 Okay. Good afternoon or as I like to say good morning. Welcome. I'm here to talk about privacy and connected vehicles. First of all, a little bit about who I am. I have an electrical engineering degree and I decided that that worked as a network engineer, decided that got boring. So I went to law school because that's where all the really interesting problems lie. Standard disclaimer. I'm not a lawyer. I don't give legal advice yet. And here's my nonstandard disclaimer. I was contracted to work on this and I did sign an NDA in relation to that work. However, that was only about 20 hours of work total. So there's not a lot to not disclose. Okay. This project. Dedicated short range communications. A lot of people should know what this is by now but it's unfortunately still pretty opaque. The Senate committee, subcommittee on communications technology and the internet sure is aware of it and they're really excited about this being the panacea that solves the wireless spectrum problem that they anticipate. It's a multi-channel protocol. I'm going to be focusing on one channel which is for dedicated safety communications. The idea is vehicles communicate to other vehicles and they also communicate with the infrastructure. It would be pretty nice if 380 meters out they detected you were approaching a red light in the middle of the night and so you never ever had to stop because there was never any cross traffic. The idea of infrastructure efficiency is pretty cool. And my question is will it maintain privacy? I'm not convinced that the system as described and built will have enough protections for personal privacy. I think it can but I think it needs some very serious people taking a very serious look at it. There have been a few reviews like my review. It was a very small project and not a lot that's really convinced the automakers who are charging forward that they need to slow down and consider the implications that this has on people. 
The real reason that this technology is being pushed forward is safety and it's really dramatic the kind of safety expectations. They just finished a large-scale road test and the kind of improvements they expect to get, they're expecting an 82% reduction in all automobile accidents. 82%, that's a really dramatic number. It's revolutionizing driving. For example, in 2009, there were 5,000 deaths just from distracted driving alone. That doesn't include drunk driving, it doesn't include inattentive or emotionally distraught driving which also causes a large number of accidents. 5,000 deaths in 2009 that were totally preventable, the system would completely eliminate that type of or virtually eliminate that type of accident. There are a lot of people who are working on this safety project. As I mentioned before, it's totally non-trivial effect on death. 25% of vehicle deaths each year can be prevented even without the system. With the system, we're going beyond, we're talking about blind corners, dense fog, heavy rain, situations, the National Institute or the NTSB, National Transportation Safety Board, the wonderful people who brought us TSA. They have recently called for a mandate because of two school bus accidents in the last month. The buses were, one of them, the bus driver was at fault, he was on medication and he wasn't reacting as he should. He ran a red light and the bus got hit by a truck moving through the intersection. The other instance was the school bus was moving safely and there was a speeding truck that couldn't slow down in time to avoid hitting the school bus. Two school buses, many school children died. Each of these different scenarios could have been prevented had the driver been warned that there was an imminent accident. With 380 meters communication range, that's the spec for the communication range. It has the potential to extend out much further. That's a lot of warning and that's a lot of ability to respond in an accident. 
And then the next question that comes up, is this going to really happen? And the answer is, yeah, it's already out there. Most automakers have plans, most high-end automakers have plans to include this in their 2014 model year cars. The NTSB is talking about making a mandate for 2015 model year cars, meaning every car on the road starting in 2015 will have this. AC Delco is looking at aftermarket products, perhaps save you a little money on your insurance, and bring more cars into the fold. And then how soon? As I said, 2014-2015, very soon. They've already run large-scale tests. In Ann Arbor, Michigan, they got all the employees of a university in a hospital to put the aftermarket version in their car, and they ran around for a year, and they measured what the density implications were, how it dealt with the infrastructure, and how cars dealt with each other. They learned a lot of lessons. They came out with a new version, and they believe they're ready to move forward with this. This sort of technology is already deployed in trucks in Europe. In addition to the safety benefits, you're able to get more efficiency by allowing cars to move closer together. Because as soon as somebody in front of you steps on the brakes, you know that, and so you can step on the brakes if you're particularly alert. So you can get wind efficiencies as well as just density efficiencies for the highways. So what is this? I've been talking about it. The basic safety message is the core of the protocol. It's just a digital blob that's sent out once every tenth of a second. It's a standard blob with predefined values, very much like a CAN bus message. There's no header information. It's not like ASN.1 where you have key value pairs. It's just the data blob. The idea is the cars process the messages and warn the driver so that the driver isn't... The driver actually gets to mitigate the information and interpret it as to what they should do. 
Initially, although the self-driving car people are really excited about this technology, they assured me that this wasn't an autonomous thing and that they would definitely deploy it for a few years and see how it worked before they started automating the system. Yeah, this is what the aftermarket system looks like. The idea is that it comes with its own sensors. It was told to me that it would be a self-contained system, that there would be no existing things on the system that would be potentially open for compromise. They were absolutely confident that they had developed the sensor systems well enough that they wouldn't have the concerns about coming between the sensor and the control unit. I'm not sure that's necessarily true, but they feel that by moving away from the CAN bus architecture and into this, quote, sealed system, they can avoid a lot of the vulnerabilities that exist now. DSRC is not CAN bus. It is not the same technology at all. This is a radio that communicates with other vehicles. The idea that it has its own inertial sensors. It has its own GPS positioning system as well as other positioning systems because they're very well aware that in large cities with tall buildings as well as in tunnels and canyons, it's sometimes very difficult to determine GPS location, so they need to have alternative ways and they're working through that as well. It is not OnStar. I've spoken with a lot of people who, how is this different from OnStar? This is a vehicle to vehicle. All auto manufacturers will be running the same protocol and as I mentioned before, they're talking about mandate. So this isn't a phone home situation. This is notify everybody in the vicinity. More technical details. 5.9 gigahertz spectrum. The idea for that is the DOT owns the spectrum. So it's not used by anything else. The DSRC is a channelized protocol. Only one of the channels will be used for safety messages. 
Theoretically, this does not require a source address for these transmissions of the safety information. The source address was removed from the protocol in 2010 because of the privacy concerns. Any time you have a uniquely identified vehicle, you have a uniquely identified vehicle and you have the problem of tracking. So they remove that from the protocol. However, if you think about it, how do you route without a uniquely identifiable address? How do you validate people? They came up with the idea of certificates where you have the fingerprint that's hard-coded into each radio unit and the certificates are keyed to that fingerprint. So if you have a bad actor, the whole package of certificates are revoked by exposing the fingerprint. Each layer of this, there are some real serious privacy challenges. So the basic safety message. This is the blob that's sent out that's much like the CAN bus message. The SAE has come up with a standard for it. The idea is it has a lot of really interesting stuff. I don't know if you can see that. It's very small. It has location, acceleration, the status of your braking system. And each of these headers breaks down into different individual values. Like for the braking system, each individual brake reports its status. To include if your anti-lock braking system is engaged, if your airbags deployed, traction control, stability control, there are some other interesting things like the message count. But it also includes your size, your speed, your acceleration, your anticipated trajectory, and your previous path. In order for this to become effective, you need to have density. Because the benefit in a collision avoidance is not from your unit transmitting anything. It's from the unit that you'd potentially hit transmitting their data. So you would need the more units, the more vehicles on the road that have this, the safer the road is. So the other side of the coin is confidence. 
If you don't believe that the messages you're getting in are accurate, then you'll ignore it. And this is where hackers come in. I was thinking about, I'll get on to that later. Here I would like to point out that privacy is particularly important because if people don't trust it, then people will disable it and you wind up back with the first problem. If I don't feel like it's keeping my information private, then I'm going to be disabling it if I can't go anywhere without everybody being able to track me. So in order to attack the validity problem, they cryptographically signed all the certificates. And the certificates are issued by a central authority. I think that should be raising some more bells with some of you. The question is, who is that authority? There's been discussions, each automaker is its own authority. There's a government authority that issues certificates, really. There's public-private partnerships, all sorts of things. And then the revocation. And they plan on using a blacklist system. The internet tried that, I think. The idea is that the system, however, should invalidate itself if its sensor checks fail. It shouldn't be transmitting bad information if its internal checks are not working. They believe that they have a lot of information available for sensor validations, but if they can't even control their own drones, then who knows how that can go. So, certificates. The idea is that they're limited time use so that you can't be tracked by a unique identifier. Because as soon as you use a certificate for a little while, then it's as easy to track you by that certificate as it would be by any other unique identifier. The idea is that they're refreshed. You use, I had discussions with people who were working on these radios. How big should we make our memory to store these certificates? And they were thinking on the order of three years. And it occurred to me three years to renew your certificates. 
Oh, and by the way, you have to report the bad actors when you renew your certificates. So if you're only reporting bad actors every three years and then you get the report back the next three years when you update this, it becomes pretty clear that that's kind of a bad idea. So privacy. Here we go. Starting with the MAC layer, starting at the very bottom, the idea is that there's a changeable source or no source address in the protocol. This has been debated in the past. Whether it does or doesn't have that source, really it will come down to the implementation. Because anybody who's worked closely with protocols understands that nobody implements a protocol perfectly. And so if the leading implementation winds up demanding a source address, then everybody has to use source addresses. And this is a first to market problem rather than a market penetration problem because the first to market sets the standard. I'm thinking of Hayes-compatible modems. I know I used a lot of Hayes-compatible modems, but I never used a Hayes modem. So the idea that we have no source address means that any traffic to these devices would be unroutable. This is an interesting thought considering we're talking about moving vehicles if you had only an address to like an infrastructure base station, that'd be great, but the infrastructure base station would move out of range fairly quickly and you'd need some scheme to track that particular vehicle and which direction out of range it's gone and so on. And you could come up with a pretty good tracking scheme even if you avoided tracking individual vehicles. So there's no initial privacy concern, but the implementation and how they use it will create a problem. So coming back to the BSM that I showed you earlier, up there in the header elements I have, I just kind of grouped some like things, they have this temporary ID field. It is a specific field in the basic safety message itself. 
Temporary, that sounds pretty good, it's not a persistent identifier, but depending on the application and implementation it could be. Everybody's idea of temporary is somewhat different. My idea of temporary is no longer than five minutes plus or minus three, so I don't think everybody is on the same page. So certificates, the identity validity conflict, you want to trust somebody but they don't want you to know who they are. And it's something in infosec you deal with all the time, struggling between the authenticated user and the anonymous user. If we have constantly changing certificates with an unsteady shift, then that could help, but once again it depends on the implementation. But the biggest issue is the issuing authority. Who can control it? Who knows what vehicle maps to what fingerprint maps to what certificate and what location they are? There have been proposals that the units are shipped sealed and the fingerprint is not known to the automaker, so they can't map a VIN, but then there have been proposals to the IATF that the VIN be used as the fingerprint, which exposes the VIN, exposes the vehicle, the whole vehicle can no longer use the system ever again if there's a problem, and then you wind up in the aftermarket used vehicle sector picking up radios just for the VIN. So the fingerprint, no correspondence. I think I've covered all of this. So the delivery is the next challenge that I saw. How to get the certificates to the vehicle is we don't currently have any mechanism to communicate with that doesn't authenticate or uniquely identify both ends of the conversation, and most include some trackable method. I think cellular is the leading contender right now for certificate delivery. Wireless or even using DSRC in-band and that just really hurts my head to think that in-band certificate delivery could happen. There's just so many opportunities that that can fail. So more worrisome noise is going on with this. 
I mentioned that the safety was only one channel on many channels of the DSRC spectrum. The other channels there's a lot of applications. They're talking about mesh networking routing, which would be fun. Sharing MP3s with the other cars on the highway is a big joke about that. But the advertising is one that particularly gets me because that's not only a concern for the safety of the network, for people who bought a car and don't expect to be pummeled with advertising all the time, but also we've, I imagine, discussed different ways that advertising can be used as malware delivery. So what concerns me the most is this last one and I'm giving a talk tomorrow on data brokers, but data brokers using this fixed infrastructure, giving it to you for free so they can collect all the data on, maybe they're not collecting data on specific cars, but which model cars go to which malls, which neighborhoods drive which types of cars. There's a lot of rich information for data brokers in this system that cannot be overlooked. Another problem with this system is law enforcement. You're transmitting your speed every tenth of a second. Even if you're the most conscientious driver, occasionally you will be transmitting a speed that is over the posted speed limit. And there's really, there's published studies on there. There's no way to get around that. Downhill, crosswinds, suddenly shifting wind directions can push you over the speed limit. Can small law enforcement agencies start issuing tickets by mail? That's not very bright. It's possible to correlate location and speed and get a nice license plate reader to go along with the system so that when you pass through their camera they can catch you that way. It's very easy to de-anonymize this even if you're transmitting anonymous signals simply by using another method that law enforcement has at their disposal. So I know if I got a speeding ticket in the mail, I would disable the system. 
I'm neither the most nor the least conscientious driver, but I don't want to expose myself to that specific vulnerability and that expense. So what can you do? And this is kind of a call to action to all of you, you're hackers. You have an idea about how these things can be broken probably even more than I do. The radios are commercially available. Cohda, Cohda is the leading manufacturer right now. Cisco has an interest in them. They just released a brand new unit that is designated as a reference design for production so that others can intertest with that. So hack the protocols. DSRC is out there but mostly it's behind paywalls. I've tried to get a couple of other people to really play with it and break it and all the documents are behind paywalls. And become politically engaged. The Senate knows what this is. You guys should know what this is. Every auto manufacturer knows what this is. The administrative agencies, they're all totally on board with this. Hackers need to be jumping in and making a difference here. And more than anything else that certificate authority needs to be hashed out. If we're to maintain any privacy at all, there needs to be a separation between the government, the auto makers and the users. And all three of these need to have a stake in this decision. And so that pretty much concludes my slide show. I'd like to acknowledge a few people. Professor Dorothy Glancy, she led me down this path. Introduced me to a lot of people in DC 650. We hammered this out. And here's my contact information. If you have questions, we have a microphone up here if you'd like to step forward.

How about the problem of false warnings and what would be the per vehicle cost of these new systems and how robust and the cost of maintenance of the system? Does it break every 30 days? But the cost of the system, how robust and also false warnings.

Okay. False warnings, there are three questions. False warnings, the cost of the system and maintenance. 
Those are all three very good questions. Every auto maker of course is going to have a different cost for their systems. The idea of this being a sealed system suggests that it's not going to break down for at least two or three years until your extended warranty is up. But the idea is that it doesn't break down. It's supposed to be built very robust. And the third question was, oh, false positives. False positives is a really serious concern. And much of my report to the automakers involved the threat of the false positive. And the threat of the false report and there are a couple of other really, really obvious, basic things. You can't cause collisions because there's a human involved. But you can cause traffic slowdowns. You can get people out of the way because you don't even have to tell them you're a police car. You can just tell them you're speeding and you're going to hit them and they'll get out of the way. So, yeah, there's a lot of concern there.

I have a question about the message blobs. So when looking at them, you said the source address is optional now. And the ID that's included is temporary. How susceptible do you think they are to fingerprinting in general? So, for example, your browser could be fingerprinted just by the sequence of fonts that are installed and things like that.

There are a couple of things. Another issue in the blob of data is the size of the vehicle. I'm fairly certain within a certain range you'll be able to identify manufacturer of vehicles. Beyond that, I'm not sure. One of the things, you bring up another point, one of the things that I think is very important to consider in privacy, you can get too far beyond where it's useful. Facial recognition technology is involved in my eyeballs and we don't consider that an invasion of your privacy. So if you have to be physically there, if you can't deal with something as an automatic process, then it's not considered a significant threat to your privacy. 
But as soon as the automatic processes come in, as soon as the people get taken out of the system or the person who's operating the radio frequency fingerprinting, if you have to follow a car around to fingerprint or if you have to have a careful spectrum analysis, I imagine you could do it at a mall parking lot or something like that where you're looking at the vehicle. But to identify a whole class of vehicles, you're not really narrowing it down to an individual so much. So it's a concern, it's not the biggest concern, I guess, is where I'm going with that. Thank you.

Thank you for bringing this up to this particular community. You know, I work for one of the agencies involved. Yes. So there's a number of us trying to address some of the problems that you brought up. Could you lower the microphone? How's that? Yeah. So some of us have been looking at some of the problems you brought up and I'm glad you're bringing to this attention of this group. If you don't mind, what I want to do is to let the group know about some of the data sets we're making available from the NRB test. Okay. We might as well mention your TLA. Yeah. There's a web address, I'm going to repeat this twice. Okay. It's www.its-rde.net. One more time. www.its-rde.net. That is the research data exchange that RITA has set up for the NRB test bed. All of the basic safety message that Christie talked about are available from that. And we'd like to put up an informal challenge. We're a government agency and we're in the sequester right now so we can't put any cash behind us. I'm sorry, guys. But we would like to challenge the community to take a look at that data set and see if they are able to use that data set to identify any of the drivers without using social engineering. Okay. Just from the data set itself, we think we have a good design but you know what? We're still in the prototype stage. We would like as many hosts punch into this as technically possible now so we can fix those. 
Thank you, again, Christie.

And he brings up a very important point. The more we can hack on this right now, the better chance we have of not seeing faulty units get installed in vehicles because they're ready to roll. And we need to stop them if they're breaking things.

Okay. Do you know how they plan on switching the fingerprints? So I am switching the certificate so I imagine a couple of problems with that. Okay. So if you switch it while you're driving, then you have that path history that would probably stay the same across different certificates so then you could correlate them together. If you only do that for a single run of the car then you know where they start and where they end and so you could probably identify them that way. So it seems pretty challenging to do that.

Yeah. My recommendations were based on the average trip length. And so you want a certificate that lasts no longer than half your average trip length. And there's a lot of discussion about when you start transmitting if you want to do it like at the point where the power door locks engage. So you don't know exactly quite where they started. But you do get that information as soon as it's necessary. So there's a lot of thought that's going into at what points. Like my recommendation also was not to have fixed periods but rather have a plus or minus and have a little randomness in there so that they can't set up listening stations to track you as you leave their store. That sort of thing. My thought is a big box store wants to know if you left and went to their competitor. Or where did you go when you left their store? So where have you been before you came? So yeah, the idea that having a flexible length and a minimum of half the average trip size or maximum.

This was focused mainly on emerging DSRC and my question is how much are you or are you involved in some of the other things that are emerging right now coming out of industry? 
Like for example, Telematics Detroit, are you familiar with that?

I'm not really engaged in any of the other automotive control systems. My specialty is privacy. And so I look at privacy in a variety of embedded devices. Automotive privacy is very interesting to me mostly because even more than your cell phone, which is my previous research, even more than your cell phone, your vehicle tells where you've been, where you're going. And it tells a lot about you, who you associate with and where you spend your time. It says a lot about you. And so it's critical that neither the government nor the advertisers take that information from you without your consent.

In that case, I would point you to Telematics Detroit. If you Google that, the session abstract for every session of the conference is essentially... I'm aware of that conference. Split up all the data in the car. So thank you.

I had two questions. The first one was, what sorts of displays would we be looking at as far as getting the driver information? And the second question was, would there be any drawbacks to like the certificates changing before the trip has ended as far as safety?

Okay. First, here's an example of what we have in mind. This is one of several different things they've been toying around with a small display in the center of the dash. They've also talked about putting lights in various places in the cockpit. And there's a lot of human interaction research that's done on what kinds of displays that they're working on with this. And everybody has a little bit different idea. What's your second question? Is there any drawbacks to having the certificates change before the trip is completed? You have one car driving and it's one car to the computers and then instantly it just changes to another car or something like that? Persistence of vision. Cars can do it too. The cars around you don't get confused when the certificate changes. In fact, you wouldn't even notice. 
One of the concerns about changing certificates is well, if you were to be followed then they would be able to track the certificate changes. But if you were to be followed then you're being followed. So the real interest is in just the persistence at the point of change. And that shouldn't be a problem because what the system does is it takes the packet, validates it, and then strips the certificate off. And so all the processing is done once the packet has been validated. So it really shouldn't change anything at all. Okay?

Is this system supposed to be operating internationally? Yes. And if yes, then how we solve the foreign certificate of rotation?

The European bandwidth that is available is the same as the bandwidth in the United States. And they plan to implement the same radios, the same protocols in Europe as in the United States. The only difference is in Japan where that bandwidth is not available. The spectrum has been allocated elsewhere. So that's kind of where it is. The automakers that are working on this, European, I worked with three European, three American, and three Japanese automakers. And they were adamant about having the exact same system in the U.S. and in Europe.

What about certificate authorities?

That's a really good question. And when you start crossing international borders, the government piece of the three interests changes. And there will be all sorts of interesting wrangling in that respect. That's a very good point. So.

The gentleman from the ITS RDE described this as a prototype system. You described the user interface as still very much under development. Earlier in the talk you mentioned that this was expected to ship on high-end automobiles for the 2014 model year. Those are on now. And 2015 cars, you were thinking about that maybe being a mandate. That seems contradictory to me. Can you explain where we're at in the development cycle and how close we really are to having these on the road? 
I don't know the stuff on the lot right now. I don't follow model years. As I mentioned, my specialty is privacy rather than. I do know that they were working. When I spoke with them around this time last August, I wasn't able to come to DEF CON because I was working on this project. When I was speaking with them that last August, they were talking about already having radios and I actually got to put my hands on some. And they already had the radios. They already were trying to get them in the cars. And so that's the best information I have. When I say high-end, I mean the BMWs who are doing automatic parking and the various where they're kind of going off on their own a little bit on that. The user interface is there will be no uniform user interface. Just like there is no uniform car interior. Every auto maker will have its own interpretation of the kinds of alarms and the way that they will alarm you. So.

That seems really scary to me. I mean if I'm used to, to use for example a BMW and then I go and rent a Cadillac and the system's different, I'm not used to the warning systems. I'm sure lawyers would love to argue liability over that.

The liability of not responding to a warning system is what you're talking about there. And that's a really interesting point that I don't think anybody else has discussed. But yeah, to argue the liability for not responding, that would be an interesting argument because the situation you would be in there would be that somebody was driving erratically and it was the duty of the person who was not driving erratically to heed the warnings and get out of their way. So that's the only situation where the liability would be an issue. Thank you. Okay. We're done. Okay. Thank you all very much.
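The pseudonym-certificate lifetime rule of thumb from the talk and the Q&A (a certificate that lasts no longer than half the average trip length, rotated with random jitter rather than on a fixed period so a roadside listener cannot predict the change-over) can be checked with a small policy model. The following is an added example and is not code from the talk, from any automaker, or from any DSRC implementation. It takes the 10 Hz basic safety message rate from the talk; the trip lengths, policy parameters and 32-bit temporary ID width are constructed here for illustration; and resetting the path history at each rotation, so the new pseudonym does not carry the old one's trail, is an assumed mitigation that the questioner's concern suggests but the talk does not specify.

```python
"""Pseudonym-certificate rotation policy check for DSRC basic safety messages (BSMs).

Added example, not from the talk or any DSRC project. It models the talk's
recommendation (lifetime no longer than half the average trip length, with
random jitter instead of a fixed period) and answers two defender-side
questions: how many trips are sent start-to-finish under one certificate, and
how predictable the first change-over instant is to a fixed roadside listener.
"""
import random
import statistics
from dataclasses import dataclass, field

BSM_RATE_HZ = 10  # one basic safety message every tenth of a second (from the talk)


@dataclass(frozen=True)
class RotationPolicy:
    base_lifetime_s: float  # nominal certificate lifetime in seconds
    jitter_s: float = 0.0   # each lifetime is base +/- uniform(0, jitter)


def make_rng(seed=7):
    """Seeded generator so a run of the model is reproducible."""
    return random.Random(seed)


def recommended_base_lifetime(trip_lengths_s):
    """Rule of thumb from the talk: no longer than half the average trip length."""
    return statistics.fmean(trip_lengths_s) / 2


def messages_per_certificate(lifetime_s):
    """Number of BSMs sent under one pseudonym, i.e. how long one ID stays observable."""
    return int(lifetime_s * BSM_RATE_HZ)


def rotation_times(policy, trip_length_s, rng):
    """Seconds after the first BSM at which a new certificate is put into use during one trip."""
    times = []
    t = 0.0
    while True:
        lifetime = policy.base_lifetime_s + rng.uniform(-policy.jitter_s, policy.jitter_s)
        t += max(lifetime, 1.0)  # never let jitter produce a non-positive lifetime
        if t >= trip_length_s:
            return times
        times.append(t)


def single_certificate_trip_fraction(policy, trip_lengths_s, rng):
    """Share of trips whose origin and destination are both sent under the same ID."""
    whole = sum(1 for length in trip_lengths_s if not rotation_times(policy, length, rng))
    return whole / len(trip_lengths_s)


def first_rotation_window(policy, samples, rng):
    """(earliest, latest) first change-over over many trips; a zero-width window is predictable."""
    firsts = [policy.base_lifetime_s + rng.uniform(-policy.jitter_s, policy.jitter_s)
              for _ in range(samples)]
    return min(firsts), max(firsts)


@dataclass
class PseudonymState:
    """Per-vehicle BSM header state: the temporary ID and the path history the talk lists."""
    temporary_id: int
    path_history: list = field(default_factory=list)

    def rotate(self, rng):
        # Assumed mitigation (not from the talk): a fresh ID and an emptied path
        # history, so the new pseudonym does not carry the previous one's trail.
        self.temporary_id = rng.getrandbits(32)  # 32-bit width is a constructed choice
        self.path_history.clear()


if __name__ == "__main__":
    rng = make_rng()
    trips = [300, 600, 1200, 1800, 2400]  # constructed trip lengths in seconds
    policies = {
        "three-year (the memory-sizing anecdote)": RotationPolicy(3 * 365 * 86400),
        "half-average, fixed period": RotationPolicy(recommended_base_lifetime(trips)),
        "half-average, +/- 120 s jitter": RotationPolicy(recommended_base_lifetime(trips), 120),
    }
    for name, policy in policies.items():
        frac = single_certificate_trip_fraction(policy, trips, rng)
        lo, hi = first_rotation_window(policy, 1000, rng)
        print(f"{name}: {frac:.0%} of trips under one ID; "
              f"first change-over between {lo:.0f} s and {hi:.0f} s; "
              f"{messages_per_certificate(policy.base_lifetime_s)} BSMs per certificate")
```

With the constructed trips the half-average rule gives a 630 s lifetime, so two of the five trips still run entirely under one ID, and the fixed-period variant always rotates at exactly 630 s, which is what makes a listener outside a store able to match a departing ID to its successor; the jittered variant spreads the first change-over across a 240 s window. The three-year lifetime from the memory-sizing anecdote never rotates at all.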