Episode 73
It's Time To Bust the Ghosts in Our Cars with Eric Monterastelli Halloween Series Part III
October 31st, 2023
39 mins 18 secs
About this Episode
In the final, crossover episode of our three-part Halloween series, Eric Monterastelli, Public Sector SE at Delinea, Founder, Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast, joins Carolyn Ford and Tracy Bannon to discuss the scary reality of car security. Is your car spying on you? Can a nefarious actor take over your car? Does your car know your deep personal data like your immigration status, race and more? Hint: It can and it does.
Key Topics
- 00:02:05 Technology advances put vehicles at risk.
- 00:06:25 Hijacked Jeep's wireless signal, turning it off.
- 00:07:35 Chrysler systems hacked due to digital admission.
- 00:10:47 New EV platforms streamline technology for efficiency.
- 00:15:13 Disconnect, purge and be careful: data can be accessed.
- 00:18:58 Using TrueCar, author obtained personal information illegally.
- 00:21:54 Pre-OBD2 Mercedes is OBD1.
- 00:25:12 Mozilla uncovers alarming auto data collection.
- 00:28:29 Future vehicles will have integrated alcohol-detection systems.
- 00:32:48 Routers, cars can be hacked, collect data.
- 00:35:42 Read your vehicle's owner's manual for instructions.
- 00:36:55 Speak to rental clerk about removing data.
The Intersection of Cybersecurity, Car Security and the Ghostbusters Mission
Ghostbusters Mission: Car Security & Car Hacking
Eric Monterastelli talks about how cars have evolved to include more computing technology, which opens them up to potential attacks. He gives the example of a Jeep that was hacked to shut off while driving, demonstrating the real dangers.
Tracy Bannon contrasts U.S. car manufacturers that use many third-party components versus Tesla's more integrated system. She argues Tesla's approach may lend itself to more car security. The hosts explore different potential attack vectors into vehicles, like Bluetooth connections.
Mozilla Participants Share Automotive InfoSec Insights
Eric Monterastelli shares findings from a Mozilla report about the wide range of deep personal data that can be collected from cars. Including things like facial expressions, weight, health information and more. The hosts are alarmed by the privacy implications.
Tracy Bannon advocates that car manufacturers need to make cybersecurity a priority alongside traditional safety. She indicates cars are data centers on wheels, collecting information that gets sent back to big cloud data centers. They emphasize the need for vigilance from car owners about what information they allow their vehicles to collect.
Concerns About Data Collection in Modern Vehicles
Modern Car Security: Braking, Speed and Steering Patterns
Eric discusses the extensive data that is now collected by modern vehicles, especially EVs. He notes that information is gathered on things like stopping distances, brake pressure applied, vehicle speed and overall driving habits. This data is no different than the type of driver performance analysis done in race cars. Automakers are collecting real-world usage data from customer vehicles to analyze driving patterns and vehicle responses. Tracy adds that the average new vehicle contains over 100 different computers and millions of lines of code that are all networked together. This networked data covers areas like powertrain functions, safety features and infotainment systems. All of this interconnected data presents opportunities for tracking very detailed driving behaviors.
Privacy Risks in Driving: Collecting Personal Data and Concerns
Eric cites a concerning report that modern vehicles can potentially collect extremely sensitive personal data simply through normal driving. Including information on immigration status, race, facial expressions, weight, health conditions and even genetic data. He explains that optical facial recognition software could be applied to cameras already present in many vehicles. Other data like weight and health metrics can be gathered from sensors in seats or wearable devices synced to the vehicle. The interconnected nature of modern vehicle computers and far-reaching data collection enables mining of very private user information that goes well beyond basic driving statistics. Carolyn reacts with disbelief at the potential extent of personal data gathering described.
Car Security Comparisons Between Traditional Manufacturers and Tesla
Challenges in U.S. Car Manufacturing Component Compatibility
Tracy explained that traditional U.S. car manufacturers have said they use components from hundreds of different distributors and providers. These components were not necessarily created to work together, unlike the approach taken by Tesla. Since traditional manufacturers are buying piece A and knitting it together with piece B, piece C and piece D, there can be integration challenges. The components may not align well since they were not designed under the same umbrella with a holistic approach.
Comparing Tesla's Integrated Approach to Enhance Car Security
Tracy contrasted the traditional manufacturers' approach with Tesla, which has created everything under one umbrella. Tesla told any component providers what the requirements were and how the components needed to align to what Tesla needed. This holistic approach within Tesla results in more seamlessly integrated and likely more secure vehicles compared to cobbling together components from many different organizations.
Tesla's Privacy Concerns: "But Tesla, there's been reports and there's been investigations showing that they can turn on the cameras inside the car and see what you're doing. They've been spying on people. There's been all sorts of allegations that have been thrown out there." — Eric Monterastelli
Combining Car Parts from Various Sources Raises Security Risks
Eric and Tracy discussed how having disparate systems talking over a common bus and language can introduce vulnerabilities. While a proprietary closed system like Tesla's may have risks if it is fully hacked. Assembling many components from different providers can also have downsides. There are more potential holes or vulnerabilities when piecing together parts from various organizations. Compared to having everything designed and built under one umbrella.
Integration of Systems in Modern Cars
Unified Mainframe Powers Modern Electric Vehicles, Replacing Separate Components
Eric discusses how newer electric vehicles like Teslas, Ford Mach-Es, and Porsches have a single mainframe that controls and interacts with all the components of the vehicle. In contrast, older cars had separate systems for the engine/drivetrain and infotainment that did not necessarily communicate with each other. For example, in a 2000s Chrysler, the infotainment system running the radio was separate from the encrypted Bosch system controlling the engine. Integrating all these components into one mainframe makes the new electric vehicles more convenient but also introduces potential vulnerabilities.
Single Computer Control and Car Security Vulnerabilities Explored
Tracy elaborates that the average new car today has over 100 different embedded computers. plus modules networked together and communicating via a CAN bus system. So there is one central computer that can interact with the engine, transmission, safety systems and infotainment features. While this integration is designed for efficiency and effectiveness of the software systems, it also means one access point can potentially control multiple components of the car. This is different from older cars where systems were more isolated from each other. The interconnectedness makes modern vehicles potentially more susceptible to cyber attacks.
The Vulnerabilities of Modern Vehicles: "For me, that's a scary reality. And it actually has shied me away from buying the newest of the new cars even though there are some really exciting things out there because what am I opening myself up to, if I buy a Ford Mach-E or a Tesla Model 3 or something else." — Eric Monterastelli
Vulnerabilities and Risks in Modern Cars
Integrating ML and AI into Cars through Computing Advancements
Eric discussed how cars have evolved significantly in engineering since the early 1900s. He highlighted that around 2000, more powerful computing technology like ML and AI computers were integrated into vehicles to make decisions about engine performance and interact with various systems. This advancement allowed for additional "creature comforts" in cars. But also opened them up to potential attacks and vulnerabilities that older cars did not face.
Future of DUI Prevention: "It's gonna become standard issue like power windows and remote locks and things like that where you're not even gonna be able to drive and operate a vehicle if it senses that you're in any way inebriated or under the influence." — Eric Monterastelli
Modern Vehicles' Complexity Heightens Vulnerabilities and Security Risks
Eric further acknowledged that consolidating disparate systems into one mega computer, while making things more convenient, also introduced vulnerabilities. With everything controlled by one mainframe, the attack surface is larger. He contrasted modern vehicles to cars from the mid-2000s, where engines were still separate from entertainment systems. Now they are fully integrated, which provides more connectivity but less isolation among components.
The Electric Vehicle Boom and Its Impact on Digital Systems
According to Eric, the rise of electric vehicles has led to even more potential issues, as they rely even more heavily on electrical systems and digital connectivity like over-the-air updates. Features that make EVs exciting also make them more susceptible to cyber threats compared to traditional internal combustion cars. The reality that EVs open owners up to unknown risks has made Eric shy away from the newest vehicles.
Differences in Car Security Among Manufacturers
Contrasting Tesla and Porsche Systems: Unified Communication vs. Proprietary Approach
Eric compared Tesla's interconnected systems to Porsche's components from various suppliers like Bosch. He said Tesla has full access to proprietary systems through the air, while Porsche uses a CAN bus for disparate systems to communicate. The closed nature of Tesla's system makes it completely open to them.
Tracy added more context, mentioning Porsche is connected to VW and Audi, who work with Bosch for many electromechanical parts like sensors and multifunction interfaces. She reiterated that these disparate systems in Porsche communicate via a CAN bus system.
Eric acknowledged Tracy's point that both brands use a CAN bus for the back-end electrical system. However, he still sees more risks with Tesla having full access to a closed proprietary system through the air versus Porsche's various supplier components that don't directly communicate beyond the CAN bus.
Risks of Personal Data Storage in Cars
Storing Personal Data in Car Infotainment Beyond Phone Disconnect
Tracy explained that even after disconnecting your phone from a car's infotainment system, personal data like contacts and GPS history can remain cached in the system. She warned that simply pressing "disconnect" does not purge the infotainment system of your data. Eric added that unless you fully wipe the system, your data remains stored even after trading in or selling your car. He gave the example of someone pulling a used head unit from a junkyard car, and upon powering it up having full access to the previous owner's contacts and address history.
Cyber Security Perspective on Data Collection in Cars: "They can collect deep personal data such as sexual activity, immigration status, race, facial expressions, weight, health, and genetic information while you're driving." — Eric Monterastelli
Car Disposal Doesn't Ensure Personal Data Erasure from Head Unit
Tracy shared that her husband takes extensive precautions to prevent others from accessing personal data, such as degaussing old hard drives before disposal. She explained these same precautions should be applied to cars, since simply trading in or scrapping a car does not mean personal data is removed from components like the infotainment system. Eric affirmed this concern, stating that short of an EMP blast, data remains recoverable from the car's memory chips even after the car changes owners. He advised thoroughly wiping car systems before sale to prevent exposing personal information.
About Our Guest
Eric Monterastelli is the Public Sector SE at Delinea, Founder and Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast. He has more than 18 years of experience in information technology, specializing in systems engineering, virtualization and software development. His previous stops include Dynatrace, BAE Systems, Raytheon, the Department of Defense, LogRhythm and Symantec, among others.
Episode Links
- Break/Fix Podcast
- Andy Pilgrim Episode of Break/Fix Podcast
- Mozilla Article on Car Privacy
- Tech Transforms Halloween Series Episode 1
- Tech Transforms Halloween Series Episode 2