Plug-And-Pimp My Ride: The Fight for Ownership Over In-Car Data – Lawyer Monthly | Legal News Magazine


By Ken Munro, Partner, Pen Test Partners

Jailbreaking – modifying an electronic device to remove restrictions placed on it by the manufacturer – is often used on devices like phones and tablets to allow the owner to download unauthorised software. How common the practice is varies, with some estimates suggesting up to 50% of Mac devices are jailbroken in China. It’s popular because it gives the user control over their device and access to content not available in walled gardens such as the App Store. Jailbreak your phone and the worst that can happen is you’ll be scuppered by malware; jailbreak your car and it’s a whole different story.

 

When it comes to older cars, jailbreaking or customisation has resulted in some relatively harmless modifications. A minority of users have used the OBD2 port to make alterations such as opening the windows from the key fob. But the move to connected cars opens up a host of possibilities, due to the fact these vehicles now run millions of lines of code and have automated the vast majority of car functions.

 

The Car as a Computer

Connected cars are an array of computers, all of which run off the CAN Bus, an intra-vehicle data channel accessed via the OBD (On Board Diagnostics) interface. The CAN Bus is a controller area network that centralises and controls both hardware and software and is used to activate electronic functions such as the ventilation system, the media centre, the alarm or the windows. Accessing the CAN Bus library is often surprisingly easy; hackers often favour the radio or even the mobile app used to control functions remotely.

It’s also possible to access and reverse engineer the ECU (Engine Control Unit). The ECU is vital in controlling the driving mechanisms of the car and controls the air to fuel ratio, ignition timing and idle speed, among other mechanisms. Hacking the ECU has some real implications as it can allow the owner to override safety features to ‘improve’ performance.

Of course, hacking or customising your car in this way will invalidate the warranty. So why would anyone do this? The answer lies in the move away from a competitive market. Back in February the BBC reported that car manufacturers and independent garages were going head-to-head over who would have the legal right to the in-vehicle data created by today’s connected cars. If the European Automobile Manufacturers Association (ACEA) has its way, that data will be the preserve of manufacturers, preventing small independent garages from accessing vital information on the car.

 

Data Ownership

Currently, under the EU Block Exemption Regulation (BER), manufacturers are required to allow owners to use independent garages to service and maintain their car for them without impacting the warranty. Independent garages are authorised in law to have access to repair and maintenance information to diagnose faults with vehicles and implement fixes.

However, if the ACEA is successful in arguing that this data is owned by the manufacturer and any third-party access could be deemed a security risk, these independent garages will be deprived of access to in-vehicle data and drivers will be forced to use dealerships to maintain their warranties. That could see connected car owners seeking their own ‘workarounds’ to bypass the security measures that prevent this data being accessed.

If that sounds far-fetched, consider that there’s already evidence to suggest owners are doing this, albeit with some very expensive John Deere tractors rather than cars. In the US, farmers are turning to Ukrainian hackers to allow them to use cheaper repair parts and independent garages to fix their tractors, in direct contravention of the contracts they signed with John Deere. The benefits to be gained simply outweigh those associated with maintaining the warranty, making this a no-brainer, particularly for those owners who intend to keep the vehicle past its warranty period.

To be fair, ACEA is right to raise the point about secure data access. Aside from the issue of physically servicing cars, there’s also the issue of how to keep all that software patched and up-to-date.

Currently the favoured method is using OTA (Over the Air) downloads, but this mechanism can itself be maliciously hacked, allowing an attacker to inject code into the system. One recent proof of concept showed how all the Jeeps, Chryslers and Fiats within Manhattan could be brought to a standstill, gridlocking the city. To get around this, manufacturers want to use PKI (Public Key Infrastructure) so that once a software update is issued, the in-car system fetches the patch, checks the signature, verifies the authenticity of the patch and then performs the update. But this requires the manufacturer to have exclusive control over the process, a condition drivers are likely to reject as it applies for the lifetime of the vehicle.
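The fetch, check, verify, update sequence described above can be sketched with the OpenSSL command line. This is an added example, not code from the article or from any manufacturer; the key pair, file names, manifest format and version numbers are all constructed, and the downgrade check in step 3 goes beyond what the article describes.

```bash
#!/usr/bin/env bash
# Added example: every key, file name and version number here is constructed.
WORK=$(mktemp -d)

# Manufacturer side: signing key pair. Only the public key would ship in the car.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/oem.key" 2>/dev/null
openssl ec -in "$WORK/oem.key" -pubout -out "$WORK/oem.pub" 2>/dev/null

# publish <version> <payload-text> <dir>: write the patch, a manifest that
# commits to its hash and version, and a signature over that manifest.
publish() {
  mkdir -p "$3"
  printf '%s' "$2" > "$3/patch.bin"
  printf 'version=%s\nsha256=%s\n' "$1" \
    "$(openssl dgst -sha256 -r "$3/patch.bin" | cut -d' ' -f1)" > "$3/manifest"
  openssl dgst -sha256 -sign "$WORK/oem.key" -out "$3/manifest.sig" "$3/manifest"
}

# install_update <dir> <installed-version>: vehicle side. Prints the decision.
install_update() {
  # 1. The manifest signature must verify against the pinned public key.
  openssl dgst -sha256 -verify "$WORK/oem.pub" -signature "$1/manifest.sig" \
    "$1/manifest" >/dev/null 2>&1 || { echo "reject: bad signature"; return 1; }
  # 2. The payload must match the hash the signed manifest commits to.
  want=$(sed -n 's/^sha256=//p' "$1/manifest")
  got=$(openssl dgst -sha256 -r "$1/patch.bin" | cut -d' ' -f1)
  [ "$want" = "$got" ] || { echo "reject: payload hash mismatch"; return 1; }
  # 3. Refuse anything not newer than the installed version (no downgrades).
  ver=$(sed -n 's/^version=//p' "$1/manifest")
  [ "$ver" -gt "$2" ] || { echo "reject: not newer than installed"; return 1; }
  echo "install: version $ver"
}

# Demo on constructed data: a good update, then the same patch altered in transit.
publish 5 "constructed firmware image" "$WORK/update"
install_update "$WORK/update" 4
printf 'x' >> "$WORK/update/patch.bin"
install_update "$WORK/update" 4 || true
```

Signing the manifest rather than the raw patch lets the version number be authenticated together with the payload hash, so neither can be altered without invalidating the signature.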

 

Who’s Liable?

If, however, responsibility for patching systems falls to the driver, this could cause issues in its own right from a legal point of view. According to Section 3.13 of a consultation document for the Vehicle Technology and Aviation Bill, if an Autonomous Vehicle (AV) crashes and the human occupant didn’t update the car’s software to the latest version, the insurance company would be able to exclude the liability to the injured motorist. If the software wasn’t at the latest version (perhaps it was only missing a patch for the air conditioning system) the insurance company could now have a loophole to avoid paying out in the event of an accident.

Alternatively, we could see the current fault-based insurance system, which looks at driver liability, change to a product-based one, whereby the manufacturer will be held to account. The EU is investigating whether to enforce the use of Event Data Recorders (EDRs), which operate like a black box, and it’s likely that the technology will be made mandatory in autonomous vehicles to give crash data on speed, accelerator, braking, seatbelt use etc.

If we do see this kind of drastic overhaul of the insurance model, manufacturers are almost certainly going to have more say over data and could well win the argument to restrict access. And perhaps they have a point, because with autonomous cars, plug-and-pimp my ride practices could become deadly. What about unlocking a faster mode? Turning off systems that will prevent the car moving if a seatbelt is not on? Or, even more sinister, overriding the security systems that will prevent collisions? In all likelihood, this will see the end of customisation and could see an increase in leasing. And car ownership – that too could become a thing of the past.

 

Ken Munro can be contacted at ken.munro@pentestpartners.com or follow him on Twitter via @thekenmunroshow

Ken is passionate about empowering the user and blowing away the fear, uncertainty and doubt (FUD) peddled by security vendors. He is a successful entrepreneur and is a founder and partner in Pen Test Partners, a partnership of like-minded professional penetration testers all of whom have a stake in the business. Last year Ken hacked the Mitsubishi Outlander PHEV SUV and is actively involved in campaigns to improve connected car security. Ken has been in the info security business for 15 years.

Pen Test Partners LLP is a limited liability partnership for one very good reason; being in a partnership means that our people have a vested interest in the company. It’s that employee ownership which inspires and drives quality in what we do. It means that we can meet and exceed the needs of people like you who may feel underserved by their pen testing providers.

 

 

 
