It would be wonderful if there were less traffic accidents and auto deaths, so can you imagine a world where your dashboard suddenly flashes with the Warning Do Not Pass? This sort of safety warning is happening right now with the development of Digital Short Range Communications (DSRC), cars receiving data from other vehicles within 1,247 feet, or 380 meters, to warn of hazards unseen by the driver. Yet connected vehicles talking to each other and to the infrastructure could also create new types of tracking and privacy invasions such as your car transmitting your speed and landing you a speeding ticket.
Privacy and the Car of the Future: Considerations for the connected vehicle [PDF] was presented at the 29th Chaos Communication Congress (29C3) in Hamburg, Germany by Christie Dudley. She wrote, “I was contracted to do a privacy audit in July to identify aspects of the technology that would pose threats to users' privacy, as well as offering summaries of methods to partially or completely compromise the system. For this program to be successful, it must be accepted by the public since the benefits are derived from others' broadcasts.”
About 2,800 vehicles are talking to each other in the U.S. Department of Transportation's Connected Vehicle Safety Pilot in Ann Arbor, Mich. These cars wirelessly send signals to each other, “warning their drivers of potential dangers such as stopped traffic or cars that might be blowing through a red light. They can even get traffic lights to turn green if no cars are coming the other way.” The US DOT will decide later this year if DSRC should be required for all new cars. The German government is considering investing in this messaging technology so it could be built into infrastructure.
DSRC sends out a "basic safety messages” every 10 seconds. It uses IEEE 802.11p and 5.9GHZ in US and Europe. Dudley stressed that the protocol is not like OnStar or CAN bus—it can’t shut the car down or help to break in. In fact, she said CAN bus (controller area network), where all current auto sensors now connect, is considered so insecure that it is “untrusted by auto manufacturers,” and “all data from that bus is suspect.”
Instead, DSRC will be similar to Slotted Aloha and would be a totally independent control unit with its own GPS, inertia sensors, and interfaces that are not related to CAN bus.
Dudley explained that the packets transmitted would include a basic safety message with 50 fixed data elements such all four brakes, GPS time-sync, speed, path history, and path prediction. These messages must be considered trustworthy, so that is where certificates come into play. The certificates must be used for only a limited time, or else they could be abused and allow for tracking. The Certificate Authority is never supposed to interact with the device it is issuing the certificate for. Malfunctioning equipment would have its certificate revoked and its fingerprint blacklisted. If the system doesn’t invalidate itself after internal sensor checks fail, then the entire unit must be replaced. Cost is high for that which is why they hope that revoked certificates and blacklisting works.
Although the hardware is ready to ship, the software is not done. No one is quite sure yet how to load the certificates, or if a certificate would track coming and going for an entire trip, or only one way. Also what if innocent people were accidentally blacklisted? There have been discussions for certificate delivery to be loaded via cellular or wifi – but both would allow people’s vehicles to be tracked . . . something that nobody wants. There has also been talk of using a separate SIM for this system, not the one in your personal mobile phone. There is a MAC layer which is unrouteable and is good for privacy. However if there is ever any algorithm to make the network routeable, it will also make vehicles trackable.
Before President Obama mandated black boxes in vehicles, we looked at your car’s black box is spying on you. For this new tech, much like mandated tire pressure sensors, manufacturers are willing to add it to cars, since the cost can be passed on to consumers. Yet there have been concerns of geo-targeted advertising – forcing ads into someone’s car based on their location. Dudley said it has been discussed as a way to fund this technology. Other potential privacy pitfalls include manufacturers using the system for commercial applications and data brokers tapping into the system if it were integrated into infrastructure.
One of the most worrisome privacy concerns deals with law enforcement, since you would be broadcasting your speed. Dudley asked, what could the cops do with this? Issue tickets based on your car telling the cops you are speeding? Correlate location and speed to independent identification such as cameras or automated license plate readers (ALPRs) like the ACLU has warned the DEA uses to track us? Hackers would disable it in an instant, the first time such an unwelcome surprise speeding ticket comes in the mail.
What can hackers do? Hack the radio and the protocols. While Dudley didn’t go into it in depth, she pointed interested parties toward searching for manufacturers. There were eight device manufacturers that each produced five “Here I Am” units for US DOT Safety Pilot qualification testing.
The time to make changes that would better protect privacy is now, before this emerging technology is fully implemented.
Below is the 29C3 Privacy and the Car of the Future video presentation:
Images used with permission from Christie Dudley's Privacy and the Car of the Future presentation [PDF].