give up right there.
Those who don't, might get that they need to release the clutch slowly. So they try that, but maybe it still stalls (maybe they're on a slight incline, and the car won't move without giving it a little gas).
Let's say they do manage to get the car moving. I expect that further shifting will be incredibly rough, and there will be a lot more stalling. And that's basically the best scenario. I don't think most Americans would get anywhere near this far.
As an American who learned how to drive manual by accident in the Netherlands, but who already understood the basic mechanics of it, it was still very difficult. It took me over a half hour to get out of the parking lot, and then I stalled quite often in embarrassing ways over the next day or so (including on the highway during stop-and-go traffic, where I rolled back into the front of a box truck behind me). By the time I returned the rental car, I'd more or less figured it out, but I also had the benefit of my dad owning a manual car when I was young (though Mom made him get a car she could drive too by the time I was 8 years old or so). But someone who'd never even thought about a manual transmission before? Like, most Americans? Not a chance. (I did end up buying a manual car back at home, a few months later, when my existing car died. Drove it for 15 years until I finally had to get rid of it earlier this year.)
Remember, we're talking about a hypothetical car thief here who hops into a car, gets it started, and then notices it's not an automatic. We're not talking about someone who has actively decided to teach themselves how to drive manual, and rents or borrows a manual car for that purpose.
> I doubt that. Most people in the US getting into a car with a third pedal and a stick shift would just not have any idea what to do. The more enterprising would think, ok, I guess I need to put it in first gear. So they try to move the shifter, and they can't move it. Assuming they don't break anything, maybe they figure out they need to press the clutch pedal. So they shift, and release the clutch pedal, and the car stalls.
In what scenario would they go right into driving a manual car without prior instruction, looking up some instructions online, or someone knowledgeable explaining it to them for like 10-15 minutes?
Dunno, one is able to find automatic rentals all over the world - and if not that, one can certainly find ahead of pick-up time that the car is going to be manual...
Based on your comments, it seems you really can't empathize with others who cannot drive a stick for some reason. It's not obvious; it requires coordination and timing. Unless you know what to do, you will stop your car, over/under-rev the engine, slide back on a steep road.
I taught many people how to drive and it was always a challenge with manual. Anyone cannot figure out without any verbal or written instructions.
People do drive a stick with education, whether it's a formal driver's license course/exam, or someone is teaching them. An American usually does not need to learn a manual because almost no one uses a manual. But in some other parts of the world, automatic transmission can be a considerable cost item. Some countries have even started to have automatic-only driver's licenses.
> no education do it all around the world every day
I taught myself to drive stick on a rental car. It was probably extremely obvious to other cars that I had no idea what I was doing. Grinding gears, over-revving the engine especially in reverse, and stalling at every full stop. That would catch any cop's eyes. But to your point, after 3-4 hours I got the hang of it and was no longer attracting attention.
But to parent's point: A thief who doesn't drive stick is almost certainly going to prefer stealing an automatic.
I had ridden in manuals as a passenger. I watched some youtubes and understood the general principle, but it was sink-or-swim learning. Pretty unsafe to be honest, but this was in a pretty remote area, and the car was a very forgiving Japanese micro-SUV.
I understand, I drive one, and I have taught nearly a dozen others.
If you put someone behind the wheel of a manual transmission vehicle and don't give them any pointers, they will turn the key and complain that the vehicle doesn't start... even if they understand the general idea of a manual transmission. Muscle memory is a powerful thing. (In the US clutch interlocks are universal)
It is highly unlikely that someone with no prior experience with a manual will successfully pull off a time sensitive and high pressure task like a car theft. They will steal another car instead.
In US. Our 2005 CR-V has a clutch-starter interlock. None of my other (older) five manual cars have/had them. It does not appear to be a federal motor vehicle standard requirement*. On some cars which are factory-equipped, there are instructions on how to defeat the system (typically for off-road/trail riding).
This is like comparing a microwave meal to one cooked from scratch on a stove. Yes, anyone can do it. No, experience with the automatic version does not meaningfully translate to the manual one.
You just turn the ignition. You may have to push the clutch in for some cars, just like you have to push the brake in for some automatic cars. Manual cars aren't as different as you think they are.
If you put someone who has developed their muscle memory driving automatic transmission vehicles behind the wheel of a manual transmission car, they will press the brake and turn the key.
Successfully starting a manual transmission vehicle has two prerequisites:
* knowing that you have to press the clutch in
* identifying the clutch
People without this knowledge lack these prerequisites.
It's possible that the person you were replying to is making a joke playing on the general lack of familiarity with manual transmissions in the US, as opposed to making a statement of literal fact that manual transmission cars are hard to steal.
I now only own automatics as of last month but before then I'd never lock my doors for my manual sports cars when around town. No one messed with it or tried to steal it. It was pretty great.