Are Automotive 'Black Boxes' Secure?

The National Highway Traffic Safety Administration (NHTSA) proposed a rule this month ordering automakers to put so-called "black boxes" in all new vehicles by late 2014, but some experts are concerned that the new rule won't protect the security of the data stored inside.

A member of a working group at the Institute of Electrical and Electronics Engineers (IEEE) has cited problems with the new rule because electronic data recorders (EDRs, also known as "black boxes") could reportedly be accessed by anyone who wants to tamper with data after an accident. "We're all for event data recorders," Tom Kowalick, chairman of the IEEE Global Standards for Motor Vehicle EDRs and an author of seven books on EDRs, told Design News. "But we're also for some kind of basic consumer protection."

Kowalick contends that numerous companies already make software-based solutions for downloading and altering data after a crash. "Last time I looked, there were 23 companies making products that allow someone to erase your crash data," Kowalick told us.

Today, data can be easily collected with legitimate data retrieval systems that link up to a vehicle's onboard diagnostics (OBD-II) connector. Devices such as Bosch Diagnostics' Crash Data Retrieval systems make data accessible to professionals -- automakers, insurance investigators, accident reconstruction experts, and law enforcement agencies -- using the right software tools.

But Kowalick worries that the methodology leaves an opening for aftermarket products specifically targeted at tampering with the data. A simple search on YouTube using the terms "erase crash data" reveals numerous software products aimed at erasing or changing EDR data, he said. Some of those YouTube videos show tens of thousands of hits. Those systems, he said, enable others to change such data as wheel speed, engine speed, throttle position, steering wheel angle, airbag deployment, or other parameters after an accident has occurred. "Why would 100,000 people be looking at this?" Kowalick asked us. "Don't you think it's possible that someone is buying this software and using it?"

NHTSA's proposed mandate calls for all light passenger vehicles to install EDRs, beginning Sept. 1, 2014. A press release on the agency's website explains that the installed devices would only monitor such parameters as vehicle speed, brake usage, crash forces, throttle position, seat belt usage, and air bag deployment, among others. It added that the devices, which are now installed in as many as 96 percent of new cars, would not monitor personal identifying information. NHTSA did not respond to calls from Design News regarding data security issues, however.

Kowalick told us that he wants NHTSA to incorporate a set of IEEE standards (IEEE1616 and IEEE1616a) into its EDR description. The standards call for EDRs to use 86 additional data elements that reportedly aren't called out in NHTSA's description.

Kowalick also proposes addition of a mechanical lockout device that would help prevent data tampering. He is founder of a company called AirMika Inc. that makes an automotive cybersecurity lock.

Kowalick emphasized that the IEEE is not against the proposed NHTSA mandate. "There's no going back now -- the toothpaste is out of the tube," he said. "We're just saying that the data should be secure at the time of the crash, so it will still have scientific value."

Related posts: