1 00:00:00,000 --> 00:00:01,667 CHRISTIE DUDLEY: Okay.
2 00:00:01,918 --> 00:00:02,999 Good afternoon.
3 00:00:02,999 --> 00:00:04,542 I like to say, good morning.
4 00:00:04,876 --> 00:00:10,667 Welcome, I'm here to talk about privacy in connected vehicles.
5 00:00:13,250 --> 00:00:16,209 First of all, a little bit about who I am.
6 00:00:16,209 --> 00:00:18,999 I have an electrical engineering degree.
7 00:00:19,167 --> 00:00:22,999 And I decided that work as a network engineer -- I decided that
8 00:00:22,999 --> 00:00:26,709 got boring, so I went to law school because that's where
9 00:00:26,709 --> 00:00:30,292 all the really interesting problems lie.
10 00:00:31,292 --> 00:00:34,334 The standard disclaimer: I'm not a lawyer.
11 00:00:34,334 --> 00:00:36,626 I don't give legal advice yet.
12 00:00:37,250 --> 00:00:41,000 But here is my nonstandard disclaimer.
13 00:00:41,292 --> 00:00:44,999 I was contracted to work on this and I did sign an NDA in relation
14 00:00:44,999 --> 00:00:46,876 to that work.
15 00:00:46,876 --> 00:00:51,959 However, that was only about 20 hours of work total.
16 00:00:51,959 --> 00:00:57,751 So there's not a lot of that to not disclose.
17 00:00:58,167 --> 00:00:59,751 Okay.
18 00:00:59,792 --> 00:01:00,999 This project.
19 00:01:01,626 --> 00:01:04,542 Dedicated short range communications.
20 00:01:04,999 --> 00:01:09,999 A lot of people should know what this is by now, but it's, unfortunately,
21 00:01:09,999 --> 00:01:12,250 still pretty opaque.
22 00:01:12,250 --> 00:01:16,501 The Senate committee Subcommittee on Communications Technology
23 00:01:16,501 --> 00:01:21,459 and the Internet sure is aware of it and they're really excited
24 00:01:21,459 --> 00:01:24,667 about this being the panacea that solves
25 00:01:24,667 --> 00:01:29,709 the wireless spectrum problem that they anticipate.
26 00:01:29,709 --> 00:01:31,584 It's a multichannel protocol.
27 00:01:31,584 --> 00:01:34,709 I'm going to be focusing on one channel, which
28 00:01:34,709 --> 00:01:38,959 is for dedicated safety communications.
29 00:01:40,334 --> 00:01:44,083 The idea is that vehicles communicate to other vehicles and
30 00:01:44,083 --> 00:01:47,999 they also communicate with the infrastructure.
31 00:01:47,999 --> 00:01:51,501 It would be pretty nice if 380 meters out they detected you were
32 00:01:51,501 --> 00:01:56,584 approaching a red light in the middle of the night and so you never ever had
33 00:01:56,584 --> 00:01:58,999 to stop because there was never any
34 00:01:58,999 --> 00:02:00,918 cross traffic.
35 00:02:00,918 --> 00:02:06,709 The idea of infrastructure efficiency is pretty cool.
36 00:02:06,999 --> 00:02:09,959 My question: will it maintain privacy?
37 00:02:11,459 --> 00:02:15,999 I am not convinced that the system as described
38 00:02:15,999 --> 00:02:21,999 will have enough protections for personal privacy.
39 00:02:21,999 --> 00:02:25,584 I think it can, but I think it needs some very serious
40 00:02:25,584 --> 00:02:29,542 people taking a very serious look at.
41 00:02:31,334 --> 00:02:34,292 There have been a few reviews, like my review.
42 00:02:34,292 --> 00:02:39,334 It was a very small project, and not a lot that's really convinced
43 00:02:39,334 --> 00:02:45,083 the auto makers who are charging forward that they need to slow
44 00:02:45,083 --> 00:02:51,501 down and consider the implications that this has on people.
45 00:02:54,083 --> 00:02:58,999 The real reason that this technology is being pushed forward is safety.
46 00:02:58,999 --> 00:03:05,876 And it's really dramatic the kind of safety expectations.
47 00:03:05,876 --> 00:03:10,292 They just finished a large-scale road test and the kind
48 00:03:10,292 --> 00:03:14,792 of improvements they expect to get.
49 00:03:14,792 --> 00:03:19,918 They're expecting an 82% reduction in all automobile accidents.
50 00:03:19,918 --> 00:03:20,918 82%.
51 00:03:20,999 --> 00:03:23,999 That's a really dramatic number.
52 00:03:24,125 --> 00:03:28,334 It's revolutionizing driving.
53 00:03:30,834 --> 00:03:35,667 For example, in 2009 there were 5,000 deaths just
54 00:03:35,667 --> 00:03:39,626 from distracted driving alone.
55 00:03:39,626 --> 00:03:41,459 That doesn't include drunk driving.
56 00:03:41,459 --> 00:03:44,959 It doesn't include inattentive or emotionally distraught driving,
57 00:03:44,959 --> 00:03:48,999 which also causes a large number of accidents.
58 00:03:49,334 --> 00:03:52,709 5,000 deaths in 2009 that were totally preventable,
59 00:03:52,709 --> 00:03:57,999 this system would completely eliminate that type or virtually eliminate that type
60 00:03:57,999 --> 00:03:59,751 of accident.
61 00:04:02,751 --> 00:04:07,792 There are a lot of people who are working
62 00:04:07,792 --> 00:04:11,584 on this safety project.
63 00:04:16,999 --> 00:04:22,459 As I mentioned before, totally nontrivial effect on death.
64 00:04:23,083 --> 00:04:29,334 25% of vehicle deaths each year can be prevented even without the system.
65 00:04:29,542 --> 00:04:34,125 With the system we're going to beyond what we're talking
66 00:04:34,125 --> 00:04:39,167 about blind corners, dense fog, heavy rain, situations
67 00:04:39,167 --> 00:04:45,751 the National Institute the NTSB, National Transportation Safety Board,
68 00:04:45,751 --> 00:04:51,999 the wonderful people that brought us TSA, they have recently called
69 00:04:51,999 --> 00:04:56,459 for a mandate because of two school bus accidents
70 00:04:56,459 --> 00:04:59,083 in the last month.
71 00:04:59,999 --> 00:05:06,292 The buses were one of them the bus driver was at fault.
72 00:05:06,292 --> 00:05:10,334 He was on medication and he wasn't reacting as he should and
73 00:05:10,334 --> 00:05:14,999 he ran a red light and the bus got hit by a truck moving
74 00:05:14,999 --> 00:05:18,083 through the intersection.
75 00:05:18,083 --> 00:05:20,999 And the other instance was the school bus was moving safely
76 00:05:20,999 --> 00:05:23,999 and there was a speeding truck that couldn't slow
77 00:05:23,999 --> 00:05:27,667 down in time to avoid hitting the school bus.
78 00:05:27,667 --> 00:05:30,751 Two school buses, many school children died.
79 00:05:30,876 --> 00:05:35,125 Each of these different scenarios could have been prevented had
80 00:05:35,125 --> 00:05:40,334 the driver been warned that there was an imminent accident.
81 00:05:40,334 --> 00:05:43,626 And with 380 meters communication range, that's the spec
82 00:05:43,626 --> 00:05:46,459 for the communication range.
83 00:05:46,459 --> 00:05:49,792 It has the potential to extend out much further.
84 00:05:49,792 --> 00:05:52,083 So that's a lot of warning.
85 00:05:52,083 --> 00:05:58,999 That's a lot of ability to respond in an accident.
86 00:05:58,999 --> 00:06:02,999 Then the next question that comes up is this going to really happen?
87 00:06:02,999 --> 00:06:05,999 And the answer is yeah.
88 00:06:05,999 --> 00:06:07,626 It's already out there.
89 00:06:07,751 --> 00:06:12,751 Most auto makers have plans most high-end auto makers have plans
90 00:06:12,751 --> 00:06:17,667 to include this in their 2014 model year cars.
91 00:06:18,083 --> 00:06:21,125 The NTSB is talking about making a mandate
92 00:06:21,125 --> 00:06:24,999 for 2015 model year cars, meaning every car
93 00:06:24,999 --> 00:06:29,709 on the road starting in 2015 will have this.
94 00:06:29,834 --> 00:06:32,584 ACDELCO is looking at aftermarket products,
95 00:06:32,584 --> 00:06:36,918 perhaps saving you a little money on your insurance and bring more
96 00:06:36,918 --> 00:06:39,083 money into the fold.
97 00:06:39,834 --> 00:06:41,999 And then, how soon?
98 00:06:42,209 --> 00:06:44,125 2014/2015.
99 00:06:44,125 --> 00:06:45,792 Very soon.
100 00:06:46,250 --> 00:06:49,999 They've already run large-scale tests.
101 00:06:50,209 --> 00:06:55,083 In Ann Arbor, Michigan, they got all the employees of the university
102 00:06:55,083 --> 00:06:59,375 and the hospital to put the aftermarket version in their car
103 00:06:59,375 --> 00:07:03,209 and they ran around for a year, and they measured what
104 00:07:03,209 --> 00:07:07,999 the density implications were, how it dealt with the infrastructure
105 00:07:07,999 --> 00:07:11,584 and how cars dealt with each other.
106 00:07:11,792 --> 00:07:13,375 They learned a lot of lessons.
107 00:07:13,375 --> 00:07:17,209 They came out with a new version and they believe they're ready
108 00:07:17,209 --> 00:07:20,209 to move forward with this.
109 00:07:20,999 --> 00:07:24,999 This sort of technology is already deployed in Europe.
110 00:07:24,999 --> 00:07:29,083 In addition to the safety benefits, you're able to get more efficiency
111 00:07:29,083 --> 00:07:31,999 by allowing cars to move closer together,
112 00:07:31,999 --> 00:07:36,167 because as soon as somebody in front of you steps on the brake,
113 00:07:36,167 --> 00:07:40,125 you know that so you can step on the brake.
114 00:07:40,125 --> 00:07:45,542 If you're particularly alert, so you can get efficiencies, as well
115 00:07:45,542 --> 00:07:48,751 as density efficiencies.
116 00:07:50,999 --> 00:07:52,999 What is this?
117 00:07:54,292 --> 00:07:58,709 The basic safety message is part of the protocol.
118 00:07:59,083 --> 00:08:07,876 It's a digital blob that's sent out once every 10th of a second.
119 00:08:10,959 --> 00:08:13,792 It's a standard blob with predefined.
120 00:08:18,167 --> 00:08:20,999 There's no header information.
121 00:08:20,999 --> 00:08:25,709 It's for the like ASN.1 where you have the key-value pairs.
122 00:08:25,709 --> 00:08:27,167 It's just the data glob.
123 00:08:28,751 --> 00:08:33,584 The idea is that the cars process the messages and warn
124 00:08:33,584 --> 00:08:39,999 the driver so that the driver isn't the driver actually gets to mitigate
125 00:08:39,999 --> 00:08:45,999 the information and interpret it as to what they should do initially,
126 00:08:45,999 --> 00:08:53,959 although the self-driving car people are really excited about this technology.
127 00:08:56,083 --> 00:08:59,999 They assured me that this wasn't an autonomous thing and
128 00:08:59,999 --> 00:09:02,918 they would see that it works a few years
129 00:09:02,918 --> 00:09:06,834 before they started automating the system.
130 00:09:08,999 --> 00:09:12,792 This is what the aftermarket system looks like.
131 00:09:13,667 --> 00:09:16,959 The idea is it comes with its own sensors.
132 00:09:17,999 --> 00:09:24,751 It was told to me that it would be a self-contained system.
133 00:09:24,876 --> 00:09:27,959 There would be no existing.
134 00:09:36,334 --> 00:09:39,834 They were confident they had developed
135 00:09:39,834 --> 00:09:45,876 the sensor systems well enough that they wouldn't have the concerns
136 00:09:45,876 --> 00:09:51,626 about coming between the sensor and the control unit.
137 00:09:51,876 --> 00:09:57,999 I'm not sure that's necessarily true, but they feel that by moving away
138 00:09:57,999 --> 00:10:02,250 from the architect and into this sealed system,
139 00:10:02,250 --> 00:10:08,999 they could avoid a lot of the vulnerabilities that exist now.
140 00:10:09,918 --> 00:10:16,999 So DSRC is not CAN bus.
141 00:10:16,999 --> 00:10:19,999 It's not the same technology at all.
142 00:10:20,000 --> 00:10:24,417 This is a radio that communicates with other vehicles.
143 00:10:24,999 --> 00:10:32,959 It has its own inertial sensors, GPS systems, as well as other systems.
144 00:10:33,292 --> 00:10:38,999 They're very well aware with large cities with tall buildings
145 00:10:38,999 --> 00:10:45,250 as well as in tunnels and canyons, it's sometimes very difficult
146 00:10:45,250 --> 00:10:48,999 to determine GPS location.
147 00:10:48,999 --> 00:10:51,876 So they need to have alternative ways.
148 00:10:52,000 --> 00:10:53,999 They're working through that as well.
149 00:10:54,167 --> 00:10:55,918 It is not OnStar.
150 00:10:56,042 --> 00:11:00,667 I've spoken with a lot of people how is this different from OnStar?
151 00:11:00,667 --> 00:11:02,083 This is a vehicle to vehicle.
152 00:11:02,709 --> 00:11:07,999 All auto manufacturers would be running the same protocol.
153 00:11:08,459 --> 00:11:12,501 And as I mentioned before, they're talking about mandate.
154 00:11:12,999 --> 00:11:16,999 So this isn't a phone home situation.
155 00:11:16,999 --> 00:11:19,999 This is a notify everybody in the vicinity.
156 00:11:21,918 --> 00:11:23,250 Okay.
157 00:11:23,250 --> 00:11:24,792 More technical details.
158 00:11:24,792 --> 00:11:28,501 5.9 gigahertz spectrum.
159 00:11:29,542 --> 00:11:32,999 The GOP owns the spectrum.
160 00:11:39,999 --> 00:11:47,834 Only one of the channels will be used for safety messages.
161 00:11:50,459 --> 00:11:58,626 Theoretically this does not require for the safety information
162 00:11:58,626 --> 00:12:01,626 source address.
163 00:12:02,834 --> 00:12:07,751 The source address was removed from the protocol in 2010
164 00:12:07,751 --> 00:12:11,542 because of the privacy concerns.
165 00:12:11,542 --> 00:12:13,999 Anytime you have a uniquely identified vehicle,
166 00:12:13,999 --> 00:12:17,334 you have a uniquely identified vehicle.
167 00:12:17,375 --> 00:12:20,417 And you have the problem of tracking.
168 00:12:20,709 --> 00:12:23,709 So they removed that from the protocol.
169 00:12:23,709 --> 00:12:27,501 However, if you think about it, how do you route
170 00:12:27,501 --> 00:12:32,125 without a uniquely identifiable address?
171 00:12:32,125 --> 00:12:33,918 How do you validate people?
172 00:12:34,250 --> 00:12:39,999 They came up with the idea of certificates where you have
173 00:12:39,999 --> 00:12:45,709 the fingerprint that's hard-coded into each radio unit, and
174 00:12:45,709 --> 00:12:51,209 the certificates are keyed to that fingerprint.
175 00:12:51,209 --> 00:12:54,959 So if you have a bad actor, the whole package
176 00:12:54,959 --> 00:13:00,999 of certificates are revoked by exposing the fingerprint.
177 00:13:02,751 --> 00:13:07,083 Each area has some real privacy challenges.
178 00:13:07,417 --> 00:13:09,918 The basic safety message.
179 00:13:09,918 --> 00:13:12,959 This is the glob that's sent out much
180 00:13:12,959 --> 00:13:21,459 like the CAN bus message that SAE's come up with a standard for it.
181 00:13:22,334 --> 00:13:25,959 The idea is it has a lot of really interesting stuff.
182 00:13:25,959 --> 00:13:27,417 I don't know if you can see that.
183 00:13:27,417 --> 00:13:28,417 It's very small.
184 00:13:28,709 --> 00:13:33,918 It has location, acceleration, the status of your braking system
185 00:13:33,918 --> 00:13:39,083 and each of these headers break down into individual values,
186 00:13:39,083 --> 00:13:46,250 like for the braking system each individual brake reports its status.
187 00:13:46,584 --> 00:13:52,334 To see if your anti-lock braking is engaged, traction control,
188 00:13:52,334 --> 00:13:55,250 stability control.
189 00:13:55,542 --> 00:14:01,167 There are some other interesting things like message count
190 00:14:01,167 --> 00:14:06,167 but it also includes your speed, your acceleration,
191 00:14:06,167 --> 00:14:10,959 anticipated trajectory and your path.
192 00:14:10,999 --> 00:14:15,999 In order for this to become effective, you need to have density,
193 00:14:15,999 --> 00:14:20,083 because the benefit in a collision avoidance is not
194 00:14:20,083 --> 00:14:25,709 from your unit transmitting anything, it's from the unit that you would
195 00:14:25,709 --> 00:14:29,876 potentially hit transmitting their data.
196 00:14:29,918 --> 00:14:33,584 So you would need the more units, the more vehicles
197 00:14:33,584 --> 00:14:38,751 on the road that have this, the safer the road is.
198 00:14:40,626 --> 00:14:46,292 So the other side of the coin is confidence.
199 00:14:46,417 --> 00:14:49,999 If you don't believe that the messages you're getting
200 00:14:49,999 --> 00:14:53,876 in are accurate, then you'll ignore it.
201 00:14:56,999 --> 00:14:59,542 And this is where hackers come in.
202 00:14:59,999 --> 00:15:12,626 I was thinking about I'll get on to that later.
203 00:15:12,626 --> 00:15:14,417 Here I would like to point out that privacy
204 00:15:14,417 --> 00:15:18,209 is particularly important because if people don't trust it,
205 00:15:18,209 --> 00:15:21,417 then people will disable it and you wind up back
206 00:15:21,417 --> 00:15:23,999 with the first problem.
207 00:15:24,083 --> 00:15:28,999 If I don't feel like it's keeping my information private,
208 00:15:28,999 --> 00:15:34,459 then I will I'm going to be disabling it if I can't go anywhere
209 00:15:34,459 --> 00:15:38,999 without everybody being able to track me.
210 00:15:39,083 --> 00:15:42,083 So in order to attack the validity problem,
211 00:15:42,083 --> 00:15:46,792 they cryptographically signed all the certificates, and
212 00:15:46,792 --> 00:15:51,999 the certificates are issued by a central authority.
213 00:15:52,959 --> 00:15:57,417 I think that should be raising some alarm bells with some of you.
214 00:15:57,709 --> 00:16:00,918 The question is who is that authority?
215 00:16:00,918 --> 00:16:04,459 There have been discussions each auto maker is its own authority.
216 00:16:04,959 --> 00:16:06,959 There's a government authority that
217 00:16:06,959 --> 00:16:08,999 issues certificates?
218 00:16:08,999 --> 00:16:09,999 Really?
219 00:16:09,999 --> 00:16:12,876 There's public private partnerships.
220 00:16:13,250 --> 00:16:15,125 All sorts of things.
221 00:16:15,125 --> 00:16:17,125 And then the revocation.
222 00:16:17,459 --> 00:16:19,999 They plan on using a blacklist system.
223 00:16:20,584 --> 00:16:22,584 The Internet tried that, I think.
224 00:16:26,209 --> 00:16:27,417 (laughter).
225 00:16:27,417 --> 00:16:31,834 The idea is that the system, however, should invalidate itself
226 00:16:31,834 --> 00:16:34,999 if its sensor checks fail.
227 00:16:34,999 --> 00:16:37,959 It shouldn't be transmitting bad information
228 00:16:37,959 --> 00:16:41,501 if its internal checks are not working.
229 00:16:43,709 --> 00:16:47,584 They believe they have a lot of information available
230 00:16:47,584 --> 00:16:50,250 for sensor validations.
231 00:16:50,250 --> 00:16:55,626 If they can't even control their own drones, who knows how that can go.
232 00:16:55,999 --> 00:17:00,459 So certificates, the idea is that they're limited time use so that
233 00:17:00,459 --> 00:17:03,959 you can't be tracked by a unique identifier,
234 00:17:03,959 --> 00:17:08,667 because as soon as you use the certificate for a little while,
235 00:17:08,667 --> 00:17:13,667 then it's as easy to track you by that certificate as it would be
236 00:17:13,667 --> 00:17:16,999 by any other unique identifier.
237 00:17:17,334 --> 00:17:20,375 The idea is that they're refreshed.
238 00:17:20,375 --> 00:17:24,501 You use I had discussions with people who were working
239 00:17:24,501 --> 00:17:26,999 on these radios.
240 00:17:26,999 --> 00:17:30,667 How big should we make our memory to store these certificates?
241 00:17:30,834 --> 00:17:33,501 And they were thinking on the order of three years.
242 00:17:34,584 --> 00:17:43,083 And it occurred to me three years to renew your certificates.
243 00:17:43,083 --> 00:17:45,999 By the way, you have to report the bad accuracy when you renew
244 00:17:45,999 --> 00:17:47,918 your certificates.
245 00:17:47,918 --> 00:17:51,167 So if you're only recording bad actors every three years and then you get
246 00:17:51,167 --> 00:17:53,999 a report back the next three years when you update,
247 00:17:53,999 --> 00:17:58,083 it becomes pretty clear that that's kind of a bad idea.
248 00:17:58,999 --> 00:18:00,667 So privacy.
249 00:18:00,667 --> 00:18:02,459 Here we go.
250 00:18:03,792 --> 00:18:06,999 Starting with MAC layer, at the very bottom.
251 00:18:07,626 --> 00:18:10,584 The idea is that there is a changeable source
252 00:18:10,584 --> 00:18:14,083 or no source addressed in the protocol.
253 00:18:17,250 --> 00:18:20,334 This has been debated in the past.
254 00:18:20,501 --> 00:18:25,751 Whether it does or doesn't have that source, really it will come
255 00:18:25,751 --> 00:18:30,918 down to the implementation, because anybody who has worked
256 00:18:30,918 --> 00:18:35,999 closely with protocols understands that nobody implements
257 00:18:35,999 --> 00:18:38,876 a protocol perfectly.
258 00:18:38,999 --> 00:18:45,459 And so if the leading implementation winds up demanding a source address,
259 00:18:45,459 --> 00:18:50,626 then everybody has to use source addresses.
260 00:18:50,626 --> 00:18:53,083 And this is the first-to-market problem rather than
261 00:18:53,083 --> 00:18:55,999 a market penetration problem, because the first
262 00:18:55,999 --> 00:18:58,667 to market sets the standard.
263 00:18:58,959 --> 00:19:01,999 I'm thinking Hayes compatible modems.
264 00:19:14,209 --> 00:19:18,751 Any traffic to these devices would be unroutable.
265 00:19:19,292 --> 00:19:23,459 This is an interesting thought, considering we're talking
266 00:19:23,459 --> 00:19:27,709 about moving vehicles if you had only an address to, like,
267 00:19:27,709 --> 00:19:30,999 an infrastructure based station.
268 00:19:30,999 --> 00:19:33,999 That would be great, but the infrastructure based station
269 00:19:33,999 --> 00:19:36,250 would move out of range very quickly
270 00:19:36,250 --> 00:19:40,292 and you would need some scheme to track that particular vehicle
271 00:19:40,292 --> 00:19:43,999 and which direction out of range it's gone and could come
272 00:19:43,999 --> 00:19:46,792 up with a pretty good tracking system, even
273 00:19:46,792 --> 00:19:49,999 if you avoided tracking individuals.
274 00:19:53,167 --> 00:20:00,209 So there's no initial privacy concern, but the implementation in how
275 00:20:00,209 --> 00:20:04,834 they use it will create a problem.
276 00:20:04,876 --> 00:20:08,375 So coming back to what I showed you earlier, up there
277 00:20:08,375 --> 00:20:14,250 in the header elements I just kind of grouped some like things.
278 00:20:14,501 --> 00:20:17,167 They have this temporary ID field.
279 00:20:17,459 --> 00:20:22,999 It is a specific field in the basic safety message itself.
280 00:20:22,999 --> 00:20:24,999 Temporary, that sounds pretty good.
281 00:20:24,999 --> 00:20:27,999 It's not a persistent identifier, but depending
282 00:20:27,999 --> 00:20:32,792 on the application implementation, it could be.
283 00:20:32,999 --> 00:20:36,918 Everybody's idea of temporary is somewhat different.
284 00:20:36,999 --> 00:20:40,334 My idea of temporary is no longer than five minutes plus
285 00:20:40,334 --> 00:20:42,334 or minus three.
286 00:20:42,334 --> 00:20:46,999 So I don't think everybody is on the same page.
287 00:20:47,125 --> 00:20:48,999 So certificates.
288 00:20:53,209 --> 00:20:57,334 They try to address the identity validity conflict.
289 00:20:57,834 --> 00:20:59,999 You want to trust somebody, but they don't want you
290 00:20:59,999 --> 00:21:02,167 to know who they are.
291 00:21:02,709 --> 00:21:07,250 And it's something that you deal with all the time struggling
292 00:21:07,250 --> 00:21:12,375 between the authenticated user and the anonymous user.
293 00:21:14,542 --> 00:21:22,125 If we have constantly changing certificates with unsteady shift,
294 00:21:22,125 --> 00:21:25,751 then that could help.
295 00:21:25,999 --> 00:21:29,125 Once again, it depends on the implementation.
296 00:21:29,125 --> 00:21:33,792 But the biggest issue is the issuing authority who can control
297 00:21:33,792 --> 00:21:38,417 it, who knows what vehicle maps to what fingerprint maps
298 00:21:38,417 --> 00:21:43,334 to what certificate and what location they are.
299 00:21:43,334 --> 00:21:47,459 There have been proposals that the units are shipped sealed and
300 00:21:47,459 --> 00:21:51,999 the fingerprint is not known to the auto maker.
301 00:21:51,999 --> 00:21:57,375 So they can't map a VIN, but then there have been proposals
302 00:21:57,375 --> 00:22:04,125 to the IATF that the VIN be used as the fingerprint, which is expose
303 00:22:04,125 --> 00:22:10,584 the VIN, expose the vehicle, the whole vehicle can no longer use
304 00:22:10,584 --> 00:22:13,834 the system ever again if there's
305 00:22:13,834 --> 00:22:20,542 a problem and then you wind up in the aftermarket use vehicle sector
306 00:22:20,542 --> 00:22:25,167 picking up radios just for their VIN.
307 00:22:30,626 --> 00:22:33,999 So the fingerprint, no correspondence.
308 00:22:34,083 --> 00:22:41,417 I think I've covered all this.
309 00:22:41,584 --> 00:22:47,209 So the delivery is the next challenge that I saw.
310 00:22:47,584 --> 00:22:51,667 How to get the certificates to the vehicle
311 00:22:51,667 --> 00:22:57,918 is we don't currently have mechanism to communicate that doesn't
312 00:22:57,918 --> 00:23:05,083 authenticate or uniquely identify both sides of the conversation.
313 00:23:05,751 --> 00:23:12,709 And most include some trackable method like I think cellular
314 00:23:12,709 --> 00:23:20,709 is the leading contender right now for certificate delivery.
315 00:23:22,542 --> 00:23:27,792 Wireless or even using DSRC in-band and that hurts my head
316 00:23:27,792 --> 00:23:33,834 to think that in-band certificate delivery could happen.
317 00:23:37,083 --> 00:23:40,626 There's just so many opportunities that that could entail.
318 00:23:40,999 --> 00:23:46,667 So more worrisome what's going on with this, I mentioned that
319 00:23:46,667 --> 00:23:51,375 the safety was only one channel on many channels
320 00:23:51,375 --> 00:23:54,501 of the DSRC spectrum.
321 00:23:55,125 --> 00:24:00,125 The other channels there's a lot of applications.
322 00:24:00,292 --> 00:24:06,167 They're talking about mesh networking routing,
323 00:24:06,167 --> 00:24:12,334 sharing MP3s with the other cars on the highway
324 00:24:12,334 --> 00:24:16,918 is the big joke about that.
325 00:24:17,083 --> 00:24:21,417 The advertising is one that particularly gets me,
326 00:24:21,417 --> 00:24:26,250 because that's not only a concern for people who bought
327 00:24:26,250 --> 00:24:31,083 a car and don't expect to be pummelled with advertising
328 00:24:31,083 --> 00:24:37,292 all the time, but also we've, I imagine, discussed different ways that
329 00:24:37,292 --> 00:24:42,167 advertising can be used as malware delivery.
330 00:24:42,334 --> 00:24:43,626 (laughter).
331 00:24:46,083 --> 00:24:49,334 What concerns me the most is the last one.
332 00:24:49,334 --> 00:24:51,959 I'm giving a talk tomorrow on data brokers,
333 00:24:51,959 --> 00:24:57,083 but data brokers using this fixed infrastructure, giving it to you
334 00:24:57,083 --> 00:25:02,999 for free so they can select all the data, which neighbors go to which malls
335 00:25:02,999 --> 00:25:06,292 and which neighbors go where.
336 00:25:06,999 --> 00:25:14,209 There is a lot of data in this system that cannot
337 00:25:14,209 --> 00:25:17,334 be overlooked.
338 00:25:23,542 --> 00:25:26,709 Another problem with in is law enforcement.
339 00:25:27,792 --> 00:25:32,125 You're transmitting your speed every tenth of a second, even if you're
340 00:25:32,125 --> 00:25:35,083 the most conscientious driver, occasionally you
341 00:25:35,083 --> 00:25:40,250 will be transmitting a speed that is over the posted speed limit.
342 00:25:40,375 --> 00:25:44,250 There's really published studies on there.
343 00:25:44,250 --> 00:25:45,999 There's no way to get around that.
344 00:25:46,417 --> 00:25:49,876 Downhill, cross winds, suddenly shifting wind directions can
345 00:25:49,876 --> 00:25:52,792 push you over the speed limit.
346 00:25:54,542 --> 00:26:00,083 Can small law enforcement agencies start issuing tickets by mail?
347 00:26:00,083 --> 00:26:01,999 That's not very bright.
348 00:26:04,959 --> 00:26:08,626 It's possible to correlate location and speed and get
349 00:26:08,626 --> 00:26:13,751 a nice license plate reader to go along with the system so that when you
350 00:26:13,751 --> 00:26:18,584 pass through their camera, they can catch you that way.
351 00:26:18,999 --> 00:26:31,083 It's very easy to de-anonymize this and law enforcement has
352 00:26:31,083 --> 00:26:35,999 at their disposal.
353 00:26:38,417 --> 00:26:44,876 So I know if I got a speed ticket in the mail, I would disable the system.
354 00:26:45,334 --> 00:26:50,083 I'm neither the most nor the least conscientious driver,
355 00:26:50,083 --> 00:26:55,501 but I don't want to expose myself to that specific vulnerability
356 00:26:55,501 --> 00:26:57,999 and that expense.
357 00:27:02,667 --> 00:27:04,751 So what can you do?
358 00:27:04,751 --> 00:27:07,083 And this is kind of a call to action to all of you.
359 00:27:07,083 --> 00:27:08,334 You're hackers.
360 00:27:08,334 --> 00:27:11,167 You have an idea about how these things can be broken
361 00:27:11,167 --> 00:27:14,292 probably even more than I do.
362 00:27:15,292 --> 00:27:18,417 The radios are commercially available.
363 00:27:20,167 --> 00:27:25,459 COHDA is the leading manufacturer right now.
364 00:27:25,459 --> 00:27:26,999 Cisco has an interest in them.
365 00:27:27,125 --> 00:27:35,250 They just released a brand new unit that is designated
366 00:27:35,250 --> 00:27:44,999 as a reference design for production so that others can enter
367 00:27:44,999 --> 00:27:48,417 test with that.
368 00:27:52,584 --> 00:27:57,083 DSA is out there, but it's behind paywalls.
369 00:27:57,792 --> 00:28:02,125 I've tried to get a couple of other people to really play with it
370 00:28:02,125 --> 00:28:03,999 and break it.
371 00:28:04,250 --> 00:28:07,375 All the documents are behind paywalls.
372 00:28:10,667 --> 00:28:13,083 And become politically engaged.
373 00:28:13,083 --> 00:28:15,667 The Senate knows what this is.
374 00:28:15,751 --> 00:28:17,959 You guys should know what this is.
375 00:28:19,751 --> 00:28:23,083 Every auto manufacturer knows what this is.
376 00:28:23,709 --> 00:28:29,667 The administrative agencies, they're all totally on board with this.
377 00:28:29,918 --> 00:28:35,292 Hackers need to be jumping in and making a difference here.
378 00:28:37,459 --> 00:28:40,209 More than anything else, that certificate authority needs
379 00:28:40,209 --> 00:28:42,083 to be hashed out.
380 00:28:42,167 --> 00:28:47,792 If we're to maintain any privacy at all, there needs to be a separation
381 00:28:47,792 --> 00:28:53,250 between the government, the auto makers and the users.
382 00:28:53,667 --> 00:28:59,459 All three of these need to have a stake in this decision.
383 00:29:00,876 --> 00:29:05,999 So that pretty much concludes my slide show.
384 00:29:06,083 --> 00:29:08,959 I'd like to acknowledge a few people.
385 00:29:09,083 --> 00:29:13,292 Professor Dorothy Glancy led me down this path, and introduced me
386 00:29:13,292 --> 00:29:16,459 to a lot of people in DC 650.
387 00:29:16,459 --> 00:29:18,125 We kind of hammered this out.
388 00:29:18,667 --> 00:29:21,083 Here is my contact information.
389 00:29:21,083 --> 00:29:21,999 If you have questions, we have a microphone up here,
390 00:29:21,999 --> 00:29:24,083 if you would like to step forward.
391 00:29:31,542 --> 00:29:38,709 (applause) How about the problem of false warnings and what would be
392 00:29:38,709 --> 00:29:43,959 the per vehicle cost of these new systems?
393 00:29:44,083 --> 00:29:46,999 How robust and the cost maintenance?
394 00:29:47,334 --> 00:29:50,999 Does it break every 30 days?
395 00:29:51,083 --> 00:29:56,709 The cost of the system, how robust, and also false warnings.
396 00:29:56,709 --> 00:29:58,083 CHRISTIE DUDLEY: Okay.
397 00:29:58,083 --> 00:30:00,501 False warnings, three questions.
398 00:30:00,501 --> 00:30:03,417 False warnings, the cost of the system, and maintenance.
399 00:30:03,417 --> 00:30:05,542 Those are all three very good questions.
400 00:30:06,209 --> 00:30:08,751 Every auto maker, of course, is going to have a different cost
401 00:30:08,751 --> 00:30:10,375 for their systems.
402 00:30:10,459 --> 00:30:13,334 The idea of this being a sealed system suggests that it's not
403 00:30:13,334 --> 00:30:16,125 going to break down for at least two or three years
404 00:30:16,125 --> 00:30:19,042 until your extended warranty is up.
405 00:30:19,042 --> 00:30:20,042 (applause). 406 00:30:20,042 --> 00:30:26,459 But the idea is it's supposed to be built very robust. 407 00:30:27,042 --> 00:30:33,626 And the third question was false positives. 408 00:30:33,667 --> 00:30:36,042 False positives is a really serious concern. 409 00:30:36,792 --> 00:30:40,584 Much of my report to the auto makers involved 410 00:30:40,584 --> 00:30:47,334 the threat of the false positive and the threat of the false report. 411 00:30:47,667 --> 00:30:52,334 There are a couple of other really obvious basic things. 412 00:30:52,876 --> 00:30:56,542 You can't cause collisions because there's a human involved, 413 00:30:56,542 --> 00:30:59,876 but you can cause traffic slowdowns. 414 00:30:59,918 --> 00:31:00,751 You can get people out of the way 415 00:31:00,751 --> 00:31:03,125 because you don't even have to tell them you're a police car, 416 00:31:03,125 --> 00:31:05,501 you can just tell them you're speeding and you're going 417 00:31:05,501 --> 00:31:08,209 to hit them and they'll get out of the way. 418 00:31:10,792 --> 00:31:13,959 So there's a lot of concern there. 419 00:31:15,834 --> 00:31:19,918 I have a question about the message globs, 420 00:31:19,918 --> 00:31:25,999 so when looking at them you said the source address is optional now 421 00:31:25,999 --> 00:31:30,626 and the ID that's included is temporary. 422 00:31:30,999 --> 00:31:34,876 How susceptible do you think they are to fingerprinting in general? 423 00:31:34,876 --> 00:31:37,542 For example, your browser could be fingerprinted 424 00:31:37,542 --> 00:31:40,999 just by the sequence of fonts that are installed 425 00:31:40,999 --> 00:31:43,375 and things like that. 426 00:31:43,375 --> 00:31:44,626 Can you comment on that? 427 00:31:44,626 --> 00:31:47,083 CHRISTIE DUDLEY: There are a couple of things. 428 00:31:47,083 --> 00:31:50,751 Another issue in the glob of data is the size of the vehicle. 
429 00:31:51,834 --> 00:31:55,959 I'm fairly certain within a certain range you'll be able 430 00:31:55,959 --> 00:31:59,584 to identify manufacturer of vehicles. 431 00:31:59,667 --> 00:32:01,999 Beyond that I'm not sure. 432 00:32:01,999 --> 00:32:04,959 One of the things you bring up another point. 433 00:32:04,959 --> 00:32:09,751 One of the things that I think is very important to consider in privacy, 434 00:32:09,751 --> 00:32:14,083 you can get too far beyond where it's useful. 435 00:32:16,083 --> 00:32:19,918 Facial recognition technology is involved in my eyeballs 436 00:32:19,918 --> 00:32:24,501 and we don't consider that to be an invasion of privacy. 437 00:32:25,709 --> 00:32:28,876 If you don't consider an automatic thing 438 00:32:28,876 --> 00:32:34,584 a significant threat to your process, but as soon as the people get taken 439 00:32:34,584 --> 00:32:38,292 out of the system or the person who is operating 440 00:32:38,292 --> 00:32:43,250 the radio frequency fingerprinting, if you have to follow a car 441 00:32:43,250 --> 00:32:48,999 around to fingerprint or if you have to have careful spectrum analysis, 442 00:32:48,999 --> 00:32:53,626 I imagine you could do it at a mall parking lot or something 443 00:32:53,626 --> 00:32:58,167 like that where you're looking at the vehicle. 444 00:32:58,167 --> 00:33:01,542 But to identify a whole class of vehicles, 445 00:33:01,542 --> 00:33:08,083 you're not really narrowing it down to an individual so much. 446 00:33:08,083 --> 00:33:09,709 So it's a concern. 447 00:33:09,709 --> 00:33:15,999 It's not the biggest concern, I guess, is where I'm going with that. 448 00:33:15,999 --> 00:33:16,999 Thank you. 449 00:33:16,999 --> 00:33:17,999 Hi. 450 00:33:17,999 --> 00:33:20,999 Thank you for bringing this up to this particular community. 451 00:33:20,999 --> 00:33:23,417 You know work for one of the agencies involved. 452 00:33:23,417 --> 00:33:24,709 CHRISTIE DUDLEY: Yes. 
453 00:33:26,417 --> 00:33:28,999 Could you lower the microphone? 454 00:33:29,083 --> 00:33:31,167 Okay. 455 00:33:31,959 --> 00:33:35,167 Some of us have to look at the problems you brought up. 456 00:33:35,167 --> 00:33:38,167 I'm glad you're bringing it to the attention of this group. 457 00:33:38,167 --> 00:33:41,292 If you don't mind, what I'll do is to let the group know about some 458 00:33:41,292 --> 00:33:46,334 of the data sets that we're making available from the Ann Arbor test. 459 00:33:46,334 --> 00:33:49,167 CHRISTIE DUDLEY: You might as well mention your TLA. 460 00:33:49,167 --> 00:33:51,999 That's a web address. 461 00:33:51,999 --> 00:33:53,125 I'll repeat this twice. 462 00:33:53,417 --> 00:33:59,250 It's www.its-rde.net. 463 00:34:01,918 --> 00:34:06,209 www.its-rde.net. 464 00:34:07,083 --> 00:34:14,250 That is the exchange that we have set up for the Ann Arbor test data. 465 00:34:14,292 --> 00:34:18,501 All the basic safety messages that Christie talked about are available 466 00:34:18,501 --> 00:34:22,999 from that and we would like to put up an informal challenge where 467 00:34:22,999 --> 00:34:26,334 government agency and we are in sequester right now 468 00:34:26,334 --> 00:34:30,083 because we can't put any cash behind this, but we would 469 00:34:30,083 --> 00:34:33,167 like to challenge the community to take a look 470 00:34:33,167 --> 00:34:37,667 at that data and use that data set to identify any of the drivers 471 00:34:37,667 --> 00:34:40,959 without using social engineering. 472 00:34:43,125 --> 00:34:45,334 Just from the data set itself. 473 00:34:45,334 --> 00:34:49,876 We think we have it, but we're still in the prototype stage. 474 00:34:49,876 --> 00:34:52,709 We would like as many holes punched into this 475 00:34:52,709 --> 00:34:57,584 as technically possible now so we can fix those. 476 00:34:57,584 --> 00:34:58,999 Thank you again, Christie.
477 00:34:58,999 --> 00:35:02,542 CHRISTIE DUDLEY: And he brings up a very important point. 478 00:35:02,542 --> 00:35:04,417 The more we can hack on this right now, 479 00:35:04,417 --> 00:35:09,083 the better chance we will have of not seeing faulty units get installed 480 00:35:09,083 --> 00:35:12,999 in vehicles, because they're ready to roll. 481 00:35:13,209 --> 00:35:17,209 And we need to stop them if they break things. 482 00:35:17,209 --> 00:35:21,167 Do you know how they plan on switching the fingerprint? 483 00:35:21,167 --> 00:35:24,999 So or switching the certificate? 484 00:35:24,999 --> 00:35:28,751 So I imagine a couple of problems with that. 485 00:35:28,999 --> 00:35:33,209 So if you switch it while you're driving and you have that path history; 486 00:35:33,209 --> 00:35:37,542 that would probably stay the same across different certificates 487 00:35:37,542 --> 00:35:41,334 so that you could correlate them together. 488 00:35:41,334 --> 00:35:44,167 If you only do that for a single run of the car, then you know where 489 00:35:44,167 --> 00:35:47,667 they start and where they end, and so you could probably identify 490 00:35:47,667 --> 00:35:49,334 them that way. 491 00:35:49,334 --> 00:35:51,959 So it seems pretty challenging to do that. 492 00:35:51,959 --> 00:35:53,083 CHRISTIE DUDLEY: Yeah. 493 00:35:53,083 --> 00:35:56,542 My recommendations were based on the average trip length. 494 00:35:56,751 --> 00:36:00,626 And so you want a cert that lasts no longer than half your average 495 00:36:00,626 --> 00:36:02,375 trip length. 496 00:36:02,999 --> 00:36:08,292 And there's a lot of discussion about when you start transmitting. 497 00:36:08,584 --> 00:36:11,501 If you want to do it at the point where 498 00:36:11,501 --> 00:36:17,250 the power door locks engage, so you don't know exactly quite where 499 00:36:17,250 --> 00:36:21,209 they started, but you do get that information 500 00:36:21,209 --> 00:36:24,584 as soon as it's necessary.
501 00:36:24,584 --> 00:36:26,999 So there's a lot of thought that's going 502 00:36:26,999 --> 00:36:29,417 into at what points. 503 00:36:29,417 --> 00:36:32,751 Like my recommendation also was not to have fixed periods, 504 00:36:32,751 --> 00:36:36,918 but rather have a plus or minus and have a little randomness 505 00:36:36,918 --> 00:36:41,417 in there so that they can't set up listening stations to track you 506 00:36:41,417 --> 00:36:44,083 as you leave their store. 507 00:36:45,667 --> 00:36:50,250 My thought is a big box store wants to know if you left and went 508 00:36:50,250 --> 00:36:56,083 to their competitor or where did you go when you left their store. 509 00:36:56,083 --> 00:36:59,584 So where were you before you came? 510 00:36:59,709 --> 00:37:05,167 The idea that having a flexible length and minimum 511 00:37:05,167 --> 00:37:10,876 of half the average trip size or maximum. 512 00:37:10,876 --> 00:37:11,876 Great. 513 00:37:14,375 --> 00:37:15,667 Thanks. 514 00:37:15,667 --> 00:37:16,667 Hi. 515 00:37:16,667 --> 00:37:18,876 This was focused mainly on emerging DSRC. 516 00:37:18,876 --> 00:37:20,209 My question is how much or are you involved in some 517 00:37:20,209 --> 00:37:23,167 of the other things that are emerging, for instance of the Telematics 518 00:37:23,167 --> 00:37:24,999 out of Detroit. 519 00:37:26,375 --> 00:37:29,999 CHRISTIE DUDLEY: I'm not really involved in any 520 00:37:29,999 --> 00:37:33,083 of the other specialty systems. 521 00:37:33,167 --> 00:37:35,709 My specialty is privacy. 522 00:37:36,876 --> 00:37:41,501 I look at a variety of embedded devices.
523 00:37:41,792 --> 00:37:44,626 Automotive privacy is very interesting to me, 524 00:37:44,626 --> 00:37:47,999 because even more than your cellphone, which 525 00:37:47,999 --> 00:37:51,999 is my previous research, even more than your cellphone, 526 00:37:51,999 --> 00:37:57,209 your vehicle tells where you've been, where you're going, and it tells 527 00:37:57,209 --> 00:38:03,542 a lot about you, who you associate with and where you spend your time. 528 00:38:03,999 --> 00:38:07,083 It says a lot about you. 529 00:38:08,459 --> 00:38:10,999 So it's critical that neither the government 530 00:38:10,999 --> 00:38:13,834 nor the advertisers take that information from you 531 00:38:13,834 --> 00:38:15,999 without your consent. 532 00:38:15,999 --> 00:38:19,999 In that case I would point you to Telematics Detroit. 533 00:38:20,083 --> 00:38:21,999 If you Google that, the session abstract 534 00:38:21,999 --> 00:38:24,918 for every session of that conference CHRISTIE 535 00:38:24,918 --> 00:38:28,125 DUDLEY: Oh, I'm aware of the conference. 536 00:38:28,125 --> 00:38:30,375 Split up all the data in the car. 537 00:38:30,751 --> 00:38:31,751 So thank you. 538 00:38:31,751 --> 00:38:33,209 CHRISTIE DUDLEY: Thank you. 539 00:38:34,959 --> 00:38:37,876 I had two questions. 540 00:38:37,876 --> 00:38:40,125 CHRISTIE DUDLEY: Closer to the microphone. 541 00:38:40,417 --> 00:38:41,667 Sorry. 542 00:38:41,959 --> 00:38:43,999 I had two questions. 543 00:38:43,999 --> 00:38:47,999 The first one was what sorts of displays would be would we be 544 00:38:47,999 --> 00:38:53,375 looking at as far as, like, getting the driver information? 545 00:38:53,375 --> 00:38:57,792 And the second question was would there be any drawbacks to, like, 546 00:38:57,792 --> 00:39:02,083 the certificates changing before the trip has ended as far 547 00:39:02,083 --> 00:39:04,125 as its safety? 548 00:39:04,501 --> 00:39:08,125 CHRISTIE DUDLEY: Okay.
549 00:39:08,501 --> 00:39:13,334 First, here is an example of the display they have in mind. 550 00:39:13,459 --> 00:39:16,999 This is one of several different things they've been 551 00:39:16,999 --> 00:39:22,667 toying around with a small display in the center of the dash. 552 00:39:22,918 --> 00:39:27,334 They have talked about lights in various places in the cockpit there 553 00:39:27,334 --> 00:39:31,999 is a lot of human interaction research that's done on what kind 554 00:39:31,999 --> 00:39:37,292 of displays and everybody has a little bit different idea. 555 00:39:37,292 --> 00:39:38,959 What was your second question? 556 00:39:38,959 --> 00:39:42,626 Is there any drawbacks to having the certificates changed 557 00:39:42,626 --> 00:39:45,876 before the trip is completed? 558 00:39:45,876 --> 00:39:49,083 Like you have one car driving and it's one car to the computers 559 00:39:49,083 --> 00:39:53,751 and then, like, instantly it changes to another car. 560 00:39:53,751 --> 00:39:56,334 CHRISTIE DUDLEY: Persistence of vision. 561 00:39:56,417 --> 00:39:57,876 Cars can do it, too. 562 00:39:58,667 --> 00:40:03,417 The cars around you don't get confused when the certificate changes. 563 00:40:03,542 --> 00:40:06,209 In fact, you wouldn't even notice. 564 00:40:06,584 --> 00:40:09,584 One of the concerns about changing certificates is well, 565 00:40:09,584 --> 00:40:13,292 if you were to be followed, then they would be able to track 566 00:40:13,292 --> 00:40:16,834 the certificate changes, but if you should be followed, 567 00:40:16,834 --> 00:40:19,459 then you're being followed. 568 00:40:22,417 --> 00:40:28,999 So the real interest is in just the persistence at the point of change. 569 00:40:28,999 --> 00:40:32,209 That shouldn't be a problem, because what the system does 570 00:40:32,209 --> 00:40:34,999 is it takes the packet and validates it 571 00:40:34,999 --> 00:40:38,584 and then strips the certificate off. 
572 00:40:38,999 --> 00:40:42,999 So all the processing is done once the packet's been validated. 573 00:40:43,000 --> 00:40:46,999 So it really shouldn't change anything at all. 574 00:40:47,999 --> 00:40:49,209 Okay? 575 00:40:50,167 --> 00:40:53,918 Is this system supposed to be operating internationally? 576 00:40:53,918 --> 00:40:55,999 CHRISTIE DUDLEY: Yes. 577 00:40:55,999 --> 00:41:00,542 If yes, then how do you solve the foreign certificate issue? 578 00:41:00,542 --> 00:41:04,417 CHRISTIE DUDLEY: The European bandwidth that is available 579 00:41:04,417 --> 00:41:09,542 is the same as the bandwidth in the United States and they plan 580 00:41:09,542 --> 00:41:14,999 to do the same protocols in Europe as the United States. 581 00:41:15,083 --> 00:41:17,999 The only difference is in Japan where that bandwidth 582 00:41:17,999 --> 00:41:19,918 is not available. 583 00:41:19,999 --> 00:41:22,626 It's been allocated elsewhere. 584 00:41:28,918 --> 00:41:33,626 The law makers that are working on this, I worked with three European, 585 00:41:33,626 --> 00:41:37,918 three American, and three Japanese auto makers. 586 00:41:37,918 --> 00:41:42,918 They were adamant about having the exact same system in the U.S. 587 00:41:42,918 --> 00:41:43,918 and in Europe. 588 00:41:43,999 --> 00:41:47,292 What about certificate authorities? 589 00:41:47,292 --> 00:41:50,667 CHRISTIE DUDLEY: That's a really good question. 590 00:41:50,999 --> 00:41:54,999 And when you start crossing international borders, 591 00:41:54,999 --> 00:42:00,334 the government piece of the three interests changes. 592 00:42:00,876 --> 00:42:06,667 And there will be all sorts of interesting wrangling in that respect. 593 00:42:06,999 --> 00:42:08,459 That's a very good point. 594 00:42:10,959 --> 00:42:15,501 The gentleman from the ITSRDE described this 595 00:42:15,501 --> 00:42:18,709 as a prototype system. 
596 00:42:18,918 --> 00:42:23,417 You described the user interface as very much under development. 597 00:42:23,999 --> 00:42:28,125 You mentioned this is expected to ship on high end automobiles 598 00:42:28,125 --> 00:42:30,918 for the 2014 model year. 599 00:42:31,083 --> 00:42:32,918 Those are on the lot now. 600 00:42:32,999 --> 00:42:37,083 And 2015 cars you were thinking about that maybe being a mandate. 601 00:42:38,250 --> 00:42:41,792 That seems contradictory to me. 602 00:42:41,918 --> 00:42:43,999 Can you explain where we're at in the development cycle 603 00:42:43,999 --> 00:42:47,834 and how close we really are to having these on the road? 604 00:42:47,834 --> 00:42:55,999 CHRISTIE DUDLEY: I don't know the stuff on the lot right now. 605 00:42:56,083 --> 00:42:58,334 I don't follow model years. 606 00:42:58,334 --> 00:43:00,375 As I mentioned, my specialty is privacy. 607 00:43:00,709 --> 00:43:03,667 I do know that they were working when I spoke 608 00:43:03,667 --> 00:43:07,999 with them around this time last year, August, I wasn't able to come 609 00:43:07,999 --> 00:43:12,209 to DEF CON because I was working on this project. 610 00:43:13,459 --> 00:43:16,918 When I was speaking with them that last August, 611 00:43:16,918 --> 00:43:21,083 they were talking about already having radios. 612 00:43:21,083 --> 00:43:23,959 And I actually got to put my hands on some. 613 00:43:24,292 --> 00:43:27,083 And they already had the radios. 614 00:43:27,083 --> 00:43:29,626 They already were trying to get them in the cars. 615 00:43:29,709 --> 00:43:31,999 And so that's the best information I have. 616 00:43:33,626 --> 00:43:38,959 When I say "high end," I mean the BMWs who are doing automatic 617 00:43:38,959 --> 00:43:42,334 parking and the various where they're kind 618 00:43:42,334 --> 00:43:46,999 of going off a little bit on their own that.
619 00:43:47,375 --> 00:43:52,209 The user interfaces, there wouldn't be no uniform interface, 620 00:43:52,209 --> 00:43:57,083 just like there is no uniform car interior. 621 00:43:57,250 --> 00:44:00,167 Every auto maker will have its own interpretation 622 00:44:00,167 --> 00:44:04,918 of the kinds of alarms and the way that they will alarm you. 623 00:44:04,918 --> 00:44:08,999 That seems really scary to me. 624 00:44:08,999 --> 00:44:11,542 I mean, if I'm used to, to use your example, a BMW, 625 00:44:11,542 --> 00:44:15,876 and then I rent a Cadillac and the system is different, I'm not used 626 00:44:15,876 --> 00:44:18,999 to the warning systems, I'm sure lawyers would love 627 00:44:18,999 --> 00:44:21,876 to argue liability over that. 628 00:44:21,876 --> 00:44:24,167 CHRISTIE DUDLEY: Well, the liability of not responding 629 00:44:24,167 --> 00:44:28,167 to a warning system is what you're talking about there. 630 00:44:28,167 --> 00:44:31,999 And that's a really interesting point that I don't think anybody else 631 00:44:31,999 --> 00:44:33,834 has discussed. 632 00:44:33,918 --> 00:44:38,999 Yeah, to argue the liability for not responding, that would be 633 00:44:38,999 --> 00:44:43,667 an interesting argument because the situation you would be 634 00:44:43,667 --> 00:44:49,834 in there would be that somebody was driving erratically and it was the duty 635 00:44:49,834 --> 00:44:55,083 of the person who was not driving erratically to heed the warnings 636 00:44:55,083 --> 00:44:58,125 and get out of their way. 637 00:44:58,125 --> 00:45:01,667 So that's the only situation where the liability would be at issue. 638 00:45:01,667 --> 00:45:02,667 Thank you. 639 00:45:02,667 --> 00:45:03,999 CHRISTIE DUDLEY: Okay. 640 00:45:03,999 --> 00:45:04,999 We're done. 641 00:45:04,999 --> 00:45:05,999 Done. 642 00:45:06,083 --> 00:45:08,209 Thank you all very much. 643 00:45:08,209 --> 00:45:09,209 (applause).