Tracking Connected Vehicles

Researchers have shown that it is both easy and cheap to surveil connected vehicles.

The second link talks about various anonymization techniques, none of which I am optimistic about.

Posted on October 29, 2015 at 6:33 AM • 17 Comments

Comments

Björn PerssonOctober 29, 2015 7:49 AM

Anyone who is at least a little bit surprised that it's easy and cheap to surveil connected vehicles, raise a hand.

PedestrianOctober 29, 2015 7:53 AM

Next step:

If I walk or cycle to get around, or buy bus tickets with cash, and don't own a mobile phone [how quaint!], I must be a potential terrorist.

disconnect-guideOctober 29, 2015 8:18 AM

A guide to completely disable any wireless communications capabilities for any car model would be nice.

jonesOctober 29, 2015 8:49 AM

If more cars are going to be made electric or hybrid electric, this type of tracking may become necessary to pay for the roads.

The federal gasoline tax is about 18 cents per gallon, and was last raised by a nickel in 1993. It is not indexed to inflation.

http://financecommission.dot.gov/Documents/NSTIF_Commission_Final_Report_Exec_Summary_Feb09.pdf

For the federal insterstate system to be financially solvent, much less expanded or improved, the federal gasoline tax needs to be increased by about 43 cents per gallon -- now.

So high-tech vehicles that improve mileage are actually making the infrastructure funding problem worse. Hybrid & electric vehicles will create a need for this type of tracking technology, since it will become necessary to meter use in this way to fund the roads.

The alternative is to invest in low-tech mass transit.

Brian SOctober 29, 2015 9:35 AM

This kind of tracking is of course more detailed/real time. But even "dumb" vehicles are tracked. Almost every toll has a camera snapping license pictures, plenty of stoplights record this info as well. And that's not even accounting for dedicated license plate readers out there.

Add in your credit card, cell phones and/or other wearable smart devices.

You really don't have to worry about your car being tracked in this way as the majority of people can already be tracked with a high degree of accuracy.

Even taking the bus with a cash only payment will still likely require an ID at some point (if most/all don't already, not sure).
So you are either going to be breaking the rules (no/fake plates, fake license), or you are getting tracked.

Welcome to the digital world. People want convenience and always on connectivity. This is part and parcel to it.

paulOctober 29, 2015 10:26 AM

If V2X is going to be useful at all, some large percentage of cars is going to need receivers as well as transmitters. And we know (!) just how secure in-car data processing is. So who needs to install their own sniffers when there's a whole potential mesh botnet out there? (Yeah, you need some way to get the data out; I leave the possibilities as an exercise for the reader.)

albertOctober 29, 2015 10:38 AM

@disconnect-guide,
It might be as simple as unplugging the antenna, and possibly added a dummy (non-radiative) load. (Clive might have something to say about this).

Issues:
1. It'll void your warranty. Wonder if they already have tamper-proof connections?
2. It may become illegal, by law.
3. You _will_ become an object of scrutiny by LE.

A better solution is to get a 'pre-electronic BS' car. (I cleaned the main jet of a VW carburetor by the side of the road in New Mexico with only a screwdriver).

@jones,
The gas tax needs to be replaced by a usage tax. Only mileage and VIN needs to be transmitted; nothing else. Besides, who knows where the money goes?

Disabling auto tracking is only useful if your cell phone is disabled as well.

. .. . .. _ _ _

jasonOctober 29, 2015 12:06 PM

@albert
> Issues:
> 1. It'll void your warranty. Wonder if they already have tamper-proof connections?
> 2. It may become illegal, by law.
> 3. You _will_ become an object of scrutiny by LE.

Maybe VW will do us a favour and make a car that only broadcasts details during testing for regulatory compliance and turns that "feature" off at all other times.

@Jones
> this type of tracking may become necessary to pay for the roads.

Not really; the need to connect government expenditure with a tax somehow associated with the concerned activity is a fiction. The whole point of tax is to pay for things that are commonly good but difficult to assign cost centers such as the military, municipal police, air / water pollution control regulatory bodies, etc etc etc. As albert points out, it's not easy to tell what any particular tax money is used for.

AndyOctober 29, 2015 3:26 PM

There is bound to be a separate control module for this feature somewhere weithin the vehicle. Not every model will habe this off the line, it will be a Graduale implementiert I guess. First an Option in high value cars until it trick!es down, like most everything in automotive tech.

Pull the fuse or plug to the control unit.

But I don't get the point. It is almost as trivial to pinpoint someone through the cellphone base towers (for govt at least).

And recently the EU mandated that every new car sold from some date onwards has to have an automated emergency call system, so everyone will soon be riding shotgun with an always active SIM Card.

Gotta figure out your cars fuse schematics soon enough...

FrobozzOctober 29, 2015 8:48 PM

All transmitters have a unique "fist" so even if the transmission was "truly" random data it is possible to identify the individual unit.

Joe KOctober 29, 2015 11:31 PM

@Brian S, regarding license plates and the droids who read them…

Yes, any car with a license plate "talks" a little already, the way Hodor does, and automatic license plate readers (ALPR) are indeed listening.

The wired article mentions this in passing:

[Depending on the persistence of vehicle-pseudonyms], Petit argues the connected vehicle protocol could offer a new, relatively cheap form of vehicle tracking that could bolster existing law enforcement tracking techniques like automatic license plate readers.

It does stand to reason that insofar as anyone enjoys access to ALPR systems, with (mandated!) V2X access as well, they will enjoy the product of both significantly more.

With respect to ALPR access, the EFF has posted an article about that, wherein one can read that 3M is "very confident in the security of [their] systems."

Apparently their ALPR systems include telnet access. Go Team Retro!

P.S. Brian S concludes:

Welcome to the digital world. People want convenience and always on connectivity. This is part and parcel to it.

The implicit claim here, that "the People get what they want", is Panglossian. It is precisely the logic used by TPTB to manufacture consent.

Do people want to be spied on? Do they want it done via risibly insecure infrastructure?

I find that difficult to believe. And if one seeks the reason it is done nonetheless, is it not sufficient to ask cui bono?

Brian SOctober 30, 2015 5:30 AM

@Joe K

No, they don't want to be "spied on" per se.
But they want ultimate convenience. They want to be able to do anything instantly. And they want their preferences and needs not only remembered, but served.

That all has a cost to it. Not only can a company not do that for you without knowing who and where you are.
They are not going to do it for free.

The fact that cell phones are effectively no different than the bracelets used by criminals for house arrest (in terms of tracking you) has been common knowledge for most of the world since y2k was a thing.
Yet cell phones and smart devices are more popular and widespread than ever.

You should expect, and hold accountable, these companies to prevent your information from being used in nefarious/illegal ways. But the majority of them tell you right up front that your information is essentially a traded commodity for them.

That's assuming they read the agreements they all click on when they first start using the device/service in question.

And to answer the question of cui bono? Theirs of course. You pay for this convenience by being a product yourself.

XelandreOctober 30, 2015 8:47 AM

You probably won't have to install tracking stations all over the place, the infrastructure is already in place.

The European Union mandated the mounting in all new vehicles of a system named "E-Call", which automatically summons emergency help should a set of conditions be met, e.g., car comes to a sudden stop and airbag is deployed.

Committees of cellular network operators, automotive manufacturers, mobile equipment manufacturers, together with public safety services, hammered out a few years ago the essential details of the standard baseline module.

An issue was the signalling load which would eventually be inflicted by a potential 9-figure fleet of essentially idle terminals that don't generate any revenue. The solution was to specify that the GSM modules should never perform a location update [the operation in which a moving MS selects and registers with a new cell site], but to remain silent while continuously scanning the spectrum for the best possible channel, until the time comes.

Another issue was SIM, since the MS should be able to use any available network. Operators must already accept calls to 112 [the European approximate equivalent of 911] without a SIM installed, so the same goes for E-call. Of course, premium models could have a SIM installed, as is already the case in luxury brands.

But even though the module isn't chatty in theory, I would be rather surprised if backdoors weren't provided, or at least thought of. A standards-compliant UE can technically respond to a paging message containing the IMSI, and it would in all probability be connected to the vehicle's CAN-BUS, over which the VIN can be read. A part of the IMSI addressing space could quietly be reserved for a VIN mapping, or the IMSI to VIN correspondence could be recorded at the car factory.

European police forces already have a history of polling mobiles with "silent SMSs" to find their whereabouts, without judicial oversight, and since these also sat on the E-call committee... A perfect excuse can be readily found, such as car theft. [Robbers have a field day, as car manufacturers have no real interest in providing secure electronics.]

The rationale for mandating E-call was that a saving of X minutes for the body snatchers in reaching an accident site should save Y lives, and result in a gain of Z Euros for society. But the EU and its member states have a demonstrably awful track record when it came to defining limits for NOx and PM emissions [think of Volkswagen] or imposing and reducing a speed limit, which demonstrably saves lives, while reducing CO2 emissions.

Instead it went for the technological Band-Aid of E-call, and preserved the sacred rights of the reckless driver who must be saved at all costs with helicopters rescue and first class emergency care.

The interests of the automobile industry prevailed, as usual...

tenuous cabbageOctober 30, 2015 8:55 AM

@Andy:
"And recently the EU mandated that every new car sold from some date onwards has to have an automated emergency call system, so everyone will soon be riding shotgun with an always active SIM Card."

Yup, it's called ecall. It works with GPS and GSM. Some car models (e.g. Volvo & BMW) already have it by default. It will be required by law in the EU from 2018. The system will be activated by default and there is no easy way for the driver to switch it off.

The official website makes a vague statement about the system "sleeping" until required and therefore not tracking users.

http://ec.europa.eu/digital-agenda/ecall-time-saved-lives-saved

What precisely they mean by "sleeping" and how easy it would be to activate the tracker (e.g. by knocking) is unclear.

How to beat it? A GPS jammer connected to the car lighter. Fairly affordable ones are already available online. If you live in the EU, I'd order one quick before 2018! A more extreme solution would be to ask a friendly mechanic to rip out / physically disconnect the system from the car's power source.

albertOctober 30, 2015 10:10 AM

@tenuous cabbage,
It's almost trivial to design a system that prevents the engine from running if the ECall unit is disconnected. Integrating the unit into the existing computer is also possible.

The GPS jammer seems practical. The unit still talks, but has no location data to offer.

Opportunities abound for abuse. Look for the 'Designed for Abuse' sticker on the box.

Just kidding...

. .. . .. _ _ _ ....

XelandreOctober 30, 2015 10:34 AM

The unit still talks, but has no location data to offer.

You don't need GPS. A MS can be located with cell ID data, timing advance, and neighbouring cell signal strengths to more than a useful accuracy, and these data are already gathered, stored, and processed for that very purpose.

I would rather partially disable the RF part of the unit, or disconnect or short-circuit the E-call antenna altogether, or remove the unit to another part of the car and wrap it in tin foil.

Disconnecting power might not be effective, as BITE could indeed nag the user, or rat on him at regular inspections.

Some car manufacturers also plan to provide a semi-autonomous power supply, with battery back up in case the engine is destroyed.

The best option could be to offer an aftermarket replacement E-call module with verifiable open source software. But would people buy it?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.