As you might have expected, my ability to remain relentlessly cheery lasted about a week. Not that I’m going full-on depressing again, but today’s piece is a downer.
Remember last year’s Jeep security fiasco? The one where a couple of researchers found a way to use cellphones to take over any Cherokee and drive it remotely?
Alison Chaiken used that story as an example of how the automotive industry is heading in the wrong direction when it comes to security. Linux Weekly News has a good writeup of her presentation, but unfortunately, it’s “subscribers only”*. The slide deck is here, albeit without a lot of useful context.
* LWN does allow linking of subscribers-only articles, but for economic reasons asks that such links not be made publicly available. If you want to read this piece, drop me an e-mail and I’ll see what I can do.
The gist is that not only are automakers emphasizing “gosh-wow” features over security, but regulators are focusing on the wrong things. The result is that nobody is paying attention to serious questions of privacy and security.
For example, Ms. Chaiken notes that the US National Highway Traffic Safety Administration requires that infotainment* systems that have a rear-view camera must boot within two seconds. That number was, she says, chosen arbitrarily and proved extremely difficult to attain. Allowing three seconds would have saved “countless hours and costs” that could have been used better elsewhere.
* Can we agree that the word “infotainment” is at least as obnoxious as “phablet”? But that it’s equally well-embedded in the vernacular and unlikely to go away? If we can agree, I’ll spare you the five hundred word rant I trimmed from the first draft of this post.
More critically, where regulations are being made with an eye towards safety, regulators aren’t giving sufficient thought to privacy. Ms. Chaiken cites rules covering what data must be recorded by “black boxes” for analysis of accidents. The rules don’t prevent using the same information for other purposes, so consumers have been denied warranty coverage (and, I believe, insurance coverage) based on non-accident-related information captured by the black boxes in their cars.
In cases where regulations haven’t been made yet, manufacturers aren’t considering privacy either. The push in infotainment systems is to provide access to more and more different services. Some of those services will inevitably require user information–hell, some of them already do: Pandora, for example, needs to know who you are so it can offer your customized stations. Sooner or later, some apps will store un- or lightly-encrypted passwords, GPS presets and trip data, credit card numbers, and other NPI. What happens when your infotainment system is stolen? For that matter, what happens when you sell your car? As far as I can tell, none of the systems offer a way to securely wipe the storage, even in cases where they allow some form of “reset to defaults”.
Fun times ahead.
That said, as Ms. Chaiken points out, there are positive signs. Publication of the Jeep Cherokee issue and other automotive security failures is forcing manufacturers to design more secure systems. (Although it should be noted that the DMCA makes it risky for security researchers to study automotive electronics.)
The California Department of Transportation is currently writing rules to cover self-driving vehicles. There’s a window in which they can be encouraged to build in privacy and security coverage. Of course, this is Caltrans we’re talking about… Keep your fingers crossed–and get involved. This is a great opportunity to drop a note to your state representative.