Posted by Taylor Armerding on Thursday, April 11th, 2019
The world is clamoring for connected vehicles, even with their persistent cyber security and privacy issues. What does the future of V2X have in store?
The original version of this post was published in Forbes.
Connected vehicles are mainstream. They are prime time. But they are not really ready, in more ways than one.
That is a generally accepted reality when it comes to security, which was confirmed again at this week’s RSA Conference in San Francisco.
There is plenty of evidence—a continuous stream of stories about how the computers and sensors used to control most of the functions of today’s modern cars have software vulnerabilities that can be hacked and exploited to cause anything from relatively harmless mischief to physical injury or death.
As Ed Adams, CEO of Security Innovation, put it during a presentation on the topic at RSA, “Cars are part of the IoT [Internet of Things] already.” He said a friend from the automotive industry joked that “the only reason we put wheels on them is to keep the computers from dragging on the ground.”
Indeed, the amount of computer control in vehicles is staggering. Adams said a Dreamliner jet has about 6.5 million lines of code, while a Ford pickup has about 130 million. That truck also has about 100 different chips, more than two miles of cable and 10 operating systems.
And as a recent report sponsored by Synopsys and conducted by the Ponemon Institute titled Securing the Connected Car: A Study of Automotive Industry Cybersecurity Practices found, software security is not keeping up with the technology of the automotive industry.
According to the report, 63% of respondents from the industry said they test less than half of their hardware, software and other technologies for vulnerabilities. Only 10% have an established cyber security team.
Larry Ponemon, founder of the Ponemon Institute, who was scheduled to be part of the presentation but couldn’t attend because he was ill, did participate via video. He noted, referring to findings in the Synopsys report, that the hacker threat is not slowing. “It is better and stealthier,” he said. “The fear is that it [the cyber threat] could cause massive damage. These things aren’t sci-fi either—they are real issues.”
The prime time problem also exists with privacy. Vehicle-to-vehicle (V2V) communication technology, now increasingly being called V2X (vehicle to multiple other things like traffic infrastructure), is starting to be installed in some brands, with more to follow.
The goal is laudable—to protect connected vehicles from collisions caused by everything from driver error to malfunctioning signals, potholes and other drivers who might be “impaired.”
Adams said that in 2017 the federal Department of Transportation (DoT) mandated a move to V2X by 2020 (although the Trump administration has put the mandate on hold) because of carnage on the roads, particularly among younger drivers.
Traffic fatalities are the leading cause of death in the 15- to 34-year-old age group, he said, adding that there are more than 40,000 road deaths in the U.S. per year and 4.6 million injuries, costing more than $300 billion.
V2X, he said, “brings a lot of positive benefits and features.”
But multiple privacy advocates contend that the data collection necessary to make that possible will inevitably also become another component of the surveillance state.
That view is not unanimous—some privacy advocates say the DoT and the National Highway Transportation and Safety Administration (NHTSA) have made significant efforts to build privacy into the data collection for V2X.
It works through a wireless protocol called Dedicated Short-Range Communication (DSRC) that now extends to 300 meters but reportedly is being extended to 500 meters, which connected vehicles would communicate with other vehicles and traffic infrastructure.
The DoT is “trying to make us safer,” Adams said, adding that the development of DSRC included provisions to ensure that data collected to make that safety possible would be anonymized and never logged or stored.
“It is privacy by design, by default,” he said.
But the Electronic Frontier Foundation (EFF) contends that the amount of data involved (10 “messages” per second per vehicle) will enable surveillance, even with efforts to build anonymity into DSRC with so-called “rotating certificate credentials” that would change every five minutes, or 20 times an hour.
In comments to the DoT when the V2V technology mandate was proposed, EFF said, “While a human being might find it confusing to remember 20 different identities for the same vehicle, it would be straightforward for a computer to analyze data collected via a sensor network and identify a vehicle over the course of one day—including associating the full set of certificates assigned to the vehicle.”
And once a sensor network had identified a vehicle for a day, “it would be able to immediately identify the vehicle for the remainder of the week … and for the corresponding week in any subsequent year.”
Jeremy Gillula, tech projects director at EFF, said he hasn’t seen any more recent proposals that would guarantee even “a minimal level” of privacy. And he said if one did, that would create another set of problems—helping criminals to be anonymous. “It’s hard to create a communication system that protects privacy without giving more access to bad actors,” he said.
Rebecca Herold, CEO of The Privacy Professor, said no data set today “can truly be 100% anonymized. If that data is combined with other data sets, results from AI [artificial intelligence], big data analytics, etc. performed using the multiple data sets will often reveal specific individuals.”
And even with anonymized and minimal data collection, “re-identification is still a risk depending upon the algorithms used, and the other data being used in combination with such data,” she said.
Jody Westby, CEO of Global Cyber Risk, said V2X data will be just as vulnerable as other IoT communications. “Anonymization rarely works, and advanced data analytics often are able to put pieces of data back together,” she said. “It is one thing to talk about privacy by design and another to actually secure data flying through the air.”
But Lauren Smith, policy counsel at the Future of Privacy Forum (FPF), was less critical. She commended the DoT’s efforts, saying the agency “went to great lengths to make sure those messages couldn’t be linked to a specific car or a person.”
She said, as Adams did, that the technology “can go a long way in improving safety and helping to avoid accidents.”
But she did recommend, in comments to the DoT in 2017, that the agency work to “identify any protective technical or legal control that could limit third party collection, aggregation, or sale of V2V data, including considering encryption or higher Pseudonym Certificate rotation rates.”
And she agreed with critics that, at least so far, there is no way to eliminate privacy risks entirely. One example is that the data in transit—flying through the air, as Westby put it—from vehicle “messages” won’t be encrypted, because to do so would increase “latency,” or slow down the transmission. And with connected vehicles moving as fast as they do, that would be a problem.
A complete rollout of V2X is years away—the entire traffic infrastructure is not even close to being “smart.” But even with the mandate suspended, Adams said, more carmakers are moving to add it voluntarily. He said Volkswagen intends to install it in its entire fleet.
Sammy Migues, principal scientist at Synopsys, said it is probably inevitable that V2X will become standard. And he said while technology can enable faster and more comprehensive data collection, the privacy risks aren’t any different from those that have always existed.
“Every single thing everyone does ‘in public’ can be observed and used against them,” he said. “All we’re doing these days is institutionalizing new collection methods and greatly decreasing both the time and data it takes to reach pretty accurate conclusions.”
And he suspects that, ultimately, it won’t just be the DoT collecting the data. “It will simply be sold directly to advertisers, doctors, lawyers, and so on,” he said.
Get the latest AppSec news and trends sent directly to you.