My 14 year-old-car finally died, so I bit the bullet and bought a new one – with bells and whistles.  The new car has keyless entry, keyless start, integrates with my phone, contacts, traffic., weather, Facebook, etc.  My old one had a rickety old GPS that was OK for getting home.

But all the new bells and whistles come at a price – and not just the one on the sticker.

As cars become more complicated – and more connected, they become the subject of possible attacks by hackers and surveillance by governments.  Like any other connected device that becomes part of the “Internet of Things,” the devices become a source of personal information, which can be used, later in civil or criminal litigation or by insurance companies or others.  In essence, our cars become spies.  And it’s only going to get worse.

First, to my 14 year-old-car.  Before turning it in to the dealership, I realized that there were a few bits of personal information in the car itself.  Sure, I cleaned out the trunk, the glove compartment, and even looked under the seats.

But the GPS itself was programmed with my home and work addresses, as well as the last few places I had visited.  Coded into the garage door remote (which was part of the car itself) was the codes for opening the garage door.  So anyone with access to the car could easily find out where I lived, and then get into the garage.  Pretty neat!  I deleted both.  At least I think I did.  If the car were Internet connected, it would be possible to obtain this information remotely without physical access to the car.  Scary stuff.

Many of the modern conveniences relating to cars have hidden pitfalls.  Every modern car is equipped with a “black box”  called a Sensing Diagnostic Module or SDM or the Event Data Recorder (EDR) contained in it.  It records the vehicle’s speed, brakes, acceleration or deceleration, air bag deployment and a host of other bits of data recorded from sensors.

These can be used by car companies to make cars safer and avoid future accidents, by insurance companies to assign fault or liability, and by police to arrest and prosecute people.  In one such case in California in 2013, the police impounded a woman’s car after a fatal collision and obtained the SDR data without a warrant.

The California court found that the driver had no “reasonable expectation of privacy” in the contents of the black box data because they had “voluntarily exposed” the information that was collected by the black box to the public.  The court noted that:

… a person has no reasonable expectation of privacy in speed on a public highway … Similarly, a person has no reasonable expectation of privacy in use of a vehicle’s brakes because statutorily required brake lights [] announce that use to the public.  …  In this case, technology merely captured information defendant knowingly exposed to the public — the speed at which she was travelling and whether she applied her brakes before the impact.

Because the black box captures data that could have been measured by someone else legally, the data is essentially up for grabs.  No warrant is needed to get the data because no privacy expectation is impinged by it.

Cars equipped with OnStar or similar technologies also permit those accessing the car to obtain a host of information about the vehicle and its occupants.  Not only can these cars be remotely unlocked, or the engine started (if so equipped) but they can be tracked by location and speed, and even the cellular communications used to alert the operator of an emergency can be turned on.  In one case, a user inadvertently turned on the communications while discussing a drug deal.

In another case, the FBI obtained a warrant and used a suspect’s OnStar system as a “roving bug” to enable them to listen in on the conversations inside the vehicle – all while the owner incurred service charges for the use of the service, and was unable to actually use in in the event of an emergency.

When the Supreme Court ruled  that the government could not install GPS tracking devices on people’s cars without a warrant, the government was undaunted.  It simply used the GPS tracking devices already installed in the car – either the OnStar type one, or more generally the GPS tracking in the occupants’ cell phones.

No warrant is necessary for either of these – a simple court order or even a subpoena will do.  Indeed, using certain technologies like Stingray, the government (any anyone with such a device) can collect this information.

Modern cars do a lot more and are a lot more connected.

The Wall Street Journal’s Priya Anand reports that modern cars have about 60 microprocessors which contain more than 10 million lines of code ad that “there were more than 26 million connected cars on the road last year, a figure that will rise to 152 million by 2020…”

While these more “intelligent” cars permit users to remotely start their cars using apps, turn on the heat or air conditioning so the car is the appropriate temperature when they get there, set the seat positions and a host of other things, these interconnected cars are a gold mine for hackers or for companies that want the information that can be gleaned from them.

The code was never designed to be secure, and the authentication protocols are rudimentary.  A person with access to the vehicle can take over the control of the vehicle remotely, change the steering, brakes, acceleration or display.

Indeed, if past  experience has shown us anything, it demonstrates that anything with a processor or sensor can be hacked, modified, or altered to do things it was not intended to do.  With interconnected cars, this can also happen remotely.

Some states are moving to track the movements of specific cars.  With electric and more fuel efficient cars dragging down gasoline tax revenues while continuing the cost of maintaining highways, states like Oregon are looking at imposing taxes based on actual miles driven on state highways.

To do this, the state would have to track where residents are, and where they drive – a gold mine for hackers, cops and divorce attorneys everywhere.

We’re already voluntarily giving up a bunch of data.  Devices like Progressive Insurance “snapshot” are touted as ways to share information with the insurer to capture driving patterns and save the customer money – unless of course it doesn’t.

That new data stream must also be secured and protected against both improper and unauthorized uses.  Apps like Waze, which crowd source traffic reporting can be used to identify driving patterns and location.

So in the future, we can expect to “See the USA in our Chevrolet.”  We can also expect the USA to see us.  For good or for evil.

Leave a Reply