Imagine an illegal hacking incident has taken place in a modern connected vehicle. We know something has happened, but we don’t know who did it, exactly what was done, how or why. We need to know these things for two reasons: firstly, to catch the bad guy, and secondly to learn how they did it, so we can (hopefully) fix the mistake in other vehicles.
Enter forensics. Digital forensics is the practice of preserving, gathering and presenting evidence from digital devices for the purposes of criminal or civil investigations. A traditional acquisition involves a suitably qualified person either seizing a computer and performing evidence acquisition in a lab or performing live acquisition on a machine such as a server. Either way, this person also ensures that their digital footprint is both minimal and fully justified, whatever they are doing.
It is interesting to consider how this might be performed on a vehicle. Depending on the make and model, there could be any number of places which could store evidence (including the telematics unit, the gateway module and the infotainment system). Preserving this evidence can be difficult, as there is no extra logging hardware (due to potential extra cost or weight), and data that is stored (such as recent locations) can be volatile. Getting the data off printed circuit boards could be destructive and could therefore compromise the evidence.
Traditional data recording devices such as the event data recorder have limitations in terms of storage capacity and could be wiped by even an innocuous action such as starting the engine. All this data might be changed or wiped depending on whether the vehicle was stationary or hurtling down the motorway, and whether there was any interaction with or connection to an external source (for example, through telematics, GPS navigation or mobile phones).
Car components can sometimes be swapped out with other secondhand parts (thereby leaving no evidence within the vehicle itself). Electronic compromise such as the infamous relay attack (used primarily for theft currently) leaves no clue as to what has happened – except by inference – even if the car is recovered.
Beyond all this, however, is the larger picture – the only real-world evidence that vehicles are being targeted by cybercriminals is car theft – and this is a clue only because the actual vehicle goes missing. Other than alerting events where something might be wrong with the vehicle, there are currently few (if any) detection, logging or forensic measures that would enable us to tell whether communications are being jammed, whether the vehicle’s internal network is full of fake messages, or whether someone is monitoring or stealing data.
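As an added illustration (not code from the original article) of the kind of logging and detection measure described above as missing: a tamper-evident, hash-chained frame log that makes later editing or deletion of evidence detectable, plus a per-ID rate check that flags an internal-network ID being flooded with unexpected messages. The CAN-style arbitration IDs, timings and payloads below are constructed sample data, not from any real vehicle.

```python
"""Hash-chained frame log plus per-ID message-rate anomaly check (added example)."""
import hashlib
import json
from collections import Counter

# Constructed sample frames: (timestamp in seconds, arbitration ID, payload hex).
# 0x0C0 runs at 50 frames/s and 0x1A0 at 10 frames/s; from t=1.00 s an extra
# 200 frames with ID 0x1A0 arrive within 0.2 s, simulating a flood of fake messages.
SAMPLE_FRAMES = [(t / 100, 0x0C0, "00") for t in range(0, 200, 2)] \
    + [(t / 100, 0x1A0, "01") for t in range(0, 100, 10)] \
    + [(1.0 + i / 1000, 0x1A0, "ff") for i in range(200)]

GENESIS = "0" * 64


def _record_body(t, cid, data, prev):
    return json.dumps({"t": t, "id": cid, "data": data, "prev": prev}, sort_keys=True)


def append_frame(chain, frame):
    """Append a frame as a record whose hash covers the previous record's hash."""
    t, cid, data = frame
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(_record_body(t, cid, data, prev).encode()).hexdigest()
    chain.append({"t": t, "id": cid, "data": data, "prev": prev, "hash": digest})
    return chain


def verify_chain(chain):
    """Recompute every hash; an edited, inserted or deleted record breaks the chain."""
    prev = GENESIS
    for rec in chain:
        expected = hashlib.sha256(
            _record_body(rec["t"], rec["id"], rec["data"], rec["prev"]).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


def flooded_ids(frames, baseline_end, window, factor=3.0):
    """Learn each ID's frame rate before baseline_end, then report IDs whose rate in
    any later window of `window` seconds exceeds `factor` times the learned rate.
    An ID never seen in the baseline has rate 0, so any later frame flags it."""
    base = Counter(cid for t, cid, _ in frames if t < baseline_end)
    rate = {cid: n / baseline_end for cid, n in base.items()}
    flagged, start, t_end = set(), baseline_end, max(t for t, _, _ in frames)
    while start < t_end:
        seen = Counter(cid for t, cid, _ in frames if start <= t < start + window)
        flagged.update(cid for cid, n in seen.items() if n / window > factor * rate.get(cid, 0))
        start += window
    return flagged
```

In the sample data only 0x1A0 is reported, and changing or dropping any logged record makes `verify_chain` return False.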
This is a multidimensional problem, as added software and hardware could affect performance, safety and efficiency in a vehicle. But with global cybercrime now worth more than US$1.5tn in revenue, can we afford not to think about it?