Privacy And Security In The Age Of Connected Vehicles

Art Dahnert, Managing Consultant - Software Integrity Group, Synopsys Inc.Art Dahnert is an industry professional with decades of experience in security domain. His core expertise lies in developing anti-malware technologies, teaching secure software development classes, and delivering leading edge security analysis tools.

Today's modern vehicles have come a long way since the birth of the modern car in 1886. The automotive industry has gone through many innovations, from engines, chassis, gearshift, to modern amenities such as cup holders and the ubiquitous GPS (global positioning system). More than just a mode of transport, modern vehicles today have embedded sensors that can navigate your route for you, but also may have technologies that may track your movements, and possibly record what you say and do in the vehicles.

From GPS to Cellular
There are many sensors that can be used for location identification. There are sensors for the navigation system which may typically include the common GPS and specialty cameras to capture road signs. There are also vehicles fitted with various cellular modems (LTE/3G) to provide communication to and from the vehicle for the convenience of the passengers, and to aid first responders in the event of a crash. For some more sophisticated vehicles there may be sensors that can detect position to the road or highway, to provide features such as blind spot warning, lane centering, and advanced cruise control.

All of these technologies are available to an OEM (original equipment manufacturer) and offered to their customers in today's vehicles. By themselves, these innovations are benign. However, should such features be more tightly integrated for even more precise vehicle positioning, there may be possibilities that such features can be exploited by external bad actors.

For example, the navigation systems in a vehicle can provide the current
GPS location down to the meter. Couple this with information from the speedometer and the cruise control system (if available), it is possible to accurately determine the exact location of a vehicle on a road in real time. And if a cellular communications module and network (such as an LTE/3G modem) are available and then subsequently exploited, bad actors can potentially spy on the driver or passengers in such a moving vehicle.

Empower or Risk - the “ One Ring to Rule them All”?
Already, such technologies are increasingly embedded in modern vehicles, including newer electric or always connected vehicles. With a cellular modem, data from the vehicle can be easily sent to any corner of the world through the cloud, and vice versa (which may have other nefarious implications).

Technologies are increasingly embedded in modern vehicles, including newer electric or always connected vehicles

This information can be collected and tracked either in real time or across previous time periods, if desired. And since each vehicle is unique with a Vehicle Identification Number (VIN) and other unique network markers, an individual vehicle may potentially be identified and tracked, isolated from the millions of other vehicles on the road.

Many vehicles also come equipped with an internal microphone for “hands free” phone calls and some may even feature internal cameras to determine if the driver is awake or distracted, making it possible to visually identify if a specific person is in fact driving a vehicle.

Vehicle manufacturers and downstream vendors have had personal identifying information about their customers for a long time now. They have details such as your address, other demographic information such as your family size and economic details (since many people purchase vehicles on bank financing). This information is often stored in a database controlled by these companies.

It takes mere steps to integrate this information with the real time vehicle status, which is what some OEMs have done. It is quite easy to fathom how this can be done by simply updating some embedded software in the vehicle to unite all the embedded sensors and technologies together, much like the “one ring to rule them all” in J.R.R. Tolkien's epic fiction “Lord of the Rings”.

Does Privacy Matter to YOU?
This is a real problem if you are concerned about privacy, since it is possible for a corporation to know where you are at any point in time. Currently, there are no controls in place from a regulatory or legislative view for this type of location resolution and tracking. It is easy to imagine the damage to individuals or groups of individuals if this system was abused, either by a malicious employee or through some type of remote attack by bad actors. This scenario is ever more pressing, as vehicle manufacturers are gearing up for autonomous (self driving) vehicles, which would mandate the need for real time access to a vehicle's location in order for autonomy and safety to work in tandem. What then?