Slashdot Mirror


Experts Have No Confidence That We Can Protect Cars and Streets From Hackers (dailydot.com)

Patrick O'Neill writes: Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they'll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office. "The government is coordinating with the transportation industry on the Security Credential Management System (SCMS), a project to verify that basic road-safety messages come from authorized devices. ... At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing 'a more active leadership role' for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational."

4 of 97 comments

  1. RESTORE CONFIDENCE! by TheRealHocusLocus · · Score: 3, Insightful

    Buy some new experts.

    --
    <blink>down the rabbit hole</blink>
  2. Really? by koan · · Score: 4, Insightful

    So no matter what we are going to attach cars and the "street" to the Internet? That's a good idea?
    And there is a serious question as to whether that control should be privatized?

    Let me convey my feelings about that as one concerned citizen.

    Never has it been more insulting, and dangerous, than to consider privatizing public utilities and assets, and thereby making people dependent on corporations to manage something we all use and need.
    Privatization never turns out well for the end user, and no matter what you say about the government running things, it's a damn sight better than some corporation.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Really? by jellomizer · · Score: 5, Insightful

      Also if you are going to have internet access in your car, have it on a separate computer than what you are using for the core services, with the entertainment system.
      Your engine, steering, braking, and lights should be on a separate computer without any form of wide area network. Just a plug for manual software updates.

      Your other systems, that are not directly affecting your driving can be hooked up to the internet. Where hackers cannot harm the person.

      Not everything needs to be hooked up to the internet.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Really? by RingDev · · Score: 4, Insightful

      This isn't about internet access.

      Disclaimer: I work for a state DOT as a software development manager and I consult on systems that are impacted by these systems.

      This is about V2V and V2I communications platforms. In the 2017 model year, all new vehicles will require V2V communication systems. And another ~5 years after that we'll likely see V2I requirements.

      Currently, when you see those signs that say "X minutes to exit Y", they pull that data in one of a few ways:
      1) Buy it from Google or other cell phone tracking companies
      2) Use radar speed cameras to calculate the average speed and travel time
      3) Use roadside Bluetooth detectors to identify specific vehicle travel times between two detectors
      4) Magnetic loop vehicle counters and an algorithm to compare rate to volume and travel time.

      V2V communication systems don't directly communicate with the infrastructure system. But similar to the Bluetooth detection system, we can identify that a specific car with a V2V system has passed a point, and then measure the travel time for it to reach the next meter point. Currently we capture ~2% of traffic using Bluetooth, with the new V2V system being mandated for 2017 and a ~5% annual fleet replacement rate, by 2018 we should over double our data collection.

      There's nothing fancy there though. The detail data is only retained for the segment measurements, and since all we know is effectively a GUID, we can't identify specific people. But if you were to learn of a GUID associated with someone's vehicle or phone's Bluetooth, and you were to capture and store the meter data, you could, in theory, determine their travel habits across the specific place those meters are installed (pro-tip: there aren't many of them)

      Where V2I starts getting really cool is when we can actually communicate with vehicles about the environment. For example, if you have a densely populated area with significant street parking (say like pretty much any downtown metro in the country) as the street parking fills, you get more surface traffic of people looking for parking. At ~50% parking capacity roughly 80% of the traffic is searching for parking. V2I communication can cut that rate tremendously by informing vehicles of the closest available parking spots.

      Another cool use that's already being done in Vegas is that the infrastructure can inform the car as to the optimum speed to travel at to hit all of the green lights.

      Then you get into the really cool stuff, next gen and all that. Where a vehicle that has its route information can report travel times for each road segment, and share this data between V2V and V2I, allowing the other vehicles and infrastructure to perform vastly more efficient route planning, alleviating traffic jams, minimizing road surface damage, etc...

      That data can also feed our construction plans giving us hard analytical data to determine where construction projects are needed. Where safety needs to be improved, where volume is changing rapidly. It can help plan lane closures and route plans for oversized-overweight vehicles. It can replace a ton of what is currently labor intensive and best-guess analysis with cold hard facts.

      But it needs to be shepherded by people who are aware of the security impacts and unwilling to overstep bounds.

      At one stakeholder meeting, a senior member of a policing branch of the state government asked if the system could be used to disable the vehicles of people who were driving recklessly. Or if they would be able to query the system to identify suspects in relation to a crime.

      Some of the ops folks were really excited about the idea of identifying common traffic routes, to be able to see how individual drivers get from point A to point B.

      But there were those of us in the group who were willing to say, no, killing someone's ignition at 90 mph is a bad idea. No, having a searchable database with PII is bad. No, showing full route information is a horrible intrusion in the drivers' privacy.

      These are the battles that are being had, across the country, in your own Department of Transportation.

      If you are concerned about it, contact your local DOT, that's where the magic is happening right now.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs