Plug-and-pimp my ride: the fight for ownership over in-car data

Car owners have always sought to customise their vehicles, whether cosmetically or functionally, pimping up their cars for kudos or to improve performance. Typically this has ranged from getting a new paint job to lowering the suspension, but as cars have become more sophisticated, using software to control car functions, drivers have resorted to hacking their own cars.

The practice is comparable to jailbreaking a mobile phone. Modifying an electronic device to remove restrictions placed on it by the manufacturer is often used on devices like phones and tablets to allow the owner to download unauthorised software. It’s popular because it gives the user control over their device and access to content not available in walled gardens such as the App Store but equally it means the device is no longer protected; any warranty is void and the security features associated with the ‘locked’ phone are disabled.

Apply that same scenario to a car and you start to get some idea of how choosing to hack a vehicle could have some major implications. Needless to say, hacking or customising your car will invalidate the warranty. That’s why the practice has usually been restricted to older vehicles. But users could choose to hack their new connected cars if there’s a clampdown on in-car data. This is because car manufacturers are now lobbying to lock down diagnostic data, preventing car owners from choosing how their vehicle is repaired or serviced.

Whose data is it anyway?

Back in February the BBC reported that car manufacturers and independent garages were going head-to-head over who would have the legal right to the in-vehicle data created by today’s connected cars. Currently, under the EU Block Exemption Regulation (BER), manufacturers are required to allow owners to use independent garages to service and maintain their car for them without impacting the warranty. Independent garages are authorised in law to have access to repair and maintenance information to diagnose faults with vehicles and implement fixes. But if the European Automobile Manufacturers Association (ACEA) has its way, that data will be the preserve of manufacturers, preventing small independent garages from accessing vital information on the car.

If the ACEA is successful in arguing that diagnostic data is the preserve of the manufacturer, drivers will be forced to use dealerships to maintain their warranties. That could see connected car owners seeking their own ‘workarounds’ to bypass the security measures that prevent this data being accessed. And there’s already evidence to suggest owners are doing this, albeit with some very expensive John Deere tractors. In the US, farmers are turning to Ukrainian hackers to allow them to use cheaper repair parts and independent garages to fix their tractors, in direct contravention of the contracts they signed with John Deere. The benefits simply outweigh those associated with maintaining the warranty.

To be fair, ACEA has a point about the importance of secure data access. Connected cars contain numerous computer systems running millions of lines of code that are used to control the car. In the good old days, relatively harmless modifications were made, such as opening the windows from the key fob. But with connected cars – and soon autonomous cars – the implications of hacking these systems are far more dangerous. What about unlocking a faster mode? Turning off systems that will prevent the car moving if a seatbelt is not on? Or, even more sinister, overriding the security systems that will prevent collisions?


Code brakers

The main access point to hack these systems is the CAN Bus, an intra-vehicle data channel accessed via the OBD interface. The CAN Bus centralises and controls both hardware and software and is used to activate electronic functions such as the ventilation systems, the media centre, the alarm or the windows. Accessing the CAN Bus library is often surprisingly easy via the radio or even the mobile app, but the hacker is limited in terms of the systems this controls, which are mostly inert, such as the lights or air conditioning.

To get to the interesting mechanical features it becomes necessary to reverse engineer the ECU (Engine Control Unit). The ECU is vital in controlling the driving mechanisms of the car and controls the air to fuel ratio, ignition timing and idle speed, among other mechanisms. Reverse engineering allows the user to identify the lines of code responsible for various functions, which can then allow alterations to be made. It’s not a new practice – ECU modding has been used by companies to remap and tune engines for years – but the difference is that we’re now seeing a clampdown on access to these types of systems.

Manufacturers, keen to close the door, are issuing Over The Air (OTA) updates to curb software hacks regardless of whether they originate from genuine or malicious users. Interestingly, the update mechanism can itself be compromised, allowing an attacker to inject code into the system. One recent proof of concept showed how all the Jeeps, Chryslers and Fiats within Manhattan could be brought to a standstill, gridlocking the city.

To get around this, manufacturers want to use PKI (Public Key Infrastructure) so that once a software update is issued, the in-car system fetches the patch, checks the signature, verifies the authenticity of the patch and then performs the update. But this requires the manufacturer to have exclusive control over the process and this again strengthens the argument for them to retain data ownership.
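
The fetch, check and apply sequence described above can be sketched as follows. This is an added example, not code from any manufacturer or from the author of this article: it assumes a single pinned Ed25519 public key in place of a full PKI certificate chain and a constructed patch and version number, and it also refuses updates that are not newer than the installed version, a check the article does not mention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// signedBytes binds the version to the patch hash so neither can be swapped.
func signedBytes(version uint32, patch []byte) []byte {
	digest := sha256.Sum256(patch)
	msg := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(msg, digest[:]...)
}

// newKeys makes a throwaway manufacturer key pair for the demonstration.
func newKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the manufacturer side; the private key stays in its back end.
func Sign(priv ed25519.PrivateKey, version uint32, patch []byte) []byte {
	return ed25519.Sign(priv, signedBytes(version, patch))
}

// Install is the in-car side: verify first, apply only if every check passes.
func Install(pinned ed25519.PublicKey, installed, version uint32, patch, sig []byte) (uint32, error) {
	if !ed25519.Verify(pinned, signedBytes(version, patch), sig) {
		return installed, errors.New("rejected: bad signature")
	}
	if version <= installed {
		return installed, errors.New("rejected: not newer than installed version")
	}
	return version, nil // a real unit would flash the patch at this point
}

func main() {
	pub, priv := newKeys()
	patch := []byte("constructed patch image") // sample data, not real firmware
	sig := Sign(priv, 2, patch)
	fmt.Println(Install(pub, 1, 2, patch, sig)) // genuine update
	patch[0] ^= 0xff                            // simulate tampering in transit
	fmt.Println(Install(pub, 1, 2, patch, sig)) // same signature, altered patch
}
```

Because only the holder of the private key can produce a signature the car will accept, whoever controls that key controls what software the vehicle will run, which is the exclusivity the paragraph above refers to.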

 

Admitting liability

The only alternative is to place responsibility for patching systems on the driver and this seems to be the way the regulations are going. According to Section 3.13 of a consultation document for the Vehicle Technology and Aviation Bill, drivers must apply patches and updates or they could invalidate their insurance policy. If an Autonomous Vehicle (AV) crashes and the human occupant didn’t update the car’s software to the latest version, the insurance company would be able to exclude the liability to the injured motorist. Quite how that works out if you’re out of signal range, traversing the Scottish Highlands for instance, is anyone’s guess.

Alternatively, AV cars could see us move from a fault-based insurance system to a product-based one, whereby the manufacturer will be held to account. The EU is investigating whether to enforce the use of Event Data Recorders (EDRs), which operate like a black box, and it’s likely that the technology will be made mandatory in autonomous vehicles to give crash data on speed, accelerator, braking, seatbelt use etc. There’s no way anyone will want EDR data to be compromised, again swinging the pendulum back in the manufacturer’s favour.

If culpability is the hot potato nobody wants to handle, car data is the golden egg. It’s not just diagnostic data that’s up for grabs here. Manufacturers are all too aware of the potential to monetise personal in-car data. From information on driver habits (which they can sell to insurers) to personal journeys (that they can sell to retailers and advertisers), the sky’s the limit if only they can keep control over that small space. The question is, will generations of car owners who view it as their right to tinker with their tin cans be prepared to surrender control? Or could we see more rebellious moves like the tractor farmers in the US? Only time will tell.

About Author:

Ken Munro can be contacted at
ken.munro@pentestpartners.com or follow him on Twitter via @thekenmunroshow
