Cyber Defense

Automotive Infotainment Systems Collect Sensitive Data

Automotive cybersecurity | e-Discovery | Connected CarModern motor vehicles are becoming "smartphones on wheels." They collect and store a growing volume of information that could surprise the people who drive or occupy the vehicles. The collected information could embarrass individuals, or could leak secrets about the organizations for whom the individuals work.

From a cyber defense perspective, one risk is that your firm's executive will rent a car. Then the car's infotainment system collects confidential information belonging to the firm, such as the executive's contact list. Watch out! Executives need training on this topic.

Following is an exchange I had with a forensic expert, Chris Wells of Scout Computer Forensics.

Benjamin Wright

Benjamin Wright, SANS Senior Instructor


I'm getting involved in the bleeding-edge field of vehicle forensics, and wanted to get you thinking about any legal issues associated with an aspect of this kind of work.

Many cars now have "infotainment" systems built-in ... such a system allows the user to do navigation, play music, monitor key vehicle systems, and communicate via voice and TXT after connecting (via USB or Bluetooth) to a smartphone. Of course, the system stores copies of everything behind the scenes; a vehicle forensic examination entails extracting this info.

It's the "connecting a smartphone" aspect wherein my questions arise. Turns out that infotainment systems love to suck information off of connected phones without necessarily notifying the phone owner. Even if you just plugged your phone into a car's USB port to charge it, the infotainment system will likely download contacts, music playlists, etc.; the moral of this particular story is not to plug your phone into a rental car :). The infotainment systems will also record information that could uniquely identify the connected phone (e.g., make/model, s/n, MAC address, IMEI, cell number) and thus possibly its owner.

Soooo ... car-renters and passengers certainly don't sign consent forms allowing the infotainment system to download all their info. However, if I'm hired to do a vehicle forensic examination (for instance, by the car owner or lawyer of same, either/both of which give me their consent), I may be getting hold of non-consenting people's info. What are the legal ramifications of this as far as I'm concerned? Any conceptual changes needed to my service agreement or consent-to-search form? Anything else come to mind about this type of forensics work?

FWIW, this same basic issue also arises in the phone-charging-via-USB kiosks at airports: power goes in, info flows out. Yikes.

Thanks in advance for your insights.

-Chris Wells


I have four general principles to recommend, although these apply to everything you do in digital forensics e-discovery, not just motor vehicles forensics.

First, be logical.

Be sure that you have a reason for gathering information and looking at information and storing information. If the investigation does not logically justify access to or management of certain data or records, then stay away from them.

Second, be sure to document your investigation.

Good documentation explains what the investigator did and why he did it. Thus, if you inadvertently come across some sensitive information that belongs to someone else, you should have records that shows what you were doing and what happened at that particular situation. The records should support that you were behaving logically and responsibly under the circumstances.

Third, exercise restraint.

It is very tempting to expand the investigation beyond what is necessary and start to fish around out of curiosity. But you are wise to resist that temptation. If you are logical and restrained in your work, you're less likely to do something that will needlessly make someone else unhappy or uncomfortable.

Fourth, use good judgment.

Think about the feelings of other people, possibly innocent parties, when you gather information or store or disclose it to someone else. In a couple of weeks I will give a SANS Institute webcast that you will probably be notified about. In that webcast I will talk about the Absolute Software case, where an investigator came into contact with very sensitive sexual information and the investigator failed exercise the best judgment. As I will be explaining in the webcast, I argue the case teaches all investigators to exercise discretion and anticipate the emotional impact of their actions. In that particular case, as you will learn at the webcast, Absolute Software gave some sexually explicit records about an innocent party to the police, and then the police embarrassed the innocent party. The innocent party sued Absolute Software! Absolute settled because it could not withstand the publicity of a jury trial on the topic.

And, of course, if you encounter child pornography, you are wise to promptly to call law enforcement.

-Ben Wright

Post a Comment


* Indicates a required field.