1. Privacy and the Car of the Future
Considerations for the coming connected vehicle
2. whoami
• BSEE, digital communications
• Many years as a network engineer
• Santa Clara University Law student
• Research assistant providing technical expertise on privacy audits and reviews
• Contracted by auto consortium to review privacy of proposed vehicle to vehicle safety network
3. Standard Disclaimer
IANAL (Yet)
But if you know anyone looking for summer interns....
4. Non-Standard Disclaimer
A current NDA covers some of my work here (but not very much).
The focus will be on published information and standards.
5. What is This Project?
• DSRC: Dedicated Short Range Communications
• (Where “short” == 380m)
• Vehicle to Vehicle
• Vehicle to infrastructure in Europe
- Not having to wait for a light on an empty street again.
- Better traffic planning for better cities and roadways.
6. Why is It Being Developed?
Safety
Photo Credit: Jason Edward Scott Bain
7. Non-trivial Impact on Auto Deaths
• World Health Organization estimates 25% of vehicle deaths each year can be prevented.
• Fatigue and distracted driving accidents reduced.
• Blind corners, fog and limited visibility accidents reduced.
Photo: Public Domain
9. How Soon?
• Hardware is already being shipped.
• Software issues still entirely in the air
• More is being done in software these days.
• The US Dept. of Transportation is considering mandating this for all new cars. (Decision to come later this year.)
• Has already been deployed in trucks in Europe
10. What is DSRC?
• Basic safety messages sent out every 1/10 second.
• All messages carry a standard glob: values for pre-defined vehicle trajectory and operational data.
• Cars process data and warn driver.
• Equipment integrated into vehicle
Photo Credit: US Dept. of Transportation
12. What DSRC is not
• CANbus
• OnStar (or any other remote service)
• (Direct) support for autonomous driving mechanisms.
Photo Credit: US Dept. of Transportation
14. Radio protocol
• 5.9GHz reserved in US and Europe
• Signaling standard: IEEE 802.11p / 1609.4 / 1609.3
• Channels reserved for specific functions
• No source address for vehicles defined by protocol
• Recommendations include using certificates
• Privacy challenges at each layer
Photo Credit: NASA
15. Basic Safety Message
• Standard: SAE J2735
• ~50 fixed data elements
• “only” interface to radio (on this band)
16. Parameters for effectiveness
• Density
- Benefit derived from other vehicles’ use
- Greater usage means greater effectiveness
• Confidence
- Most messages must be trustworthy
- People must trust information broadcast
17. Validity?
• All messages are cryptographically signed
• Signing certificates issued by central authority
• Issued based on system fingerprint
• Revocation for “malfunctioning” equipment
• System should invalidate itself if internal checks fail
Image source: US Dept. of Transportation
18. Certificates
• Limited time use to prevent tracking
- Reused?
• Periodically refreshed (and malefactors reported)
- How often?
• Permanent blacklist
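Slides 17 and 18 list what a receiver has to check before it trusts a basic safety message: a signature, a certificate with a limited lifetime, and a permanent blacklist for revoked units. The following is an added example (not code from the talk and not from any DSRC or IEEE 1609 implementation) of that receiver-side check order. The certificate layout, the unit fingerprint value, the five-minute lifetime and the sample message are all constructed for the example; the signature is an HMAC-SHA256 stand-in so the block runs on the standard library alone (the real system uses asymmetric signatures, so a receiver never holds a signing secret).

```python
"""Receiver-side checks on a DSRC-style basic safety message (BSM).

Added example; not code from the talk or from any DSRC / IEEE 1609 stack.
Assumptions (constructed for the example): a certificate is a dict holding the
temporary id it authorises, the fingerprint of the unit it was issued to, a
validity window and a key; the revocation list is a set of unit fingerprints;
the signature is an HMAC-SHA256 stand-in for the asymmetric signature a real
deployment would use.
"""
import hashlib
import hmac
import json

BSM_PERIOD_S = 0.1   # a BSM goes out every 1/10 second
MAX_AGE_S = 1.0      # drop anything older than ten message periods
CLOCK_SLACK_S = 0.2  # tolerate a little clock skew on "future" timestamps


def canonical(bsm):
    """Deterministic byte encoding so sender and receiver sign the same bytes."""
    return json.dumps(bsm, sort_keys=True, separators=(",", ":")).encode()


def sign_bsm(bsm, key):
    return hmac.new(key, canonical(bsm), hashlib.sha256).hexdigest()


def validate_bsm(bsm, sig, cert, crl, now):
    """Return "ok" or the first reason the receiver must discard the message."""
    # 1. Limited-lifetime certificate: outside its window it authorises nothing.
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "certificate outside validity window"
    # 2. Permanent blacklist keyed on the unit fingerprint, not the temporary id.
    if cert["unit_fingerprint"] in crl:
        return "unit revoked"
    # 3. The message may only use the temporary id this certificate covers.
    if bsm["temp_id"] != cert["temp_id"]:
        return "temporary id does not match certificate"
    # 4. Freshness: a replayed or far-future trajectory is useless for a warning.
    if not now - MAX_AGE_S <= bsm["time"] <= now + CLOCK_SLACK_S:
        return "stale or future-dated message"
    # 5. Only now pay for the signature check.
    if not hmac.compare_digest(sign_bsm(bsm, cert["key"]), sig):
        return "bad signature"
    return "ok"


def demo():
    """Run the checks over constructed sample data; returns the outcome per scenario."""
    cert = {
        "temp_id": "7f3a91c2",
        "unit_fingerprint": "unit-fp-0001",   # constructed placeholder
        "not_before": 1000.0,
        "not_after": 1300.0,                  # five-minute pseudonym lifetime (assumed)
        "key": b"constructed-demo-key",
    }
    bsm = {"temp_id": "7f3a91c2", "time": 1200.0, "lat": 37.3496, "lon": -121.9390,
           "speed_mps": 13.4, "heading_deg": 90.0}   # constructed sample message
    sig = sign_bsm(bsm, cert["key"])
    tampered = dict(bsm, speed_mps=30.0)      # altered in flight, old signature
    return {
        "good": validate_bsm(bsm, sig, cert, set(), 1200.0),
        "revoked": validate_bsm(bsm, sig, cert, {"unit-fp-0001"}, 1200.0),
        "expired_cert": validate_bsm(bsm, sig, cert, set(), 1400.0),
        "replayed": validate_bsm(bsm, sig, cert, set(), 1260.0),
        "tampered": validate_bsm(tampered, sig, cert, set(), 1200.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>12}: {result}")
```

The order matters: the cheap lifetime and blacklist lookups run first, the freshness window keeps replayed messages from ever reaching the signature check, and the blacklist is keyed on the unit fingerprint rather than the temporary id, which is why a revoked unit cannot recover by simply picking up a fresh certificate.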
20. MAC Layer
• Changeable source (for vehicles) / no destination
• Unrouteable! (mostly)
• No significant privacy concern as is.
• Any algorithm to make the network routeable will make vehicles trackable.
21. BSM
• “Temporary” ID could become persistent with bad app
• Open source apps suggested for processing and acting on message data
• Is this the only thing the unit will transmit?
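Slides 20 and 21 make two linked claims: a rotating, short-lived temporary id limits how far a listener can follow one car, and any persistent field added to make the network routeable (or an app that keeps the "temporary" id) hands that track back. The following is an added example (not code from the talk or from any DSRC implementation) that measures this on constructed data: three vehicles broadcast a message every 1/10 second while driving straight, and a passive listener links messages by one field only and reports the longest stretch of road a single value of that field covers. The speeds, the five-second rotation period and the `route_addr` field name are assumptions made for the example.

```python
"""Linkability of BSM streams: persistent vs. rotating temporary id, and a
persistent routing address layered on top of rotation.

Added example; not code from the talk or from any DSRC implementation.
Three vehicles each broadcast a message every 0.1 s while driving straight
at constructed speeds. A passive listener links messages only by the value
of one field and reports the longest stretch of road a single value covers.
Rotation period, speeds and field names are assumptions for this example.
"""
import random

BSM_PERIOD_S = 0.1                 # one basic safety message every 1/10 second
SPEEDS_MPS = (13.4, 20.1, 27.0)    # constructed: roughly 30, 45 and 60 mph


def bsm_stream(speed_mps, seconds, rotate_every_s, route_addr, rng):
    """Yield one vehicle's messages. rotate_every_s=None models a "bad app"
    that never changes the temporary id; route_addr is an optional extra
    field a routing scheme would add (None while the network stays unroutable)."""
    temp_id = rng.getrandbits(32)
    rotate_n = None if rotate_every_s is None else int(rotate_every_s / BSM_PERIOD_S)
    for i in range(int(seconds / BSM_PERIOD_S)):
        if rotate_n and i and i % rotate_n == 0:
            temp_id = rng.getrandbits(32)          # fresh pseudonym
        yield {
            "temp_id": temp_id,
            "route_addr": route_addr,
            "t_s": i * BSM_PERIOD_S,
            "x_cm": round(i * speed_mps * 10),     # position along the road, in cm
        }


def longest_linkable_track_m(messages, link_key):
    """Passive observer that ties messages together purely by link_key.
    Returns the longest distance (metres) any single value of that field spans."""
    span = {}
    for m in messages:
        k = m[link_key]
        if k is None:
            continue
        lo, hi = span.get(k, (m["x_cm"], m["x_cm"]))
        span[k] = (min(lo, m["x_cm"]), max(hi, m["x_cm"]))
    return max((hi - lo for lo, hi in span.values()), default=0) / 100


def simulate(rotate_every_s, routable, seconds=60.0, seed=7):
    """Mix the three vehicles' streams and measure linkability on both fields."""
    rng = random.Random(seed)
    msgs = []
    for n, speed in enumerate(SPEEDS_MPS):
        route_addr = f"veh-{n}" if routable else None   # constructed address
        msgs.extend(bsm_stream(speed, seconds, rotate_every_s, route_addr, rng))
    return {
        "by_temp_id": longest_linkable_track_m(msgs, "temp_id"),
        "by_route_addr": longest_linkable_track_m(msgs, "route_addr"),
    }


if __name__ == "__main__":
    print("persistent id:      ", simulate(None, routable=False))
    print("rotate every 5 s:   ", simulate(5.0, routable=False))
    print("rotate + routable:  ", simulate(5.0, routable=True))
```

With the id held constant the listener follows the fastest car for the whole minute (about 1.6 km); rotating every five seconds caps any one id at roughly 130 m, which is the bound the certificate lifetime buys. Adding a persistent routing address restores the full track even though the temporary id still rotates, which is the tension slide 20 describes between routeability and trackability.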
23. Fingerprints
• “No” correspondence between fingerprint and car
• “Hard coded” into device
• If revoked, entire unit must be replaced to function
Photo Credit: NIST
24. Certificate Delivery
• Haven’t figured out how certificates are delivered to vehicle
• Proposals include cellular, wifi, infrastructure links
• So many opportunities for failure
25. Worrisome Noise
• Manufacturers want to use this system for commercial apps
• Advertising and other “funding” schemes to pay for CA
• Fixed infrastructure potentially operated by data brokers
26. Problem: Law Enforcement
• What can they do with this?
• Correlate location, speed to independent identification? (cameras?)
Photo Credit: Alex E. Proimos
27. What you Can Do
• Hack the radios
- Commercially available now
• Hack the protocols
• Become politically engaged
- Most decisions are not being made by elected officials
• Help find a way to fund the infrastructure without selling out!
29. Acknowledgements
• Professor Dorothy Glancy, who requested my help on this project
• DC 650 (especially Charles Blas) who gave me a reality check with current security and privacy capabilities
Speaker notes

Current law student. Privacy professor needed help.

Should not matter. But I’m working on that whole “lawyer” thing.

Little information needed to complete the audit. Can talk about most published standards.

DSRC is a series of protocols. Has changed over the years of development. Black Hat talk: protocols are no longer relevant.

Collision early warning system: prevent accidents, save lives. NHTSA “distracted” 2009 (US) stats: almost 5,000 deaths, est. 448,000 injuries. Not including other inattention involving physical/emotional state of driver.

Good work; want it to happen. Anecdote: driving in pouring rain, too afraid to slow down, too afraid not to.

Large scale testing in Ann Arbor, Michigan started last August. Auto makers have already invested heavily in this technology. A few startups here in Silicon Valley to implement this.

American government won’t spend money on infrastructure. May be related to the recent US “black box” mandate. Trucks have no privacy concerns as they are commercial vehicles.

A system of protocols. Not like ASN.1: not data pairs, but a map of data.

Design claimed as a “sealed” system, with sensor integrity and accuracy checks.

Automakers’ lesson from CANbus: insecurity caused no real problems. No new tech to mech tech: needs human intervention. “Sealed” sensor system with integrity checks.

HOW it works.

Japan doesn’t have the same spectrum available. ETSI and FCC approved operating parameters (biggest difference: US allows more power, 33 vs 44.7 dBm).

Minimum requirement for system. Additional protocols considered in Europe. Illustrates general and some specific fields; data = whatever’s useful in avoiding collisions.

More use = more effective. People must trust the system: not just what is received, but what is sent about them. Privacy is important or people will disable it. Technological trust is better than laws.

Signature and certificate management: on radio. Sensor validation (beyond scope here).

Still not nailed down. Ann Arbor test: came pre-loaded.

This is where we start talking about the FUD.

Already pressure for other apps that need routing. Tension between routing and identifiability.

F/OSS apps kind of neat. Closer to autonomy... Fun: someone in blind spot: “I wouldn’t do that, Dave.” Give your vehicle too much power? This is too neat a toy to not use for other things.

Permanent blacklist? May not be a problem as on the internet: must replace entire blacklisted unit.

Another problem for anonymity. Many schemes to deal with this. Current solution is “no paper trail.” We already have a certain mistrust of CAs.

IEEE 1609 family beyond scope; won’t work, raises many more privacy concerns. By the way, 9 data brokers took the 5th before Congress in 2006 when asked to reveal the sources of their data.

Tracking, ticketing, whatever else they may want to do.