[5/9/17/ EFF] Imagine if your car could send messages about its speed and movements to other cars on the road around it. That’s the dream of the National Highway Traffic Safety Administration (NHTSA), which thinks of Vehicle-to-Vehicle (V2V) communication technology as the leading solution for reducing accident rates in the United States. But there’s a huge problem: it’s extremely difficult to have cars “talk” to each other in a way that protects the privacy and security of the people inside them, and NHTSA’s proposal doesn’t come close to successfully addressing those issues. EFF filed public comments with both NHTSA and the FTC explaining why it needs to go back to the drawing board—and spend some serious time there—before moving forward with any V2V proposal.
NHTSA’s V2V plan involves installing special devices in cars that will broadcast and receive Basic Safety Messages (BSMs) via short-range wireless communication channels. These messages will include information about a vehicle’s speed, brake status, etc. But one big problem is that by broadcasting unencrypted data about themselves at all times, cars with these devices will be incredibly easy to track. All you would need is a device that could intercept these messages. NHTSA is aware of this huge privacy problem and tried to develop a plan to make it harder to link V2V transmissions with particular vehicles, while still including enough information for the receiver to be able to trust a message’s content. But NHTSA’s plan—which involves giving each car 20 rotating cryptographic certificates per week to be distributed and managed by a complicated public key infrastructure (PKI)—didn’t achieve either objective.
One of the fundamental problems with NHTSA’s plan is that assigning each vehicle a mere 20 identities over the coarse of an entire week will do the opposite of protecting privacy; it will give anyone who wishes to track cars a straightforward way to do so. NHTSA proposes that a car’s certificate change every five minutes, rotating through the complete batch of 20 certificates once every 100 minutes. The car would get a new batch of 20 certificates the next week. As we explained in our comments, while a human being might find it confusing or burdensome to remember 20 different identities for the same vehicle, a computer could easily analyze data collected via a sensor network to identify a vehicle over the course of one day. It would then be able to identify and track the vehicle for the rest of the week via its known certificates. The sensor network would have to complete this same process every week, for every new batch of certificates, but given how simple the process would be, this wouldn’t present a true barrier to a person or organization seeking to track vehicles. And because human mobility patterns are “highly unique,” it would be easy—in the case of a vehicle used in its ordinary way—to recognize and track a vehicle from week to week, even as the vehicle’s list of 20 assigned certificates changed.
NHTSA seems to presume that no one will make long-term, systematic efforts to track vehicles. But this presumption is incredibly naïve. We have learned the hard way that both the government and private companies will go to great lengths to track vehicles—just look at the proliferation of Automated License Plate Readers (ALPR). V2V will make these tracking efforts easier, by making it significantly cheaper to get more reliable information about a vehicle’s whereabouts, more of the time, in more situations, in a clandestine manner, without requiring a line-of-sight to a vehicle’s license plate.
There are other fundamental problems with NHTSA’s plan. First, NHTSA proposes the creation of a new public key infrastructure (PKI) to solve a problem that PKIs simply cannot—and were never intended—to solve, demonstrating a serious misunderstanding of the technology. The sole purpose of a distributed PKI system is to determine who or what produced a validly signed message. A PKI system, for example, cannot establish that the content of the message is “safe” and truthful and therefore the reliable basis for decisions. But NHTSA’s plan suggests that use of a PKI would enable vehicles to assess whether messages it receives are “safe” in this way. This will create widespread—and potentially quite dangerous—confusion about the level of confidence that should be placed in the contents of a validly signed message. NHTSA’s failure to understand the inherent limits of PKIs is deeply troubling.
Second, NHTSA’s envisioned PKI is much larger and more complicated than anything in existence, yet it fails to account for known—and considerable—technical challenges presented by smaller systems. For instance, in the WebPKI—used to distribute and manage HTTPS certificates for websites—it has proven extraordinarily difficult to phase out cryptographic algorithms after they are discovered to be insecure. It took four years, for instance, to phase out (or deprecate) the hash algorithm SHA-1. NHTSA proposes a more complicated PKI, which would issue orders of magnitude more certificates, without even attempting to address the fundamental functional challenges that we already know exist.
Third, NHTSA’s plan for dealing with “bad actors” is to revoke their certificate and push out certificate revocation lists (CRLs) to all vehicles participating in the system. But this just won’t work. Not only will after-the-fact revocation be too late to prevent the first—and potentially catastrophic—attack, but sending out CLRs to every single vehicle participating in the system would take a tremendous amount of data. CRL distribution in the WebPKI has received widespread criticism for being extremely traffic-intensive and inefficient, and the CRLs NHTSA envisions would be orders of magnitude larger than the largest CRLs used in the WebPKI—we’re talking gigabytes of data being distributed to each car in the United States on a regular basis.
What’s more, the plan opens cars up to an entirely new surface of attack while failing to address serious security concerns, putting people at risk of potentially grave harm.
And the plan makes absolutely no sense from a cost-benefit perspective. Because V2V only works when lots of cars have the devices, it will take a great deal of time and money—$33 billion to $75 billion over the course of 15 years—before there is any payoff in terms of increased safety. And by that time, given the exponential rate of technological development in mobile data networks alone, it’s likely the technology will be obsolete. Automobile manufacturers have come out in support of the proposal, arguing that over $1 billion has already been invested in V2V. But that’s not a reason to keep moving ahead with a flawed idea, especially when so much more will need to be spent. As laid out in detail by Brad Templeton, Chairman Emeritus of EFF’s Board and a developer of and commentator on self-driving cars, “[V2V’s] cost is high, and those resources could be much better spent.” For this reason alone, NHTSA needs to move on from its outdated and backwards looking proposal.
We’ve made sure both NHTSA and the FTC heard our concerns loud and clear. Since submitting comments to the FTC, we’ve been invited to participate in a workshop in June dedicated to examining the privacy and security issues posed by connected vehicles. Senior Staff Technologist and former autonomous vehicle researcher Jeremy Gillula will be there to explain why the FTC should put the brakes on NHTSA’s misguided and potentially disastrous plan.
EFF is not alone in our concern over NHTSA’s V2V plan. Many other organizations have filed comments expressing their own concerns with the troubling proposal. We hope NHTSA heeds these warnings—for the good of all of us.