Privacy in DSRC connected vehicles


Formal Metadata

Title: Privacy in DSRC connected vehicles
Number of Parts: 112
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
To date, remote vehicle communications such as OnStar have provided little in the way of privacy. The planned DSRC system will become the first large-scale nationwide direct public participation network outside of the Internet. Much information and misinformation has been spread about what the upcoming DSRC system is and can do, especially in the information security community. The recent field trial in the US of a connected vehicle infrastructure raises the level of concern among all who are aware of existing privacy issues. In this talk I will examine the current high-level system design for North American vehicles, as set by international standards and used in a recent road test in Ann Arbor, Michigan, USA. I will consider privacy concerns for each portion of the system, identifying how they may be addressed by current approaches or by other solutions under consideration. I conclude with a discussion of the strategic value of engaging the privacy community during development efforts and the potential community role in raising privacy as a competitive advantage.

Christie Dudley (@longobord) started her career with a BSEE with an emphasis in digital communications from the University of Kansas. A 15-year career as an enterprise network engineer, largely in finance and manufacturing, followed. Starting with a study in anthropology she decided to change fields, eventually pursuing an old interest in communications security and privacy and a brief internship in hardware security. Seeking to combine her interests in technology and society, she began pursuing the field from a new perspective, enrolling as a JD candidate at Santa Clara Law. She now consults on privacy issues related to communications technology while completing her law degree. She has also cofounded Fork the Law, an effort to bridge the gap between technologists and legislation.
Transcript: English (auto-generated)
Okay. Good afternoon, or as I like to say, good morning. Welcome. I'm here to talk about privacy and connected vehicles. First of all, a little bit about who I am. I have an electrical engineering degree. And I decided that that ‑‑ worked as a network
engineer and decided that got boring. So I went to law school because that's where all the really interesting problems lie. Standard disclaimer. I'm not a lawyer. I don't give legal advice yet. But ‑‑ and here's my nonstandard disclaimer. I was
contracted to work on this and I did sign an NDA in relation to that work. However, that was only about 20 hours of work total. So there's not a lot ‑‑ not a lot to not disclose. Okay. This project. Dedicated short‑range
communications. A lot of people should know what this is by now, but it's unfortunately still pretty opaque. The Senate committee ‑‑ subcommittee on communications technology and the Internet sure is aware of it and they're really excited about this being the
panacea that solves the wireless spectrum problem that they anticipate. It's a multichannel protocol. I'm going to be focusing on one channel, which is for dedicated safety communications.
The idea is that vehicles communicate to other vehicles and they also communicate with the infrastructure. It would be pretty nice if 380 meters out they detected you were approaching a red light in the middle of the night and so you never ever had to stop because there was never any cross traffic. The idea of infrastructure efficiency is
pretty cool. And my question is, will it maintain privacy? I'm not convinced that the system as described and built will have enough protections for
personal privacy. I think it can, but I think it needs some very serious people taking a very serious look at it. There have been a few reviews. Like my review, it was a very small project. And not a lot that's really convinced the auto makers
who are charging forward that they need to slow down and consider the implications that this has on people. The real reason that this technology is being pushed forward is safety. And it's really dramatic, the kind of safety expectations. They just finished
a large scale road test. And the kind of improvements they expect to get, they're expecting an 82% reduction in all automobile accidents. 82%, that's a really dramatic number.
It's revolutionizing driving. For example, in 2009, there were 5,000 deaths just from distracted driving alone. That doesn't include drunk driving. It doesn't
include inattentive or emotionally distraught driving, which also causes a large number of accidents. 5,000 deaths in 2009 that were totally preventable, the system would completely eliminate that type of ‑‑ or virtually eliminate that type of accident.
There are a lot of people who are working on this safety project. As I mentioned before, it's a totally non‑trivial effect on death. 25% of vehicle deaths each year can be prevented
even without the system. With the system, we're going beyond. We're talking about blind corners, dense fog, heavy rain. Situations, the National Institute ‑‑ or the NTSB,
National Transportation Safety Board, the wonderful people who brought us TSA. They have recently called for a mandate because of two school bus accidents in the last month. The buses
were ‑‑ one of them, the bus driver was at fault. He was on medication and he wasn't reacting as he should. He ran a red light and the bus got hit by a truck moving through the intersection. And the other instance was the school bus was moving safely
and there was a speeding truck that couldn't slow down in time to avoid hitting the school bus. Two school buses, many school children died. Each of these different scenarios could have been prevented had the driver been warned that there was an imminent accident. And with
380 meters communication range, that's the spec for the communication range. It has the potential to extend out much further. So that's a lot of warning and that's a lot of ability to respond in an accident. And then the next question that comes up,
is this going to really happen? And the answer is, yeah. It's already out there. Most auto makers have plans ‑‑ most high end auto makers have plans to include this in their 2014 model year cars. The NTSB is talking about making a mandate for 2015 model
year cars, meaning every car on the road starting in 2015 will have this. AC Delco is looking at aftermarket products, perhaps to save you a little money on your insurance and bring more cars into the fold. And then how soon? As I said, 2014, 2015, very
soon. They've already run large scale tests. In Ann Arbor, Michigan, they got all the employees of a university and a hospital to put the aftermarket version in their car and they ran around for a year and they measured what the density implications were,
how it dealt with the infrastructure and how cars dealt with each other. They learned a lot of lessons. They came out with a new version and they believe they're ready to move forward with this. It's already ‑‑ this sort of technology
is already deployed in trucks in Europe. In addition to the safety benefits, you're able to get more efficiency by allowing cars to move closer together because as soon as somebody in front of you steps on the brakes, you know that and so you can step on the brakes if you're particularly alert. So you can get wind efficiencies as well as
just density efficiencies for the highways. So what is this? We've been talking about it. The basic safety message is the core of the protocol. It's just a digital
blob that's sent out once every tenth of a second. It's a standard glob with predefined values very much like a CAN bus message. There's no header information. It's not like
ASN.1 where you have the key value pairs. It's just the data glob. The idea is the cars process the messages and warn the driver so that the driver isn't ‑‑ the driver actually gets to mitigate the information and interpret it as to what they should do
initially. Although the self‑driving car people are really excited about this technology. They assured me that this wasn't an autonomous thing and they would definitely deploy it
for a few years and see how it worked before they started automating the system. This is what the aftermarket system looks like. The idea is that it comes with its own sensors. It comes ‑‑ it was told to me that it would be a self‑contained system,
that there would be no existing things on the system that would be potentially open for compromise. They were absolutely confident that they had developed the sensor systems
well enough that they wouldn't have the concerns about coming between the sensor and the control unit. I'm not sure that's necessarily true, but they feel that by moving away from the CAN bus architecture and into this quote sealed system, they can avoid a lot of
the vulnerabilities that exist now. So DSRC is not CAN bus. It is not the same technology at all. This is a radio that communicates with other vehicles. The idea
that it has its own inertial sensors, it has its own GPS positioning system as well as other positioning systems, because they're very well aware that in large cities with tall buildings as well as in tunnels and canyons, it's sometimes very difficult
to determine GPS location. So they need to have alternative ways and they have ‑‑ they're working through that as well. It is not OnStar. I've spoken with a lot of people who ‑‑ how is this different from OnStar? Well, this is a vehicle to vehicle.
All auto manufacturers will be running the same protocol. And as I mentioned before, they're talking about a mandate. So this isn't a phone home situation. This is a notify everybody in the vicinity. Okay. More technical details. 5.9 gigahertz spectrum. The idea
for that is the DOT owns the spectrum. So it's not used by anything else. There ‑‑ the DSRC is a channelized protocol. Only one of the channels will be used for safety
messages. Theoretically, this does not require source address for these transmissions
of the safety information. The source address was removed from the protocol in 2010 because of the privacy concerns. Any time you have a uniquely identified vehicle, you have a uniquely identified vehicle. And you have the problem of tracking. So they removed that from the
protocol. However, if you think about it, how do you route without a uniquely identifiable address? How do you validate people? They came up with the idea of certificates where you have the fingerprint that's hard coded into each radio unit. And the certificates
are keyed to that fingerprint. So if you have a bad actor, the whole package of certificates are revoked by exposing the fingerprint. Each layer of this, there are some real serious
privacy challenges. So the basic safety message, this is the glob that's sent out that's much like the CAN bus message. The SAE has come up with a standard for it. The
idea is it has a lot of really interesting stuff. I don't know if you can see that. It's very small. It has location, acceleration, the status of your braking system. And each of these headers breaks down into two different individual values like for the braking system,
each individual brake reports its status to include if your braking system is engaged, your airbags deployed, traction control, stability control. There are some other interesting things like the message count, but it also includes your size, your speed, your acceleration,
your anticipated trajectory, and your previous path. In order for this to become effective, you need to have density. Because the benefit in a collision avoidance is not from your
unit transmitting anything. It's from the unit that you potentially hit transmitting their data. So you would need the more units, the more vehicles on the road that have this, the safer the road is. So the other side of the coin is confidence.
If you don't believe that the messages you're getting in are accurate, then you'll ignore it with the ‑‑ and this is where hackers come in. I was thinking about ‑‑
I'll get on to that later. Here I would like to point out that privacy is particularly important because if people don't trust it, then people will disable it
and you wind up back with a first problem. If I don't feel like it's keeping my information private, then I'm going to be disabling it if I can't go anywhere without everybody being able to track me. So in order to attack the validity problem,
they cryptographically signed all the certificates. And the certificates are issued by a central authority. I think that should be raising some alarm bells with some of you. The question is who is that authority? There's been discussions, each automaker is its own authority.
There's a government authority that issues certificates, really. There's public private partnerships, all sorts of things. And then the revocation. And they plan on using a blacklist system. The Internet tried that, I think.
The idea is that the system, however, should invalidate itself if its sensor checks fail. It shouldn't be transmitting bad information if its internal checks are not working.
They believe that they have a lot of information available for sensor validations, but if they can't even control their own drones, who knows how that can go. So certificates. The idea is that they're limited time use so that you can't be tracked by a unique identifier
because as soon as you use a certificate for a little while, then it's as easy to track you by that certificate as it would be by any other unique identifier. The idea is that they're refreshed. You use ‑‑ I had discussions with people who
were working on these radios, how big should we make our memory to store these certificates? And they were thinking on the order of three years. And it occurred to me three years
to renew your certificates, oh, and by the way, you have to report the bad actors when you renew your certificates. So if you're only reporting bad actors every three years and then you get the report back the next three years when you update this, it becomes pretty clear that that's kind of a bad idea. So privacy. Here we go.
Starting with the MAC layer, starting at the very bottom, the idea is that there's a changeable source or no source address in the protocol. This is ‑‑ this has been debated in the past. Whether it does or doesn't have
that source, really it will come down to the implementation because anybody who's worked with ‑‑ closely with protocols understands that nobody implements a protocol perfectly. And so if the leading implementation winds up demanding a source address, then everybody
has to use source addresses. And this is a first to market problem rather than a market penetration problem because the first to market sets the standard. I'm thinking of Hayes-compatible modems. I know I used a lot of Hayes-compatible modems but I never
used a Hayes modem. So the idea that we have no source address means that any traffic to these devices would be unroutable. This is an interesting
thought considering we're talking about moving vehicles. If you had only an address to like an infrastructure base station, that would be great, but the infrastructure base station would move out of range fairly quickly and you'd need some scheme to track that particular vehicle and which direction out of range it's gone and so on. And you
could come up with a pretty good tracking scheme even if you avoided tracking individual vehicles. So there's no initial privacy concern, but the implementation and how they use it will create a problem. So coming back to the BSM that I showed you
earlier, up there in the header elements I have ‑‑ I just kind of grouped some like things. They have this temporary ID field. It is a specific field in the basic safety
message itself. Temporary, that sounds pretty good. It's not a persistent identifier. But depending on the application implementation, it could be. Everybody's idea of temporary is somewhat different. My idea of temporary is no longer than five minutes plus or minus
three. So I don't think everybody is on the same page. So certificates, they try to address the identity validity conflict. You want to trust somebody, but they don't want you to know who they are. And it's something in infosec
you deal with all the time, struggling between the authenticated user and the anonymous user. If we have constantly changing certificates with unsteady shift, then that could help.
But once again, it depends on the implementation. But the biggest issue is the issuing authority. Who can control it? Who knows what vehicle maps to what fingerprint maps to what certificate and what location they are. There have been proposals that the units are shipped
sealed and the fingerprint is not known to the automaker. So they can't map a VIN but then there have been proposals to the IETF that the VIN be used as the fingerprint,
which is a ‑‑ expose the VIN, expose the vehicle. The whole vehicle can no longer use the system ever again if there's a problem. And then you wind up in the aftermarket used vehicle sector picking up radios just for the VIN.
So the fingerprint, no correspondence. I think I've covered all of this. So the delivery
is the next challenge that I saw. How to get the certificates to the vehicle is ‑‑ we don't currently have any mechanism to communicate with that doesn't authenticate
or uniquely identify both sides of the conversation. And most include some trackable method. I think cellular is the leading contender right now for certificate delivery. Wireless
or even using DSRC in‑band and that just really hurts my head to think that certificate delivery could happen. There's just so many opportunities that that can fail.
So more worrisome noise is going on with this. I mentioned that the safety was only one channel on many channels of the DSRC spectrum. The other channels, there's a lot of applications. They're talking about mesh networking routing, which would be fun. Sharing
MP3s with the other cars on the highway is a big joke about that. But the advertising is one that particularly gets me because that's not only a concern for people who bought
a car and don't expect to be pummeled with advertising all the time, but also we've, I imagine, discussed different ways that advertising can be used as malware delivery.
So what concerns me the most is this last one, and I'm giving a talk tomorrow on data brokers, but data brokers using this fixed infrastructure, giving it to you for free so they can collect all the data. Maybe they're not collecting data on specific cars,
but which model cars go to which malls, which neighborhoods drive which types of cars. There's a lot of rich information for data brokers in this system that cannot be overlooked.
Another problem with this system is law enforcement. You're transmitting your speed every tenth of a second. Even if you're the most conscientious driver, occasionally you will be transmitting a speed that is over the posted speed limit, and there's published
studies on this. There's no way to get around that. Downhill crosswinds, suddenly shifting wind directions can push you over the speed limit. Can small law enforcement agencies start issuing tickets by mail? That's not very right.
It's possible to correlate location and speed and get a nice license plate reader to go along with the system so that when you pass through their camera they can catch you that way. It's very easy to de-anonymize this even if you're transmitting anonymous
signals simply by using another method that law enforcement has at their disposal. So I know if I got a speeding ticket in the mail, I would disable the system. I'm
neither the most nor the least conscientious driver, but I don't want to expose myself to that specific vulnerability and that expense.
What can you do? This is kind of a call to action to all of you. You're hackers. You have an idea about how these things can be broken, probably even more than I do. The radios are commercially available. Cohda, C-O-H-D-A, is the leading manufacturer right
now. Cisco has an interest in them. They just released a brand new unit that is designated as a reference design for production so that others can use it.
So, inner test with that. So hack the protocols. DSRC is out there, but mostly it's behind paywalls. I've tried to get a couple of other people to really play with it and break
it and all the documents are behind paywalls. And become politically engaged. The Senate knows what this is. You guys should know what this is. Every auto manufacturer knows
what this is. The administrative agencies, they're all totally on board with this. Hackers need to be jumping in and making a difference here. And more than anything else, that certificate authority needs to be hashed out. If we're to maintain any privacy at all, there needs
to be a separation between the government, the auto makers and the users. And all three of these need to have a stake in this decision. And so that pretty much concludes
my slide show. I'd like to acknowledge a few people. Professor Dorothy Glancy, who has led me down this path, introduced me to a lot of people in DC650. We kind of hammered this out. And here's my contact information. If you have questions, we have a microphone
up here if you'd like to step forward. How about the problem of false warnings and what would be the per vehicle cost of these new systems and how robust and the
cost of maintenance of the system? Does it break every 30 days? But the cost of the system, how robust and also false warnings. Okay. False warnings, there are three questions. False warnings, the cost of the system and maintenance. Those are all three very
good questions. Every auto maker, of course, is going to have a different cost for their systems. The idea of this being a sealed system suggests that it's not going to break down for at least two or three years until your extended warranty is up. But the idea is that
it's supposed to be built very robust. And the third question was, oh, false positives. False positives is a really serious concern. And much of my report to the auto makers
involved the threat of the false positive. And the threat of the false report. And there are a couple of other really, really obvious basic things. You can't cause collisions because there's a human involved. But you can cause traffic slowdowns. You can get people
out of the way because you don't even have to tell them you're a police car. You can just tell them you're speeding and you're going to hit them and they'll get out of the way. So, yeah, there's a lot of concern there. I have a question about the message blobs. So when looking at them, you said the source
address is optional now and the ID that's included is temporary. How susceptible do you think they are to fingerprinting in general? So, for example, your browser could be fingerprinted just by the sequence of fonts that are installed and things like that.
There are a couple of things. Another issue in the glob of data is the size of the vehicle. I'm fairly certain within a certain range you'll be able to identify the manufacturer of vehicles. Beyond that, I'm not sure. One of the things ‑‑ you bring up another
point. One of the things that I think is very important to consider in privacy, you can get too far beyond where it's useful. Facial recognition technology is involved in my eyeballs and we don't consider that an invasion of your privacy. So if you have
to be physically there, if you can't deal with something as an automatic process, then it's not considered a significant threat to your privacy. But as soon as the automatic processes come in, as soon as the people get taken out of the system or the person
who is operating the radio frequency fingerprinting, if you have to follow a car around to fingerprint or if you have to have a careful spectrum analysis, I imagine you could do it at a mall parking lot or something like that where you're looking at the vehicle. But to identify
a whole class of vehicles, you're not really narrowing it down to an individual so much. So it's a concern. It's not the biggest concern, I guess is where I'm going with that. Thank you. Thank you for bringing this up to this particular community. I work for one of the agencies
involved. So there's a number of us trying to address some of the problems that you brought up. Could you lower the microphone? Sure. How's that? Yeah. So some of us have been looking at some of the problems you brought up and I'm glad you're bringing to this attention of this group. If you don't mind, what I want to do is to let the group know about some of the data sets that we're making available from
the Ann Arbor test. We might as well mention your TLA. Yeah. There's a web address. I'm going to repeat this twice. It's www.its-rde.net. One more time.
www.its-rde.net. That is the research data exchange that RITA has set up for the Ann Arbor test bed. All of the basic safety messages that Christie talked about are available from that and we'd like to put up an informal challenge. We're a government agency and we're in
crisis, guys. But we'd like to challenge the community to take a look at that data set and see if they're able to use that data set to identify any of the drivers without using social engineering. Okay. Just from the data set itself. We think
we have a good design, but you know what? We're still in the prototype stage. We'd like as many hosts punch into this as technically possible now so we can fix those. Thank you again, Christie. And he brings up a very important point. The more we can hack on this right now, the
better chance we have of not seeing faulty units get installed in vehicles because they're ready to roll. And we need to stop them if they're breaking things. Okay. Do you know how they plan on switching the fingerprints? So I am ‑‑ or switching
the certificates. So I imagine a couple of problems with that. So if you switch it while you're driving, then you have that path history that would probably stay the same across different certificates. So then you could correlate them together. If
you only do that for a single run of the car, then you know where they start and where they end. So you could probably identify them that way. So it seems pretty challenging to do that. Yeah, my recommendations were based on the average trip length. And so you want a certificate that lasts no longer than half your average trip length. And there's a lot of discussion
about when you start transmitting, if you want to do it like at the point where the power door locks engage. So you don't know exactly quite where they started. But you do get that information as soon as it's necessary. So there's a lot of thought
that's going into at what points. Like my recommendation also was not to have fixed periods but rather have a plus or minus and have a little randomness in there so that they can't set up listening stations to track you as you leave their store. That
big box store wants to know if you left and went to their competitor or where did you go when you left their store. So where have you been before you came? So, yeah, the idea that having a flexible length and minimum of half the average
trip size or maximum. Thanks. This was focused mainly on emerging DSRC. My question is how much are you or are you
involved in some of the other things that are emerging right now coming out of industry? Like for example, Telematics Detroit. Are you familiar with that? I'm not really engaged in any of the other automotive control systems. My specialty is privacy. And so I look at privacy in a variety of embedded devices.
Automotive privacy is very interesting to me, mostly because even more than your cell phone, which is my previous research, even more than your cell phone, your vehicle tells where you have been, where you are going, and it tells a lot about you, who you associate with and where you spend your time. It says a lot about you.
And so it's critical that neither the government nor the advertisers take that information from you without your consent. In that case, I would point you to Telematics Detroit. If you Google that, the session
abstract for every session of that conference is essentially ‑‑ I'm aware of that conference. We're going to split up all the data in the car. So thank you. Yeah. Yeah. I had two questions. The first one was ‑‑ Closer to the mic. Huh? Closer.
Oh, sorry. I had two questions. The first one was what sorts of displays would we be looking at as far as like getting the driver information? And the second question was would there be any drawbacks to like the
trip has ended as far as like safety? Okay. First, here's an example of the display they have in mind. This is one of several different things they've been toying around with, with a small display in the center of the dash. They've also talked about putting lights
in various places in the cockpit. And there's a lot of human interaction research that's done on what kinds of displays that they're working on with this. And everybody has a little bit different idea. What was your second question? Are there any drawbacks to having the certificates changed before the trip is completed?
Like you have one car driving and it's one car to the computers and then like instantly it just changes to another car or something like that? Persistence of vision. Cars can do it, too. The cars around you don't get confused when the certificate changes. In fact, you wouldn't even notice.
One of the concerns about changing certificates is, well, if you were to be followed, then they would be able to track the certificate changes. But if you were to be followed, then you're being followed. So the real interest is in just the persistence at the point of change.
And that shouldn't be a problem because what the system does is it takes the packet, validates it, and then strips the certificate off. And so all the processing is done once the packet's been validated.
So it really shouldn't change anything at all. Okay? Is this system supposed to be operating internationally? How do we solve the foreign certificate issue?
The European bandwidth that is available is the same as the bandwidth in the United States. And they plan to implement the same radios, the same protocols in Europe as in the United States. The only difference is in Japan where that bandwidth is not available. The spectrum has been allocated elsewhere.
So that's kind of where it is. The automakers that are working on this, European ‑‑ I worked with three European, three American, and three Japanese automakers, and they were adamant about having the exact same system
in the U.S. and in Europe. What about certificate authorities? That's a really good question. And when you start crossing international borders, the government piece of the three interests changes.
And there will be all sorts of interesting wrangling in that respect. That's a very good point. So ‑‑ The gentleman from the ITSRDE described this as a prototype system. You described the user interface as still very much under development.
Earlier in the talk you mentioned that this was expected to ship on high‑end automobiles for the 2014 model year. Those are on the lot now. And 2015 cars you were thinking about that maybe being a mandate. That seems contradictory to me.
Can you explain where we're at in the development cycle and how close we really are to having these on the road? I don't know the stuff on the lot right now. I don't follow model years. As I mentioned, my specialty is privacy rather than ‑‑ I do know that they were working.
And when I spoke with them around this time last August, I wasn't able to come to DEF CON because I was working on this project. When I was speaking with them that last August, they were talking about already having radios.
And I actually got to put my hands on some. And they already had the radios. They already were trying to get them in the cars. And so that's the best information I have. When I say high‑end, I mean the BMWs who are doing automatic parking. And the various ‑‑ where they're kind of going off on their own a little bit on that.
The user interfaces, there will be no uniform user interface. Just like there is no uniform car interior. Every automaker will have its own interpretation of the kinds of alarms and the way that they
will alarm you. So ‑‑ That seems really scary to me. I mean, if I'm used to, for example, a BMW and then I go and rent a Cadillac and the system is different, I'm not used to the warning systems. I'm sure lawyers would love to argue liability over that.
Well, the liability of not responding to a warning system is what you're talking about there. And that's a really interesting point that I don't think anybody else has discussed. But, yeah, to argue the liability for not responding, that would be an interesting
argument because the situation you would be in there would be that somebody was driving erratically and it was the duty of the person who was not driving erratically to heed the warnings and get out of their way. So that's the only situation where the liability would be at issue.
Okay. We're done. Okay. Thank you all very much.