Vehicle-Based Surveillance Workshop

Part of our Privacy and Security Workshop series.

If you’ve ever wondered how to look for GPS tracking devices on a vehicle, or would like to learn more about the type of information which could be gathered from one, this workshop is for you.

This workshop will explore different techniques used by malicious actors to obtain vehicle-related information. This includes:

- Tracking of a vehicle with a GPS device
- Using apps and services such as OnStar to track vehicles
- Discovering publicly-available information related to vehicles

Each of the offensive techniques demonstrated will be accompanied by counter-measures to help attendees better understand the steps they can take to defend themselves against these types of attacks.

Future Ada

July 19, 2020

Transcript

  1. Hello and welcome to our Vehicle-Based Surveillance Workshop by Future Ada. Photo Attribution: https://unsplash.com/photos/fXxhKqRWG_o
  2. Source: https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/monetizing-car-data Report: https://www.mckinsey.com/~/media/McKinsey/Industries/Automotive%20and%20Assembly/Our%20Insights/Monetizing%20car%20data/Monetizing-car-data.pdf McKinsey & Company is a marketing firm which in 2016 analyzed the potential revenue car manufacturers could gain from selling car data. The result of this was a pretty extensive report which went into detail about how auto manufacturers could go about implementing the selling of customer data, and ballparked the significant figure we see here of $750 billion in revenue from this practice. The biggest takeaway from this is that car manufacturers are highly incentivized to collect as much data as possible on their customers and drivers. Let’s take a look at what kind of data your vehicle collects.
  3. An Event Data Recorder is kind of like a black box, as you’ll find in aviation, which collects data about a crash event. These devices are federally regulated under Title 49 of the Code of Federal Regulations, section 563: https://www.law.cornell.edu/cfr/text/49/part-563. They have been mandatory on all vehicles manufactured since 2012, short of a few exceptions. Legally, the data from these devices can’t be accessed by just anyone. Driver Privacy Act (enacted December 2015): https://www.congress.gov/bill/114th-congress/senate-bill/766 What is important to note is that you can consent to the retrieval of this information during a visit to your auto repair shop or dealership for “vehicle diagnosis, service, or repair”. I could not find any information regarding what repair shops and dealerships could do with that information after retrieving it. Image source: https://aronberglaw.com/event-data-recorder-edr-technology-car-
  4. The type of data collected is related to crashes, such as speed, safety belt status, airbag deployment and more, depending on what kind of features you have in your vehicle. Unlike the black boxes you’ll hear about on aircraft, these do not record audio or video. If curious, the full list of data collected: https://www.law.cornell.edu/cfr/text/49/563.7 Image source: https://aronberglaw.com/event-data-recorder-edr-technology-car-records-driving/
  5. According to data from 2016, the average car has 30 to 50 different computers, and high-end cars have as many as 100, and they’re accompanied by 60 to 100 different electronic sensors. These include cameras, radar, GPS, tires, oil, brakes, thermometers, USB ports, Bluetooth, seat weight, and more. As we see a push for autonomous vehicles, and complex safety features such as driver drowsiness and alertness detection, this number is likely to continue rising. Sources: https://www.ceinetwork.com/cei-blog/auto-computers-means-complicated-costly-longer-repairs/#:~:text=The%20average%20car%20has%2030,to%20100%20different%20electronic%20sensors. https://www.consumerreports.org/automotive-technology/who-owns-the-data-your-car-collects/ Photo Attribution: https://unsplash.com/photos/TR3lC79qzw4
  6. When you think of the computers in your car, you may also think about the one you interact with the most: the infotainment system. Typically, drivers will connect their phone to them to make use of hands-free features such as making calls or listening to music. Once a connection has been established, the infotainment system will start to pull data from the phone, such as contacts, call logs, app data if you have certain apps that integrate with the car, music playlists and more. The infotainment system, or another computer, will also be keeping track of location information via GPS. It will record a log of your driving routes, locations, and over time may learn which address is your home, your work, your favorite coffee shop, relatives’ homes, etc. Image attribution: https://unsplash.com/photos/81kSm-UugZY
  7. Source: https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/ With that being said, what are some measures we can take to prevent some of this data collection? Image attribution: https://unsplash.com/photos/GckgQqyHoa4
  8. I present to you the Ron Swanson Threat Model: someone who highly values privacy and prefers to have as little data about themselves relinquished to other parties. This threat model is the one which best fits the privacy measures I’m about to suggest.
  9. For this section, we will be focusing on Open Source Intelligence gathering techniques. For the purposes of this workshop, we will simply define OSINT as ...
  10. Let’s say I have a license plate. Maybe from a neighbor, a used car I want to buy, any US license plate. What kind of information can I gather from it? Photo Attribution: https://unsplash.com/photos/drw6RtOKDiA
  11. Let’s say I have a license plate. Maybe from a neighbor, a used car I want to buy, any US license plate. What kind of information can I gather from it? Caveat: does not seem to work on larger commercial trucks or law enforcement vehicles, based on plates I found on social media.
  12. What about DMV data? Valuable as it would be accurate: likely contains home address and previous residences. Easiest way to find a vehicle based on a name or address, or vice versa. According to an investigation and FOIA requests made by journalists at Motherboard, the DMV has been selling driver information to third parties for years. Access to this data is regulated by the Federal Driver’s Privacy Protection Act (DPPA). A lot of folks think that DMV data can only be accessed by law enforcement, and that is false. If you take a look at the DPPA, there are 14 different permissible uses for this data, which include law enforcement but also research, towing, private investigations and more. DPPA: https://www.govinfo.gov/content/pkg/USCODE-2011-title18/pdf/USCODE-2011-title18-partI-chap123-sec2721.pdf This is in line with Motherboard’s investigation, which found several PIs using this information, but they also found that credit bureaus, repossession agents and bail bond agents also had access to this data. So depending on which state you’re located in, if
  13. regulations are lax for these industries, then theoretically, like in the state of Texas, you can end up with felons having access to this data. Data usually includes name and address, but can also include DOB, phone number and email address. The data which is released to those third parties varies by state. Source: https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars Photo attribution: https://fox8.com/news/what-you-need-to-know-about-the-new-drivers-license-in-ohio/
  14. Persistent opponent or stalker, often a former intimate partner who may be tech-savvy. This threat model is the one which best fits the privacy measures I’m about to suggest ...
  15. Which is because there are no easy measures you can take against this type of information distribution.
  16. Nowadays, every car manufacturer offers their own app. This permits them to collect even more data than the vehicle can. Additionally, it can be synced with your car so that you can access features such as location services, auto lock and auto start directly from your smartphone. Image attribution: https://unsplash.com/photos/y1yQQmozTBw
  17. More information on subscription services: “How do you track your stolen car?” Jill Ciminillo. ABC News Tulsa: https://www.wfla.com/news/pinellas-county/police-say-husband-uses-gps-to-track-wife-in-high-tech-stalking-case/ Image attribution: https://unsplash.com/photos/_SKIDRiIEtk
  18. For your convenience, I’ve listed the apps and subscription names for some popular manufacturers. However, you can easily find the associated app in Google Play store or App Store by simply inputting the manufacturer’s name.
  19. If we are using the Ron Swanson threat model, the following privacy measures can be applied… Ron Swanson threat model: someone who highly values privacy and prefers to have as little data about themselves relinquished to other parties.
  20. More information on subscription services: “How do you track your stolen car?” Jill Ciminillo. ABC News Tulsa: https://ktul.com/news/auto-matters/how-do-you-track-your-stolen-car
  21. However, if you are using the Tammy 2 threat model, things get more complex. Tammy 2 threat model: persistent opponent or stalker, often a former intimate partner who may be tech-savvy.
  22. “In an incident report, police say the victim contacted Onstar and asked them to turn off the tracking feature, but they would not because the account is in her husband’s name.” https://www.wfla.com/news/pinellas-county/police-say-husband-uses-gps-to-track-wife-in-high-tech-stalking-case/
  23. There are different types of GPS vehicle trackers. Some can be plugged directly into a vehicle’s power source, such as the two models up top, which require internal access to the vehicle. The first one plugs into a power source inside the dash of a car. The second one plugs into the Onboard Diagnostics port, typically located under the driver’s side dash. Both are often used for keeping location data for company-owned vehicles; you could install one in your own vehicle if you didn’t want to pay for a subscription such as OnStar but wanted to use location services. Keep in mind this information may also be sold or not properly secured/maintained by the third party hosting that data for you. The third model is your typical external tracker. It’s usually a GPS
  24. device which requires a subscription to activate, and is inserted into a box with a strong magnet. Some folks may also plug the tracking device into a battery to extend its longevity. Usually requires a monthly subscription. The 3 models are based on Brickhouse Security inventory, a vendor which claims to serve a significant number of companies and law enforcement agencies: https://www.brickhousesecurity.com/our-clients/
  25. If you suspect someone may have placed a tracking device on your car but hasn’t had access to the inside of the vehicle, you can follow these steps. Video which covers checking for both external and internal devices: https://www.youtube.com/watch?v=6Cuoyuqzm60 Image attribution: https://unsplash.com/photos/zzKuy0Stx7U
  26. Video which covers checking for both external and internal devices: https://www.youtube.com/watch?v=6Cuoyuqzm60 Image attribution: https://unsplash.com/photos/OZappTWzZHQ
  27. If you would like to take your privacy and security even further, or learn more about security basics, I’ve compiled a list of my favorite resources and some great articles that cover just that.
  28. We would love your questions and feedback! Thank you for attending. If you loved this workshop, we have one every month! If you’d like to support us, consider a donation (even if just $5!) to Future Ada, a Spokane-based 501(c)3.