There are growing calls for the need for a firewall… for your car. The information presented here summarizes the issues and proposes some solutions. This article is intended for consumption by a non-technical audience and is kept brief for the sake of time.
Increasing Levels of Car Connectivity
Vehicles being manufactured have increasing levels of connectivity and computerized capabilities. There are better experts on this than your humble author here. This connectivity increase convenience, but also introduce roughly two new areas of concern: privacy and exploit-ability.
The connectivity is increasingly non-optional (except for those determined to maintain their privacy) and includes different types of connections, detailed under some other articles (e.g. Compass). Connectivity includes Vehicle to Infrastructure (V2I), Vehicle to Vehicle (V2V), Vehicle to Pedestrian (V2P), Vehicle to Network (V2N). The connection to cellular networks is also being used, and then the industry enters the world of End User License Agreements and Privacy of data.
Privacy as Administrative Control or Technical Control
In Cyber Security, there are different types of controls. Controls protect against risks and threats, to roughly summarize this.
Administrative controls, like writing a policy, complement technical and physical controls to create a robust, multi-layered defense against cyber threats. They are essential for guiding the behavior of individuals and the operation of systems within an organization, ensuring that security measures are well-documented, communicated, and enforced.
Technical controls prevent, block, detect and respond to violations of policy. These are hardware and software solutions designed to protect systems and data from unauthorized access or malicious activities. They are automated and enforce security through technology. Enter the Firewall.
Regulations, on the other hand, are laws or standards enforced by government authorities or regulatory bodies that require organizations to implement specific cybersecurity practices and standards. The FTC has some information regarding unlawful collection vehicles. Some headlines from this source below:
- Geolocation data is sensitive and subject to enhanced protections under the FTC Act.
- Surreptitious disclosure of sensitive information can be an unfair practice.
- Using sensitive data for automated decisions can also be unlawful.
This is My House
Some links below from frustrated vehicle owners demonstrate a mentality from some customers that take the perspective “This is my house”. They do not seem to appreciate the privacy intrusions nor consider the options to disable them accessible and straight forward.
Additionally, it can be argued the vehicle manufacturer’s need to fundamentally identify who their customer is. Is it the data companies? Or is it the vehicle purchaser?
What is a Firewall?
Firewalls inspect network packets and decide whether to allow or block them based on criteria like source and destination IP addresses, ports, and protocols. A firewall can be configured with rules that allow or deny communication traffic based on the configuration of one or many rules.
If a firewall blocks traffic, the software, hardware or elements of the system can attempt to transmit information, but they will not succeed. While the connection occurs, it fails to complete or send data to anyone.
Firewalls can be deployed which only deal with network traffic (destination IPs, ports, protocols) or they can deal with allowed or denied applications (programs) on the computer system. Some do both.
A Firewall For A Vehicle
It is reasonable to infer the coming need for a firewall in cars. You’ll recall that Windows operating systems did not have a firewall until the Windows XP deployment. The need was there.
- This firewall should differentiate between essential functions (like transmission and engine actions) versus privacy associated data. It should also differentiate between diagnostic applications/data, privacy related applications/data and entertainment applications/data.
- This firewall should come with the ability to block applications which contain privacy/telemetry collection from accessing connectivity.
- This firewall should include a monitoring and logging component (because this, arguably, is going to become a thing folks). We’re going to need to ship those logs for monitoring. In a SOC.
Privacy. In Your Car.
Do cars record telemetry – activity – and report that data to third parties? Apparently, yes. (source, source)
Is there technology that can record what you say and use that information? It would appear so according to this report.
Have there been instances of vehicle manufactures allegedly crossing the line of allowable/legal/ethical or otherwise acceptable behavior? You be the Judge:
Consumer Reports applauds FTC’s settlement with GM regarding alleged privacy violations
Senators Expose Car Companies’ Terrible Data Privacy Practices
Texas scrutinizes four more car manufacturers on privacy issues (updated)
Judge rules it’s fine for car makers to intercept your text messages
US car manufacturers violate privacy, mass tort claims dismissed
US Federal Judge Upholds Automakers’ Right to Record Texts, Call Logs
Modern cars are surveillance devices on wheels with major privacy risks – new report
Conclusion – Let’s Fuse This Information
In the interests of keeping this article short, here is a brief Conclusion. Car manufacturer’s are enabling connectivity to cars and some are patenting what can be characterized as borderline eavesdropping software. The FTC has expressed concerns about this.
“These cases underscore the significant potential liability associated with the collection, use, and disclosure of sensitive data, such as biometrics and location data. As the FTC has stated, firms do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service, and firms shouldn’t let business model incentives outweigh the need for meaningful privacy safeguards.” -FTC Statement
There is supporting evidence that manufacturers are challenged in adhering to privacy principles (source, source, source) and are creating a target for hacking/unintended exposure of this data.
The car owner is arguably not in control of this data, some are characterizing this as a ‘Privacy Nightmare’ (source, source), the FTC seems uncomfortable with this, and the owners of the car lack simple technical controls to force adherence to their wishes.
Meanwhile, the emerging area of Car Hacking is becoming a thing (source, source). There are costs associated with this from the software manufacturers.
Logo from Car Hacking Village.
All of this, arguably, comes with economic impact due to the opportunity cost of battling settings and software updates versus productive economic activity. Sub optimal.
In the event that a car manufacturer develops a car model which is specifically a ‘privacy’ model, having limited connectivity, there is likely a segment of the population that will seek this out and purchase those models.
Among other solutions, the automotive industry can benefit from a firewall for cars (for non-essential functions) which place the user in control of what is allowed from a choke point. I run one of these on my cell phone and do not allow applications to connect to the internet unless I explicitly allow them, while my cell phone still works fine.
Car Hacking and Vulnerabilities
Vulnerabilities get introduced when software is developed.
“Researchers from IOActive highlighted vulnerabilities in various automotive components, including telematics, OBD2 dongles, 5G modems, MQTT servers, and mobile apps. These vulnerabilities could be exploited to gain full control over fleets of vehicles, trucks, and cranes” (source).
“The cost of patching vulnerabilities can be substantial. For example, a team of 100 developers might spend around $708,000 annually on patching, assuming an average salary of $100,000 per developer and considering the time spent on triage, development, and validation”. (source)
Consider Microsoft’s “Patch Tuesday” and some other high profile incidents where updates caused outages/failures on a broad scale. Those in the automotive industry may want to consider if an update causes an ‘outage’ in a vehicle traveling on the roads. What other considerations are needed?
Who is in Control of The Technical Controls?
When deploying technical controls which block things, the concept of who is in control of those controls is a topic to ponder. For example, the firewall I run on my cell phone isn’t controlled by anyone other than me. This is because the legal and regulatory enforcement occurs after the horse has left the barn, so to speak.
So one solution is a technical control which is in the hands of the vehicle owner. They should be the deciding factor of allowed or not allowed.
In Closing
There is much to unpack here, but suffice to cover the issue, hopefully assist and raise awareness.
There is convenience, which is desirable. Then there are privacy intrusions, which are not desirable from the customer. But that implies that the customer of the vehicle manufacturer is still the vehicle owner.
Do we need the equivalent of the CAN-SPAM act for cars?