Serious Privacy Risks Lie in the Path of Vehicle Automation
Written by Joseph Lorenzo Hall
Yesterday, CDT joined four top cryptography and security experts – Leonid Reyzin, Anna Lysyanskaya, Vitaly Shmatikov, and Adam D. Smith – in raising serious privacy concerns with proposed next-generation vehicle-to-vehicle communication standards (find our comments here).
The National Highway Traffic Safety Administration (NHTSA) has proposed a new standard – a Federal Motor Vehicle Safety Standard (FMVSS) – that details the messaging formats for communications between vehicles for future vehicle automation. While we raise concerns here, make no mistake: increased automation of land vehicles like cars and trucks holds great promise, from drastically reducing injuries and deaths in accidents to streamlining traffic in order to route vehicles in the most efficient ways possible. To do this, our vehicles will be increasingly talking to each other and to other infrastructure on the road such as traffic signals, signage, and lane boundaries in order to keep us safe. At the same time, in the race towards promising applications, we need to be careful that we don’t introduce features that may reduce the trust and freedom we have in our vehicles.
It’s clear that the current set of proposed standards falls short of what we need in a next-generation vehicle-to-vehicle (V2V) standard. In addition to our critique, other commenters like Alishah Chator and Matthew Green from Johns Hopkins University describe in their comments how the credential management system has a number of serious weaknesses.
In our comments, we point out that the Basic Safety Message (BSM) – a message broadcast ten times a second with granular data about position, speed, direction, and path history – poses serious privacy risks to drivers and passengers:
- The BSM must report location accuracy to 1.5m, sufficient to pinpoint the parking spot of a car or even the specific driveway or garage in a suburban environment where the car is located, allowing a specific vehicle to be linked to its BSM messages.
- The BSM includes a temporary ID and a security certificate that change every 5 minutes ostensibly to destroy any linkability; however, there is enough continuity between other data in the message – path history, speed, acceleration, and yaw – to link BSMs across a change in these credentials.
- If an observer misses one of these credential changes, other data like vehicle size (0.2m precision in each dimension) or the inherent relationship among the speed, acceleration, steering angle, and yaw will vary subtly among different makes and models, helping to link a specific vehicle to its BSMs.
- The security certificates themselves can allow an observer to link BSM messages. A vehicle will at most have 20 of these certificates active each week and a car starting and stopping in the same place (e.g., a driveway) will permit an observer to link most of a vehicle’s weekly allotment of certificates to the same driveway and, thus, to the same vehicle.
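To make the linkability argument above concrete, here is a small added illustration (not part of our comments or of the NHTSA standard) that reconstructs vehicle tracks from constructed BSM samples by dead-reckoning from the previous message and never looking at the temporary ID; the vehicles, road geometry, matching tolerances and the shortened rotation interval are all assumptions, chosen only to show that a credential change which leaves position, speed and heading continuous does not break the track.

```python
import math
from dataclasses import dataclass


@dataclass
class BSM:
    temp_id: str    # temporary ID; rotated together with the certificate
    t: float        # seconds since start of capture
    x: float        # metres east of an arbitrary origin
    y: float        # metres north of that origin
    speed: float    # m/s
    heading: float  # radians, 0 = east


def predict(last, dt):
    """Dead-reckon where a vehicle should be dt seconds after its last BSM,
    assuming constant speed and heading (a simplification of path history)."""
    return (last.x + last.speed * math.cos(last.heading) * dt,
            last.y + last.speed * math.sin(last.heading) * dt)


def link_tracks(msgs, pos_tol=3.0, speed_tol=2.0):
    """Group BSMs into tracks by kinematic continuity alone, ignoring temp_id.
    Each message joins the track whose prediction it best matches, or starts a
    new one. The tolerances are assumed values, not taken from the standard."""
    tracks = []
    for b in sorted(msgs, key=lambda m: m.t):
        best, best_err = None, None
        for tr in tracks:
            dt = b.t - tr[-1].t
            if dt <= 0:
                continue  # same instant as the track's last message: not the same vehicle
            px, py = predict(tr[-1], dt)
            err = math.hypot(b.x - px, b.y - py)
            if err <= pos_tol and abs(b.speed - tr[-1].speed) <= speed_tol:
                if best is None or err < best_err:
                    best, best_err = tr, err
        if best is None:
            tracks.append([b])
        else:
            best.append(b)
    return tracks


def simulate(n_vehicles=2, steps=60, rotate_every=20):
    """Constructed sample: vehicles on parallel straight roads broadcasting at
    10 Hz, with the temporary ID rotated every `rotate_every` messages (a
    scaled-down stand-in for the 5-minute credential change)."""
    msgs = []
    for v in range(n_vehicles):
        speed, y = 12.0 + 2.0 * v, 50.0 * v
        for i in range(steps):
            t = i * 0.1
            msgs.append(BSM(f"veh{v}-id{i // rotate_every}", t, speed * t, y, speed, 0.0))
    return msgs


def ids_per_track(tracks):
    """Distinct temporary IDs spanned by each reconstructed track; anything
    above 1 means a credential change was bridged by the other BSM fields."""
    return sorted(len({b.temp_id for b in tr}) for tr in tracks)
```

With the defaults, the two vehicles each rotate their ID three times, yet the linker recovers exactly two tracks, each spanning all three IDs.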
Needless to say, we have serious concerns about the level of granular privacy leakage possible with the BSM message format in its current design. It’s no exaggeration to say that this design makes it possible to track the entire vehicular movements of a neighborhood or small town with a single antenna and computer for under a few thousand dollars. While of course it’s possible to follow vehicles physically, track them via GPS/cellular signals, or use license plate-reading cameras to follow their movements, none of these can be accomplished with such easily concealed, cheap tools that require no access to private infrastructure. We go on in the comment to discuss shortcomings in the privacy study for the proposed standard, pointing out that tools can be made much cheaper and more powerful than suggested in the privacy study, with only a bit of extra effort.
We call for this system to be explicitly opt-in or for the design to be significantly reconsidered so as to avoid the problems we identify. There are some promising tools from applied cryptography that could be leveraged to design a system that would impact driver and passenger privacy to a much lesser extent. Technologies such as anonymous tokens can give a vehicle the ability to send anonymously authenticated messages that have the property of removing anonymity – and revoking credentials – if the vehicle misbehaves. Further research in this area and a deeper engagement with the cryptography and privacy research communities are likely to yield a design that can give us the benefits of V2V communication without such devastating privacy costs.
Part of the difficulty here is that NHTSA has largely disclaimed any ability or interest in policing non-safety applications of V2V information, leaving the field open to unexpected commercial uses as well as privacy-invasive uses like those we discuss above. While we are hopeful that the standard could be improved to drastically reduce the current extent of privacy risks, we feel that NHTSA should be more engaged with entities like the Federal Trade Commission, which has the authority and expertise to deal with non-safety privacy issues. And we are very glad to see the upcoming joint FTC/NHTSA workshop this summer, which should be a perfect venue for further discussion of these risks and potential fixes.