Public Interest Groups Raise Security Concerns About Auto-Safety Deployments
Public Knowledge and the Open Technology Institute at New America filed an emergency FCC petition Tuesday seeking a stay of operation of dedicated short-range communications systems in the 5.9 GHz band. The groups are leading proponents of Wi-Fi sharing the band with DSRC, which is designed to prevent vehicle accidents. The FCC recently released a public notice seeking to refresh the record on the 5.9 GHz band (see 1605260059). The agency didn’t comment.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“The DSRC service lacks rules to protect user privacy or to protect DSRC units from malware or other forms of cybersecurity attacks,” the petition said. “Because General Motors has announced an intent to deploy DSRC units in some model cars this fall, the Commission must immediately prohibit use of DSRC until it adopts service rules protecting the cybersecurity and privacy of DSRC users -- and DSRC operators demonstrate compliance with those rules.”
The cybersecurity and privacy concerns should be looked at separately from opening the bands for shared Wi-Fi use, the groups said. Security vulnerabilities and a need for FCC action “are intrinsic to the existing DSRC service, and magnified by the impending mandate from the National Highway Traffic Safety Administration to require all car manufacturers to include DSRC units in all new cars,” the petition said.
“In March, the FBI and Department of Transportation issued a joint Public Service Announcement warning Americans to be careful against cyberattacks on their cars,” said Harold Feld, PK senior vice president, in a news release. “A hacked car equipped with DSRC will spread the infection to any other car equipped with DSRC like a mosquito spreading Zika.” When the FCC approved the DSRC rules in 2004, it didn’t impose any requirements on cybersecurity or privacy protection, he said: “In light of ... recent reports and warnings, that must change.”
Privacy is achieved "by not including any personally identifiable information in the transmissions, changing certificates frequently, and separating functions" in the security credentials management system, the Alliance of Automobile Manufacturers said in a statement. "DSRC communications are not stored in any location or within the vehicle. Data that is communicated is used for a brief time period by vehicles and infrastructure to provide short term information." Short-term information retained "may include a distance measurement used to determine time to a potential collision with another vehicle," the group said. "The message is synthesized in the vehicle receiving it and a crash avoidance application may, in real time, send a driver a warning. After being sent, the sending vehicle erases that information and sends out new information 1/10th a second later. Similarly, after the information is received and, if needed, acted upon by the receiving vehicle, it too is erased. This information process continues to occur as the vehicle travels from one location to the other."
In a 2014 blog post, cybersecurity firm Symantec raised concerns about vehicle-to-vehicle (V2V) communications systems. “What about security?” the company asked. “Obviously any V2V system will require very robust security to ensure that communications are neither spoofed nor tampered with, since the consequences of any interference could be fatal.”