MOTOR VEHICLE ‘EDR’ GLOBAL STANDARDIZATION
AND RELATED ISSUES
MOTOR VEHICLE ‘EDR’ GLOBAL STANDARDIZATION
AND RELATED ISSUESThomas M. Kowalick, November 16th 2010Thomas M. Kowalick, November 16th 2010
1616a-2010
1616-2010
Committee for a Study of Electronic Vehicle Controlsand Unintended Acceleration
National Research Council / National Academies Keck Center, 500 Fifth St., NW, Washington, DC
PRESENTATION GOALPRESENTATION GOAL
1) To present timely and important IEEE Motor Vehicle Event Data Recorder (MVEDR) standards
initiatives and 2) to focus attention on related issues
regarding the use/misuse of EDR technologies.
30 MINUTE OUTLINE30 MINUTE OUTLINE
IEEE & MVEDR
IEEEIEEE
The Institute of Electrical and Electronics Engineers (IEEE) is the world’s largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity.
IEEE and its 375,000 + members inspire a global community through IEEE's highly cited publications, conferences, technology standards, and professional and educational activities.
STANDARDS ASSOCIATION
The IEEE Standards Association (IEEE-SA) promotes the engineering process by creating, developing, integrating, sharing, and applying knowledge about electro- and information technologies and sciences.
For over a century, the cornerstone of the IEEE-SA is its established standards development program - a program that offers balance, openness, due process, and consensus. Each year, the IEEE-SA conducts over 200 standards ballots, a process by which proposed standards are voted upon for technical reliability and soundness.
In addition to producing the prominent 802® Standards for Local and Metropolitan Area Network Wireless, IEEE-SA also develops the standards for:
Intelligent highway systems and vehicular technology
Distributed generation renewable energy
Voting Equipment Electronic Data Interchange
Rechargeable Batteries for PCs
Motor Vehicle Event Data Recorder
Public Key Infrastructure
Certificate Issuing and Management
Components Architecture for Encrypted Shared Media
Organic Field Effect Technology
IEEE-SA thrives because of the technical diversity of its 20,000 plus participants, consisting of technology leaders from around the globe, including individuals in corporations, organizations, and government agencies. Through their collective knowledge, members contribute to the integrity and value of IEEE standards.
IEEE MVEDR PROJECT GOALIEEE MVEDR PROJECT GOAL
Create a Voluntary Consensus Based Standard
By Combining Best Efforts of Industry & Government Towards Enhanced
Vehicle & Highway Safety
IEEE MVEDR REFLECTS A WIDE-RANGE:IEEE MVEDR REFLECTS A WIDE-RANGE:
InsuranceLaw EnforcementLegalFleetsMedical InjuryAuto TechniciansAcademiaEMT, EMS, 911ReconstructionistCrash Data ResearchersPublic
Vehicle OEMs Government Aftermarket Suppliers Telematics Wireless Human Factors Research Component Suppliers Connector Industry Survivability Safety Advocates
IEEE MVEDR STANDARDSIEEE MVEDR STANDARDS
IEEE-1616-2010Standard for Motor Vehicle Event Data Recorder (171 pages).
IEEE-1616a-2010 Standard for Motor Vehicle Event Data Recorders (MVEDRs) Amendment 1: Motor Vehicle Event Data Recorder Connector Lockout Apparatus (MVEDRCLA) (19 pages).
AVAILABLE at www.ieee.org
4.2 INTERNATIONAL USE OF EDR DATA4.2 INTERNATIONAL USE OF EDR DATA
Users of MVEDR data include, but are not limited to, the following:1) Global development of treaties on roads and transport2) Reports on international road safety3) Government transport agencies4) International road safety databases5) Country specific road safety issues6) Regional road issues7) International organizations on road safety8) United Nations road safety initiatives9) European Union road safety initiatives10) Organization for Economic Co-operation and Development (OECD)11) International non-governmental organizations12) World Health Organization (WHO) road safety initiatives
8. MVEDR DATA DICTIONARY8. MVEDR DATA DICTIONARY
A data dictionary is a collection of entries specifying the name, source, usage and format of each data element used in a system or set of systems.
The MVEDR data dictionary is a collection of 86 data definitions.
Data definition is a description of the format, structure, and properties of data elements in a data dictionary.
For this standard, data elements are uniquely named as a defined component of data definition—a data “cell” in which items (actual values) can be placed.
4.7 CRASHWORTHINESS4.7 CRASHWORTHINESS
The MVEDR memory shall be capable of meeting the crashworthiness requirements outlined in Table 10.
Judicious placement of the MVEDR within the vehicle may also help to minimize the likelihood of damage as a result of a crash.
CRASHWORTHINESS / SURVIVABILITYCRASHWORTHINESS / SURVIVABILITY
SOURCE: IEEE 1616-2010 page 31
CRASHWORTHINESS / SURVIVABILITY (Cont’d)CRASHWORTHINESS / SURVIVABILITY (Cont’d)
Survivability requirements should be considered when selecting and installing connectors to the nonvolatile memory and other MVEDR components.
Although protection of the MVEDR as a whole is important, the priority for crashworthiness is protection of the nonvolatile memory.
CRASHWORTHINESS / SURVIVABILITY (Cont’d)CRASHWORTHINESS / SURVIVABILITY (Cont’d)
The manufacturer should document, and make available to whomever requests it, the reliability, confidence level, and minimum lifetime information for a particular MVEDR.
The MVEDR processor should continually operate when subjected to the vehicle environment where it is located.
During a crash, at a minimum, the processor should operate long enough to attempt capturing the buffered memory within the nonvolatile memory. After an event, the processor should operate for at least the minimum duration specified by the data elements being recorded.
CRASHWORTHINESS / SURVIVABILITY (Cont’d)CRASHWORTHINESS / SURVIVABILITY (Cont’d)
The manufacturer shall specify what crashworthiness requirements were used for the following conditions: impact shock, penetration, static crush, fire, and fluid immersion.
The requirements may be met by the design of the storage device within the vehicle body envelope (e.g., to take advantage of the crashworthiness and fire- barriers properties of the vehicle body), or by a combination of these approaches.
CRASHWORTHINESS / SURVIVABILITY (Cont’d)CRASHWORTHINESS / SURVIVABILITY (Cont’d)
MVEDRs shall meet the requirements for applicable data elements and format in crash tests specified in FMVSS 208, 214, and 301.
To provide both a check on MVEDR performance and ensure a basic level of survivability, data shall be required to be retrievable by the method specified by the vehicle manufacturer after the crash test.
CRASHWORTHINESS / SURVIVABILITY (Cont’d)CRASHWORTHINESS / SURVIVABILITY (Cont’d)
The MVEDRs of light vehicles are part of the air bag module that is located in the occupant compartment of vehicles, providing protection against crush in all but the most severe cases.
Moreover, because MVEDRs are part of the air bag module, their electronics are designed to operate in a shock environment; however they lack protection from fire and immersion in water and motor vehicle fluids.
1616a: CONNECTOR LOCKOUT APPARATUS1616a: CONNECTOR LOCKOUT APPARATUS
This protocol is applicable to all types and classes of motor vehicles that include MVEDRs. An MVEDRCLA Manual Lockout Device Protocol is a method of operation for a device (the MVEDRCLA) that holds the associated device (the DLC) inoperative to tampering unless a predetermined manual function (key or coded signal) is performed to release the locking feature.
DLC
CLA
ACCESSIBILITYACCESSIBILITY
MVEDRCLA security connectors designed to prevent data tampering, odometer fraud, VIN theft, or reengineering of vehicle networks shall be accessible and controlled by the vehicle owner and shall not prevent emissions testing, vehicle maintenance, or repair of in-vehicle electronic systems, subsystems, computers, sensors, actuators, or control modules, including the air bag control module.
STANDARD S
How are Voluntary Standards used in Regulations? How are Voluntary Standards used in Regulations?
Government agencies use externally developed standards in a wide variety of ways, including the following:
Adoption: An agency may adopt a voluntary standard without change by incorporating the standard in an agency's regulation or by listing (or referencing) the standard by title. For example, the Occupational Safety and Health Administration (OSHA) adopted the National Electrical Code (NEC) by incorporating it into its regulations by reference.
Strong Deference: An agency may grant strong deference to standards developed by a particular organization for a specific purpose. The agency will then use the standards in its regulatory program unless someone demonstrates to the agency why it should not.
HOW AGENCIES USE STANDARDSHOW AGENCIES USE STANDARDS
Basis for Rulemaking: This is the most common use of externally developed standards. The agency reviews a standard, makes appropriate changes, and then publishes the revision in the Federal Register as a proposed regulation. Comments received from the public during the rulemaking proceeding may result in changes to the proposed rule before it is instituted.
Regulatory Guides: An agency may permit adherence to a specific standard I as an acceptable, though not compulsory, way of complying with a regulation.
HOW AGENCIES USE STANDARDSHOW AGENCIES USE STANDARDS
Guidelines: An agency may use standards as guidelines for complying with general requirements. The guidelines are advisory only: even if a firm complies with the applicable standards, the agency may conceivably still find that the general regulation has been violated.
Deference in Lieu of Developing a Mandatory Standard: An agency may decide that it does not need to issue a mandatory regulation because voluntary compliance with either an existing standard or one developed for the purpose will suffice for meeting the needs of the agency.
RELATEDISSUES
SET- IN - STONE ON THE NAS BUILDINGSET- IN - STONE ON THE NAS BUILDING
“THE RIGHT TO SEARCH FOR TRUTH IMPLIES ALSO A DUTY; ONE MUST NOT CONCEAL ANY
PART OF WHAT ONE HAS RECOGNIZED AS TRUTH.”
Albert Einstein 1897-1955
DISCLAIMERDISCLAIMER
‘RELATED ISSUES’ EXPRESSED IN THIS PRESENTATION ARE SOLELY THOSE OF
THOMAS M. KOWALICK
SYMPTOMS OF A PROBLEMSYMPTOMS OF A PROBLEM
“Motor vehicle-related injury and death is the nation’s largest public health problem.”
“Globally, more than one million people die each year.”
National Safety Council (NSC)National Safety Council (NSC)
World Health Organization (WHO)World Health Organization (WHO)
33,808 highway deaths/year16 million crashes/year
Leading cause of death for ages 4 to 34
U.S. MODES OF TRANSPORTATIONU.S. MODES OF TRANSPORTATION
There are five modes of transportation:
AviationRail
MarinePipelineHighway
All modes utilize Event Data Recorders (EDRs)to analyze data. In the Highway mode EDRs are
commonly termed ‘Black Boxes’.
WHAT IS AN EDR?WHAT IS AN EDR?
An event data recorder (EDR) means a device or function in a vehicle that records the vehicle's dynamic, time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event (e.g., delta-V vs. time), intended for retrieval after the crash event.
For the purposes of this definition, the event data do not include audio and video data.
Who?
What?
Where?
When?
Why?
Much of the
information
to be derived
from EDRs
is information
that eyewitnesses
could NOT provide
even if they were
ACCURATE
in all their
observations.
EVOLUTION OF EDR SCOPE & PURPOSEEVOLUTION OF EDR SCOPE & PURPOSE
In the beginning EDR technology was built into a sensing diagnostic module in each vehicle that controls the air bag deployment.
The initial product liability motivation for the generation of a retrievable record was to defend against claims that the air bag system had malfunctioned and caused personal injuries and the safety motivation was to enable improvements to the deployment system.
EVOLUTION OF SCOPE & PURPOSE (Cont’d) EVOLUTION OF SCOPE & PURPOSE (Cont’d)
Once the data was compiled for these purposes, it evolved to re-analyze the data in broader terms to promote a better understanding of vehicle and operator behavior before crashes (CAUSATION)
EDR access has become standard procedure for crash investigations in both criminal and civil areas.
DEVICE OR FUNCTIONDEVICE OR FUNCTION
Is the Event Data Recorder (EDR) a "device" or a "function" and why does this matter? How can it be both?
Well that's simple, rather than describing a specific device or product, "EDR" actually is a catch-all term defining a “means” of collecting data distributed along a vehicle's Controller–area network (CAN or CAN- bus).
CONTROLLED AREA NETWORK (CAN)CONTROLLED AREA NETWORK (CAN)
CAN is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within a vehicle without a host computer. CAN is also a message based protocol, designed specifically for automotive applications.
ELECTRONIC CONTROL UNITS (ECU’s)ELECTRONIC CONTROL UNITS (ECU’s)
A modern automobile may have as many as 70 electronic control units (ECU) for various subsystems.
Typically the biggest processor is the engine control unit, which is also referred to as "ECU" in the context of automobiles; others are used for transmission, airbags, antilock braking, cruise control, audio systems, windows, doors, mirror adjustment, etc.
Some of these form independent subsystems, but communications among others are essential.
CAN SYSTEMCAN SYSTEM
A subsystem may need to control actuators or receive feedback from sensors. The CAN standard was devised to fill this need. The CAN bus may be used in vehicles to connect engine control unit and transmission, or (on a different bus) to connect the door locks, climate control, seat control, etc.
1998-2010
NHTHA REG +
49 CFR 563: Event Data Recorders (EDRs)49 CFR 563: Event Data Recorders (EDRs)
Final Regulatory Evaluation
Final rule
Frequently Asked Questions and Additional Information
NHTSA REG WOEFULLY LACKING NHTSA REG WOEFULLY LACKING
The National Highway Traffic SafetyAdministration (NHTSA) rule 49 CFR 563:Event Data Recorders does not addressthese issues:
the ownership of EDR data;
the authenticity of EDR data;
the security of EDR data at the time of a crash;
the chain of custody of EDR data following a crash;
NHTSA REG WOEFULLY LACKING (Cont’d)NHTSA REG WOEFULLY LACKING (Cont’d)
tampering and manipulation of EDR data;
how EDR data can be used/discovered in civil litigation;
how EDR data may be used in criminal proceedings;
whether EDR data may be obtained by the police without a warrant;
whether EDR data may be developed into a driver-monitoring tool;
and the nature and extent that private parties will have or may contract for access to EDR data.
PENDING NHTSA ACTIONPENDING NHTSA ACTION
www.regulations.gov
Search: NHTSA-2008-0004
Seven Petitions for Reconsideration and Letters of Support
NHTSA ESTIMATE: EDRS IN LIGHT VEHICLESNHTSA ESTIMATE: EDRS IN LIGHT VEHICLES
NHTSA ESTIMATED EDR COSTSNHTSA ESTIMATED EDR COSTS
NHTSA EDR ESTIMATED COSTS (Cont’d)NHTSA EDR ESTIMATED COSTS (Cont’d)
STATESTATUES
STATE EDR STATUES 2004-10STATE EDR STATUES 2004-10
Arkansas Code 27Arkansas Code 27--3737--103103 California Code 9950California Code 9950--99539953 Colorado Statutes 12Colorado Statutes 12--66--44 Connecticut Public Act 07Connecticut Public Act 07--235235 Maine Statutes 29AMaine Statutes 29A--11--1717--33 New Hampshire Statutes 357New Hampshire Statutes 357--GG New York Laws 4A16 416New York Laws 4A16 416--BB Nevada Statutes 484.638Nevada Statutes 484.638 North Dakota Code 51North Dakota Code 51--0707--2828 Oregon House Bill 2568 (644)Oregon House Bill 2568 (644) Texas Statutes 547.615Texas Statutes 547.615 Virginia Code 46.2Virginia Code 46.2--1088.61088.6Washington 46Washington 46--35.01035.010
13 States have EDR legislation and there is case law in 29 states.
NCHRP17-24
NCHRP RESEARCHNCHRP RESEARCH
Objective– Recommend minimum set of
EDR data elements for vehicle and roadside safety analysis
Sponsor– Transportation Research Board– NCHRP 17-24
NCHRP 17-24 Use of EDR TechnologyFor RoadsideCrash Data Analysis
EC VERONICA
II
EUROPEAN COUNCIL VERONICA PROJECTEUROPEAN COUNCIL VERONICA PROJECT
VERONICA IIVehicle Event Recording based on Intelligent Crash Assessment
Passive SafetyDuration from 1/05/2007 until 30/04/2009
http://ec.europa.eu/transport/road_safety/pdf/projects/veronicaii.pdf
VERONICA II is to specify the technical and legal requirements for a possible implementation of Event or Accident Data Recorders in vehicles in Europe. Of major importance is the definition of the trigger sensitivity in order to capture not only hard crash data but also data from collisions with 'soft objects', i.e. vulnerable road users which represent a relevant part of road users and victims in accidents.
J-EDR
JAPANESE-EDR (J-EDR)JAPANESE-EDR (J-EDR)
http://www.mlit.go.jp/kisha/kisha08/09/090328_.html
J-EDRJ-EDR
The Japanese Ministry of Land, Infrastructure, Transport and Tourism (J-MLIT) decided on the technical requirements for the application of EDRs to light vehicles (3500 kg GVWR or less) in March 2008 [J-MLIT website, 2008]. This requirement—so called J-EDR technical requirement—is comparable to the US Part 563. However, J-EDR is adding two data elements which are the pre-crash warning andthe pre-crash brake operating status. EDRs are now being installed in ACMs by several automakers.SOURCE: Study on Pre-Crash and post-Crash Information Recorded in Electronic Control Units (ECUs) Including Event Data Recorders, Hirotoshi Ishikawa, Nobuaki Takubo, Ryo Oga, Kenshiro Kato, Takeshi Ikari, Enhanced Safety of Vehicles (ESV) Conference, Paper Number 09-0375., The 21st International Technical Conference on the Enhanced Safety of Vehicles Conference (ESV) - International Congress Center Stuttgart, Germany, June 15–18, 2009.
ESVEDR
PAPER
ENHANCED SAFETY OF VEHICLES PAPERENHANCED SAFETY OF VEHICLES PAPER
ABSTRACTABSTRACT
http://www-nrd.nhtsa.dot.gov/pdf/esv/esv21/09-0375.pdf
CONCLUSIONSCONCLUSIONSThe conclusions are summarized as follows:The pre-crash velocities recorded by the EDR were highly accurate and reliable when cars proceeded without braking prior to the collision. The accuracy and reliability of the EDR impact velocity could be affected by the braking conditions and the EDR time zero information.
The accuracy and reliability of the maximum delta-V recorded by the EDR decreased under highly complex or severe crash conditions, as compared to the results obtained from the standardized crash tests.
The factors responsible for this result were attributable to the characteristics of the accelerometers used in EDR, the large deformation at the location of the airbag control module, vehicle body rotation in a collision, etc.
CONCLUSIONS (Cont’d)CONCLUSIONS (Cont’d)
When one of the ABS sensors installed in an impacted vehicle was damaged during collision, the ABS-ECU recorded the vehicle speed and the tire rotational velocity of the four wheels at the event of an ABS malfunction.
The engine-ECU could record the vehicle speed information when the engine was damaged during collision. In order to obtain and understand the information of the engine-ECU, crash tests are recommended to be carried out with the engine running.
ACKNOWLEDGEMENTSACKNOWLEDGEMENTS
ESV PAPER ACKNOWLEDGMENTS:
We sincerely thank the Ministry of Land, Infrastructure, Transport and Tourism of Japan for providing the J-NCAP data and Toyota for their support in retrieving the EDR data.
SUA
71
Crash recorders – opening up the boxCrash recorders – opening up the box
Anders KullgrenHead of road traffic safety research at Folksam
-10
0
10
20
30
40
50
60
0 50 100 150
acceleration (g)change of velocity (km/h)
time (ms)
Delta-V 52.1 km/hMean acc 12.6 gPeak acc 31.7 g
http://www.etsc.eu/documents/13_Kullgren.ppt
EXAMPLE OF SUA ITEMEXAMPLE OF SUA ITEM
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.29.1624http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.29.1624
GAONHTSA
GAO REPORTGAO REPORT
A United States Government Accountability Office (GAO) Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate (GAO-09-56) titled HIGHWAY SAFETY: Foresight Issues Challenge DOT’s Efforts to Assess and Respond to New-Technology-Based Trends recommends that DOT (1) develop an approach to guide decision-making on new, fast moving trends that can affect highway safety; (2) evaluate whether new data systems and analytic techniques are needed to provide information on such trends; and (3) employ specific strategies and schedules in communicating with Congress about these and other trends. DOT disagreed with the first of these and did not comment on the other two. GAO continues to recommend all three.
GAO-09-56 at www.gao.gov/new.items.d0956.pdf
GAO REPORT GAO REPORT
The GAO report concludes that “New fast- moving technology-based trends are characterized by uncertainties and the main criteria that DOT’s National Highway Safety Administration (NHTSA) officials use in determining how to respond – quantitative evidence that a sizeable problem exists and knowledge of a promising countermeasure – do not address uncertainty.
GAO-09-56: www.gao.gov/new.items.d0956.pdf
INTELECTUALPROPERTY
INTELLECTUAL PROPERTY EXAMPLEINTELLECTUAL PROPERTY EXAMPLE
RESEARCHPATENTS
TO DETERMINETHE STATE OF
THE ART
DETERMINEWHAT
PUBLIC PATENT
APPLICATIONS APPLY
TO SUDDEN UNINTENED
ACCELERATION
SEEK RESEARCH SUPPORT FROM A
UNIVERSITY PATENT
DEPOSITORY
ANOTHER PATENT EXAMPLEANOTHER PATENT EXAMPLE
PATENTS OFFER SOLUTIONSPATENTS OFFER SOLUTIONS
TAMPER
AUTOMAKERS ADVOCATES
NO EDR CONSUMER PROTECTION
GOVERNMENT
EVIDENCE OF TAMPERINGEVIDENCE OF TAMPERING
http://www.youtube.com/watch?v=q4vr1LIOhuI&NR=1
http://www.youtube.com/watch?v=t7La2kkUdQ0
IN JUST A FEW MINUTES (ONLINE)ONE CAN LOCATE PRODUCTS AND
SERVICES TO ROLL BACK ODOMETERS AND ERASE ECU CRASH DATA!
All light vehicles sold in the United States since 1996 All light vehicles sold in the United States since 1996 are required to have a Onare required to have a On--Board Diagnostics Board Diagnostics connector, for easy access to the car's Controller Area connector, for easy access to the car's Controller Area Network (CAN) bus.Network (CAN) bus.
The Society of Automotive Engineers (SAE) J1962 Diagnostics Connector has been designed the primary physical interface to access EDR data elements in light vehicles for post-crash analysis. Data elements are commonly accessed by connecting an electronic diagnostic tool to this vehicle port.
DIAGNOSTIC LINK CONNECTOR (DLC)DIAGNOSTIC LINK CONNECTOR (DLC)
DIAGNOSTIC LINK CONNECTOR (DLC)DIAGNOSTIC LINK CONNECTOR (DLC)
ANYONE WITH AN eTOOL CAN PLUG-INANYONE WITH AN eTOOL CAN PLUG-IN
ELECTRONIC TOOLSELECTRONIC TOOLS
A variety of electronic tools are manufactured and marketed to re-engineer vehicle networks, reset odometers and tamper or erase vehicle data via this port which is generally unsecure and prone to misuse of the original safety and emissions diagnostic related purpose.
Unauthorized access, whether malicious or inadvertent, must be prevented in order to protect the integrity of connected devices, vehicles, and systems.
ONLINE SITES MARKET& SELL eTOOLSONLINE SITES MARKET& SELL eTOOLS
TIP OF THE ICEBERG!TIP OF THE ICEBERG!
eTOOLSeTOOLS
ONLINE TOOLS TO TAMPER DATAONLINE TOOLS TO TAMPER DATA
Publicly advertised tools that have the ability to clear “locked data” from crash records in Event Data Recorders (typically SRS ECUs):
1. http://www.uuctech.com/Products/VW-AUDI-Airbag-Reset.html2. http://www.tradekey.com/product_view/id/811757.htm3. http://www.codecard.lt/carprog/carprog-airbag-with-all-software-39-s-and-adapters- needed-for-airbag-repair-and-programming/prod_345.html4. http://www.adkautoscan.com/Production/R101.htm5. http://autocheery.en.made-in-china.com/product/reOQqGocbJiB/China-Honda- SRS-OBD2-Airbag-Resetter-for-Honda-with-TMS320-.html6. http://www.mtaplus.cz/navody/vwgroup_airbagreseter.pdf7. http://www.codecard.lt/ford-airbag-reset-tool-please-find-it-as-carprog-software- /prod8. http://www.codecard.lt/carprog/software/carprog-airbag/s5-5-gm-airbag-reset-tool- by-obdii/prod_88.html
TAMPERING MOTIVATIONTAMPERING MOTIVATION
GIVEN SUFFICIENT MOTIVATION, SOMEONE WILL TRY TO TAMPER AN EDR.
As a general rule motivation can bedescribed as a possible gain which isconsidered more desirable by theundertaker than the possible lossassociated with the risks.
#1 – Evasion of Legal Prosecution #2 – Financial Gain#3 – Technical Reputation
LEGAL USAGELEGAL USAGE
EDR DATA, TOGETHER WITH THE EXPERT’S ANALYSIS MAY BE USED IN COURT OR BY OTHER PARTIES TO DETERMINE QUESTIONS OF GUILT AND ANY PENALITIES.
GENERIC THREATSGENERIC THREATS
•CONFIDENTIALITY
•INTEGRITY
•AVAILABILITY
•AUTHENTICITY
TURN-KEY SOLUTION TURN-KEY SOLUTION
SEAL THE DATA!
SAFETY VS. PRIVACYSAFETY VS. PRIVACY
The balance between privacy and public safety will be tested as EDRs become more commonplace.
The price of safer roads is thus the risk that private EDR data may be used by insurance companies, the legal system, or other bodies.
RECOMMENDATION
RECOMMENDATION: AMEND 49 CFR 563RECOMMENDATION: AMEND 49 CFR 563
ADD this section:
§ 563.13 Motor Vehicle Event Data Recorder Connector Lockout Apparatus (MVEDRCLA).Each manufacturer of a motor vehicle equipped with an EDR shall ensure that a motor vehicle event data recorder connector lockout apparatus (MVEDRCLA) as standardized by the Institute of Electrical and Electronics Engineers Standards Association (IEEE 1616a-2010) to protect the security, integrity, and authenticity of the data that are required by this part is attached to the vehicle’s SAE J1962 (ISO/DIS 15031-3) vehicle diagnostic link connector (DLC) at the point of motor vehicle sale, including leased and rented vehicles.
AUTHOR INFORMATIONAUTHOR INFORMATION
Thomas M. Kowalick is widely recognized as a leading researcher on EDR technologies. He is a member of the Author's Guild, and a retired professor in Southern Pines, North Carolina. Kowalick serves as Chair of the Institute of Electrical and Electronics Engineers (IEEE) global project 1616 ® to create the world’s first automotive ‘black box’ standard, contributed to the development of the National Highway Traffic Safety Administration (NHTSA) web site for EDR research, and as a panel member on the National Academies of Sciences project studying EDRs. He is the author of FATAL EXIT: The Automotive Black Box Debate (John Wiley) and six other books specifically covering EDR history, standardization, legislation, regulation, legal issues and consumer protection. Kowalick is also author of the EDR segment in the McGraw Hill 2009 Yearbook of Science & Technology.
REFERENCESREFERENCES• A Review of Jurisprudence Regarding Event Data Recorders: Implications for the Access
and Use of Data for Transport Canada Collision Investigation, Reconstruction, Road Safety Research, and Regulation, prepared for the Road Safety and Motor Vehicle Regulation, Transport Canada. http://www.carsp.ca/downloads/edr_jurisprudence.pdf March 31, 2005
• U.S. Dept. of Transportation, National Highway Traffic Safety Administration, Final Rule, 49 CFR Part 563, Event Data Recorders, http://www.nhtsa.gov/Laws+&+Regulations/Vehicles Aug. 21, 2006.
• Use of Event Data Recorder (EDR) Technology for Highway Crash Data Analysis, Transportation Research Board NCHRP (Project 17-24), Transportation Research Board, http://www.nhtsa.gov/DOT/NHTSA/NRD/Articles/EDR/PDF/Research/EDR_Technology.pdf December 2004.
• Vehicle Data Recorders - FMCSA-PSV-06-001, Federal Motor Carrier Safety Administration, http://www.fmcsa.dot.gov/facts-research/research-technology/report/vehicle-data-recorders- dec05/vehicle-data-recorders-dec05.htm December 2005.
• Institute of Electrical and Electronics Engineers (IEEE) global standards for Motor Vehicle Event Data Recorders (MVEDRS); IEEE 1616-2010 and IEEE 1616a-2010 at http://grouper.ieee.org/groups/1616a/ May, 2010.
• GAO -09-56 Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate: HIGHWAY SAFETY Foresight Issues Challenge DOT’s Efforts to Assess and Respond to New Technology-Based Trends. www.gao.gov/new.items/d0956.pdf October 2008.
REFERENCES (Cont’d)REFERENCES (Cont’d)• Analysis of Event Data Recorder Data for Vehicle Safety Improvement,
USDOT/NHTSA DOT HS 810 935 at www.nhtsa.gov/DOT/NHTSA/NRD/Multimedia/PDFs/EDR/.../810935.pdf
• Vehicle Event Recording based on Intelligent Crash Assessment (VERONICA-II) European Commission / Directorate-General for Energy and Transport, at http://ec.europa.eu/transport/road_safety/pdf/projects/veronicaii.pdf June 2009.
• USDOT/NHTSA Docket No. NHTSA-2004-18029 comments from Public Citizen, Consumer Union, Advocates for Vehicle and Highway Safety and Electronic Privacy Information Center (EPIC), see www.regulations.gov
THANKS FOR YOUR ATTENTIONTHANKS FOR YOUR ATTENTION
CONTACT INFOCONTACT INFO
THOMAS M. KOWALICK305 SOUTH GLENWOOD TRAILSOUTHERN PINESNORTH [email protected]
TAMPERADDENDUM
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
• CONFIDENTIALITY is defined as the“property of data that indicates the extent towhich these data have not been madeavailable or disclosed to unauthorizedindividuals, processes, or other entities”([ISO/IEC 2382-8: 1998], 08.01.09).
• The assumption that EDRs only provide data linked to a specific vehicle, but not a specific driver, ignores the data privacy issues outside the vehicle.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
Although it may seem feasible to avoid privacy issues by restricting the recorded data to a minimal set of sensor and status data and to only record a time span of about one minute around the crash event – it is highly probable that next generation memory module technologies will increase the recording time, therefore making privacy issues unavoidable.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
• Increasing numbers of people will obtain access to EDR data.
• The minimum requirement to access EDR data is physical access to the vehicle’s interior and the SAE J1962 connector.
• Therefore, access to EDR data will always be possible unless a technical countermeasure is utilized.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
• The DRIVER and OWNER will always have physical access to the EDR device (via the SAE J1962 Diagnostic Link Connector (DLC) common on all light vehicles.
• This is a problem if the owner can access data that would indicate a crash in which the vehicle was involved and where a driver other than the owner was involved in the crash.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
• For example, a car rental company or transport fleet could regularly access data to find out about the crashes by drivers.
• Even if the rental company does not sue the driver immediately, the company (or even a group of cooperating rental companies) could use the data to keep a ‘black list’ of drivers involved in crashes.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
• Since the USDOT/NHTSA is seriously considering mandating EDRs in light vehicles it is highly likely that lease, fleet and rental vehicles will have EDRs.
• Therefore, since DRIVERS are supposed to notify the company about any crash, accessing the EDR data would only change the situation for those drivers who had not informed the company about the crash.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
Although this might be an issue in the case of low-priority (unreported to law enforcement) crashes, access to the data by the OWNER in this scenario, especially the COMBINATION OF EDR DATA AND PERSONAL DATA requires the consent of the DRIVER and would need to be explicitly agreed in the rental contract.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
The combination of EDR data with driving records creates data records that require consumer data protection to avoid creating ‘black lists’.
The potential to ‘misuse’ EDR data will greatly increase.
Following a crash, many vehicles are taken to a workshop where access to the EDR data is possible.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
Workshops can sell data to car or insurance companies for statistical purposes, or sell data for marketing purposes.
A rare/extreme motivation for workshops to download EDR data is blackmailing of drivers or owners which is more likely to occur with high-profile crashes.
CONFIDENTIALITY ISSUESCONFIDENTIALITY ISSUES
After a crash, it may be possible that neitherDRIVER or OWNER is capable of controllingphysical access to the vehicle.
Therefore, an opportunity does exist for thirdparties to access EDR data from the vehicle,although they may have no rights to accessthem.
It is technically possible to gather EDRevidence since the port is unprotected.
INTEGRITYINTEGRITY
INTEGRITY is defined as the “property of data whose accuracy and consistency are preserved regardless of changes made” (data integrity, [ISO/IEC 2382-8:1998], 08.01.07). For systems (like the EDR itself), integrity means “the quality of a data processing system fulfilling its operational purpose while both preventing unauthorized users from making modifications to or use of resources and preventing authorized users from making improper modifications to or improper use of resources” (system integrity, [ISO/IEC 2382-8: 1998], 08.01.17).
INTEGRITY ISSUESINTEGRITY ISSUES
The most obvious threat to an EDR is the manipulation of the data.
After a crash, a DRIVER or OWNER of a vehicle may be interested to tamper EDR data in order to avoid prosecution.
Manipulation / Tampering may take several forms, like replacing all data with a forged set of records, changing only selected records, or even changing only selected entries within a record.
INTEGRITY ISSUESINTEGRITY ISSUES
From an IT security point of view, all manipulations / tampering of data is considered as unauthoritized – however, it still happens.
An attacker may delete data from the EDRs event storage creating the impression that the crash did not happen at all.
INTEGRITY ISSUESINTEGRITY ISSUES
An attacker may overwrite incriminating data in a way that suggests that the EDR or its attached sensors did not function correctly, thus making the EDR data useless for prosecution.
An attacker may consistently change EDR records in a way that suggests that the accident did happen, but the driver did not violate any driving regulations.
INTEGRITY ISSUESINTEGRITY ISSUES
For example, an attacker can change the vehicle speed prior to a crash to a lower value, indicating that the vehicle was being driven within the permitted speed limit.
NOTE. Such manipulations are the most complex ones, because not only the speed needs to be changed, but also the acceleration/deceleration values, time values, and other data need to be changed consistently.
INTEGRITY ISSUESINTEGRITY ISSUES
Forging / Tampering / Manipulation is most likely following a crash, unless an attacker has exact knowledge of a pending crash and seeks to influence the post-crash analysis of that crash data.
Therefore, most manipulation of data will occur following a crash before it has been downloaded (and secured as evidence) by an authorized party.
INTEGRITY ISSUESINTEGRITY ISSUES
Once the EDR data has been secured as evidence by time stamping and digitally signing the downloaded records, manipulation will be useless, since any record presented in court would have to compete with credibility with the original record already downloaded and introduced into the legal process by the appointed trustworthy expert.
INTEGRITY ISSUESINTEGRITY ISSUES
Therefore, we can assume that manipulation of EDR data is only a threat during the ‘window of opportunity’ between the crash itself and the point in time where the EDR is secured as evidence.
In Hit & Run cases the ‘window of opportunity’ is larger.
There is also a threat of manipulating data prior to selling the vehicle.
INTEGRITY ISSUESINTEGRITY ISSUES
With a USDOT/NHTSA EDR mandate a large base of installed EDRS (80+ million) will trigger development of sophisticated manipulation tools, especially if such a manipulation can be programmed in software.
Electronic tools exist to manipulate EDRs and to alter digital odometers.
AVAILABILITYAVAILABILITY
AVAILABILITY is defined as the “property of data or of resources being accessible and usable on demand by an authorizedentity”([ISO/IEC 2382-8:1998], 08.01.17).
AVAILABILITY ISSUESAVAILABILITY ISSUES
Threats to EDR data are similar to theINTEGRITY threats because they havesimilar affects, although they can havedifferent causes.
The EDR or some of its sensors could malfunction, be severely damaged in the crash or the power supply to the EDR could be cut.
AUTHENTICITYAUTHENTICITY
AUTHENTICITY deals with the origin and genuineness of data. In EDR issues AUTHENTICITY has its own set of threats relative to EDR security architecture.
EDR data is used as evidence in disputes, and therefore its authenticity must be guaranteed to a degree acceptable by courts.
AUTHENTICITY ISSUESAUTHENTICITY ISSUES
EDRs raise critical issues including:
who should have access to the data stored;
under what circumstances access should be granted;
whether EDRs are tamper-proof; and
whether they are resistant to accidental spoliation.
AUTHENTICITY ISSUES AUTHENTICITY ISSUES
Access to EDR data is possible by anyone having physical access to the vehicle interior and plugging an electronic tool into the SAE J1962 connector.
The Court, or any higher authority must be convinced that the data presented to it can be linked unambiguously to an event and a certain vehicle.
AUTHENTICITY ISSUES AUTHENTICITY ISSUES
AUTHENTICITY needs to be protected during the data transition from the EDR to the court.
The current design of EDR architecture and data model provides a link between the EDR and the vehicle.
However, the EDR itself would not provide a digital signature of any kind to prove that the data originates from the EDR.
AUTHENTICITY ISSUESAUTHENTICITY ISSUES
As the records are not signed by the EDR, everybody in the chain could modify it.
Such modifications would be hard to spot if the original record is not integrity- protected.
EDR data needs to be sealed at the time of the crash.
AUTHENTICITY ISSUESAUTHENTICITY ISSUES
If not sealed at crash time, it is crucial to keep the time window between crash and download of the EDR data as small as possible.
Signing the records by the EDR itself cannot be implemented without a significant overhead for a security infrastructure.
AUTHENTICITY ISSUES AUTHENTICITY ISSUES
However, sealing the EDR data at the time of crash via a CLA is both technically feasible and economically sound.
SIMPLE: Amend 49 CFR 563 “NOW”!
Reliable proof of AUTHENTICITY of EDR data is achieved via an IEEE 1616a CLA.
NCHRPADDENDUM
NCHRP RESEARCHNCHRP RESEARCH
Objective– Recommend minimum set of
EDR data elements for vehicle and roadside safety analysis
Sponsor– Transportation Research Board– NCHRP 17-24
NCHRP 17-24 Use of EDR TechnologyFor RoadsideCrash Data Analysis
NCHRP 17-24 LEGAL QUESTIONSNCHRP 17-24 LEGAL QUESTIONS
Does the Federal government have the regulatory authority to mandate the use and collection of EDR data?
May the Federal government require manufacturers to install EDRs?
What authority permits NHTSA and the various State DOT’s to include information in their own State databases?
NCHRP 17-24 LEGAL QUESTIONS (Cont’d)NCHRP 17-24 LEGAL QUESTIONS (Cont’d)
What limitations do private parties face when attempting to use the information contained in EDRs?
May private parties obtain the data contained in EDRs without the consent of the vehicle owner as part of the discovery in preparation for trial?
May private parties, such as insurance adjusters, private attorneys, and researchers, obtain the data contained in the EDR at the scene of the crash or through pre-trial discovery without the consent of the vehicle owner?
NCHRP 17-24 LEGAL QUESTIONS (Cont’d)NCHRP 17-24 LEGAL QUESTIONS (Cont’d)
May private parties obtain and use EDR data when unrelated to trial discovery?
Does the search of an automobile to obtain information contained in an EDR raise a Fourth Amendment question?
May police officers seize EDR data during post-crash investigations without a warrant?
NCHRP 17-24 PRIVACY QUESTIONSNCHRP 17-24 PRIVACY QUESTIONSDo car owners have reasonable
expectation of privacy in EDR devices as a component of the automobile?
Does a car owner have a reasonable expectation of privacy in the telemetry data provided by EDR devices?
May police officers obtain the data without the owner’s consent after obtaining a warrant for both criminal and non- criminal investigations?
NCHRP 17-24 RIVACY QUESTIONS (Cont’d)NCHRP 17-24 RIVACY QUESTIONS (Cont’d)
What other privacy and legal issues are important in considering the use of EDR data?
What are the implications of the Fifth Amendment and EDRs?
What are the Federal Rules of Evidence and the use of EDR at trial?
NCHRP 17-24 FINDINGSNCHRP 17-24 FINDINGS
• USDOT/NHTSA may require the installation of devices that demonstrably improve highway safety or advance some other significant policy interest.
• There is public policy interest in installing EDRs.
PUBLIC QUESTIONSPUBLIC QUESTIONS
• How do professionals analyze EDR data - - what special equipment do they use?
• How do EDRs function during pre-crash, crash and post-crash mode?
• Under what circumstances can third parties, such as law enforcement or insurance companies, download data from the EDR?
• How do third parties, such as insurance companies, collect and manage electronically recorded event data?
NCHRP 17-24 FINDINGS (Cont’d)NCHRP 17-24 FINDINGS (Cont’d)
With respect to Fourth Amendment concerns, the police (or other government accident investigators) may properly seize such devices (or otherwise collect the data therefrom) without a warrant during post-accident investigations.
NCHRP 17-24 FINDINGS (Cont’d)NCHRP 17-24 FINDINGS (Cont’d)
• Authority is premised on two legal issues:
– Seizure of a required safety device does not constitute a search implicating the Fourth Amendment.
– Seizure of a safety device qualifies under the exemptions for conducting a warrantless search.
NCHRP 17-24 FINDINGS (Cont’d)NCHRP 17-24 FINDINGS (Cont’d)
• Law Enforcement authority to conduct warrantless searches may be affected by how soon after the crash the search occurs.
– The more immediate the search occurs following the crash, the greater the officer’s authority to conduct a warrantless search.
NCHRP 17-24 FINDINGS (Cont’d)NCHRP 17-24 FINDINGS (Cont’d)
• Absent a crash, law enforcement may not seize such data without a warrant or express legislative action.
• Although the data and the recorder itself may be “owned” by the vehicle owner or lessee, that data may be used as evidence against the owner (or other driver) in either a civil or a criminal case.
NCHRP 17-24 FINDINGS (Cont’d)NCHRP 17-24 FINDINGS (Cont’d)
• Nothing within the Federal Rules of Evidence (“FRE”) or the Fifth Amendment’s protection against compelled self-incrimination would exclude the use of data recorded by EDRs.
• Owners might be prohibited from tampering with the data if litigation is pending.
MYTHS, MYSTERY, MISSINFORMATIONMYTHS, MYSTERY, MISSINFORMATION
• What is the difference between an EDR and a "black box" common to airplanes?
• Why are automakers installing EDRs in modern vehicles?
• Why do safety advocates believe we need these emerging technologies?
• What do privacy advocates fear about them?
PUBLIC QUESTIONSPUBLIC QUESTIONS
• What are the positive and negative perceptions of EDRs to the public?
• What types of crash data do EDRs record and for what duration?
• Can the EDR record where a vehicle traveled -- or how fast it was going at any given time?
• Under what circumstances will people have access to EDR data?
PUBLIC QUESTIONSPUBLIC QUESTIONS
• Who has access to crash data? • What is the U.S. government proposal for
EDRs? • What's in your vehicle? • What recording capability will be in the
next new vehicle that you drive -- maybe a rental car?
• How is it possible to balance safety and privacy?
