7/27/2019 IEE 111610 Presentation
MOTOR VEHICLE EDR
GLOBAL STANDARDIZATION
AND RELATED ISSUES
Thomas M. Kowalick, November 16th 2010
1616a-2010
1616-2010
Committee for a Study of Electronic Vehicle Controls
and Unintended Acceleration
National Research Council / National Academies
Keck Center, 500 Fifth St., NW, Washington, DC
PRESENTATION GOAL
1) To present timely and important IEEE Motor Vehicle Event Data Recorder (MVEDR) standards initiatives and 2) to focus attention on related issues regarding the use/misuse of EDR technologies.
30 MINUTE OUTLINE
IEEE & MVEDR
IEEE
The Institute of Electrical and Electronics Engineers (IEEE) is the world's largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity.
IEEE and its 375,000 + members inspire a global
community through IEEE's highly cited publications,
conferences, technology standards, and professional and
educational activities.
STANDARDS ASSOCIATION
The IEEE Standards Association (IEEE-SA) promotes the engineering process by creating, developing, integrating, sharing, and applying knowledge about electro- and information technologies and sciences.
For over a century, the cornerstone of the IEEE-SA has been its established standards development program - a program that offers balance, openness, due process, and consensus. Each year, the IEEE-SA conducts over 200 standards ballots, a process by which proposed standards are voted upon for technical reliability and soundness.
In addition to producing the prominent 802 Standards for Local
and Metropolitan Area Network Wireless, IEEE-SA also develops
the standards for:
Intelligent highway systems and vehicular technology
Distributed generation renewable energy
Voting Equipment Electronic Data Interchange
Rechargeable Batteries for PCs
Motor Vehicle Event Data Recorder
Public Key Infrastructure
Certificate Issuing and Management Components
Architecture for Encrypted Shared Media
Organic Field Effect Technology
IEEE-SA thrives because of the technical diversity of its 20,000 plus participants, consisting of technology leaders from around the globe,
including individuals in corporations, organizations, and government
agencies. Through their collective knowledge, members contribute to the
integrity and value of IEEE standards.
IEEE MVEDR PROJECT GOAL
Create a Voluntary Consensus Based Standard
By Combining Best Efforts of Industry &
Government Towards Enhanced
Vehicle & Highway Safety
IEEE MVEDR REFLECTS A WIDE-RANGE:
Insurance
Law Enforcement
Legal
Fleets
Medical Injury
Auto Technicians
Academia
EMT, EMS, 911
Reconstructionist
Crash Data Researchers
Public
Vehicle OEMs
Government
Aftermarket
Suppliers
Telematics
Wireless
Human Factors Research
Component Suppliers
Connector Industry
Survivability
Safety Advocates
IEEE MVEDR STANDARDS
IEEE-1616-2010
Standard for Motor Vehicle Event Data Recorder
(171 pages).
IEEE-1616a-2010 Standard for Motor Vehicle
Event Data Recorders (MVEDRs) Amendment 1: Motor Vehicle Event Data Recorder Connector
Lockout Apparatus (MVEDRCLA) (19 pages).
AVAILABLE at www.ieee.org
4.2 INTERNATIONAL USE OF EDR DATA
Users of MVEDR data include, but are not limited to, the following:
1) Global development of treaties on roads and transport
2) Reports on international road safety
3) Government transport agencies
4) International road safety databases
5) Country specific road safety issues
6) Regional road issues
7) International organizations on road safety
8) United Nations road safety initiatives
9) European Union road safety initiatives
10) Organization for Economic Co-operation and Development (OECD)
11) International non-governmental organizations
12) World Health Organization (WHO) road safety initiatives
8. MVEDR DATA DICTIONARY
A data dictionary is a collection of entries specifying the name,
source, usage and format of each data element used in a
system or set of systems.
The MVEDR data dictionary is a collection of 86 data definitions.
Data definition is a description of the format, structure, and
properties of data elements in a data dictionary.
For this standard, data elements are uniquely named as a defined component of data definition: a data cell in which items (actual values) can be placed.
4.7 CRASHWORTHINESS
The MVEDR memory shall be capable of meeting the
crashworthiness requirements outlined in Table 10.
Judicious placement of the MVEDR within the vehicle
may also help to minimize the likelihood of damage as
a result of a crash.
CRASHWORTHINESS / SURVIVABILITY
SOURCE: IEEE 1616-2010 page 31
CRASHWORTHINESS / SURVIVABILITY (Cont'd)
Survivability requirements should be considered
when selecting and installing connectors to the
nonvolatile memory and other MVEDR components.
Although protection of the MVEDR as a whole is
important, the priority for crashworthiness is
protection of the nonvolatile memory.
CRASHWORTHINESS / SURVIVABILITY (Cont'd)
The manufacturer should document, and make available to whomever requests it, the reliability,
confidence level, and minimum lifetime information for
a particular MVEDR.
The MVEDR processor should continually operate
when subjected to the vehicle environment where it is
located.
During a crash, at a minimum, the processor should operate long enough to attempt capturing the buffered memory within the nonvolatile memory. After an event, the processor should operate for at least the minimum duration specified by the data elements being recorded.
CRASHWORTHINESS / SURVIVABILITY (Cont'd)
The manufacturer shall specify what crashworthiness
requirements were used for the following conditions:
impact shock, penetration, static crush, fire, and fluid
immersion.
The requirements may be met by the design of the storage device within the vehicle body envelope (e.g., to take advantage of the crashworthiness and fire-barriers properties of the vehicle body), or by a combination of these approaches.
CRASHWORTHINESS / SURVIVABILITY (Cont'd)
MVEDRs shall meet the requirements for applicable
data elements and format in crash tests specified in
FMVSS 208, 214, and 301.
To provide both a check on MVEDR performance and ensure a basic level of survivability, data shall be required to be retrievable by the method specified by the vehicle manufacturer after the crash test.
CRASHWORTHINESS / SURVIVABILITY (Cont'd)
The MVEDRs of light vehicles are part of the air bag module that is located in the occupant compartment of vehicles, providing protection against crush in all but the most severe cases.
Moreover, because MVEDRs are part of the air bag module, their electronics are designed to operate in a shock environment; however, they lack protection from fire and immersion in water and motor vehicle fluids.
1616a: CONNECTOR LOCKOUT APPARATUS
This protocol is applicable to all types and classes of motor vehicles that include MVEDRs. An MVEDRCLA Manual Lockout Device Protocol is a method of operation for a device (the MVEDRCLA) that holds the associated device (the DLC) inoperative to tampering unless a predetermined manual function (key or coded signal) is performed to release the locking feature.
DLC
CLA
ACCESSIBILITY
MVEDRCLA security connectors designed to prevent data tampering, odometer fraud, VIN theft, or reengineering of vehicle networks shall be accessible and controlled by the vehicle owner and shall not prevent emissions testing, vehicle maintenance, or repair of in-vehicle electronic systems, subsystems, computers, sensors, actuators, or control modules, including the air bag control module.
STANDARDS
How are Voluntary Standards used in Regulations?
Government agencies use externally developed standards in a
wide variety of ways, including the following:
Adoption: An agency may adopt a voluntary standard without
change by incorporating the standard in an agency's regulation
or by listing (or referencing) the standard by title. For example,
the Occupational Safety and Health Administration (OSHA) adopted the National Electrical Code (NEC) by incorporating it
into its regulations by reference.
Strong Deference: An agency may grant strong deference to
standards developed by a particular organization for a specific
purpose. The agency will then use the standards in its regulatory program unless someone demonstrates to the agency why it
should not.
http://www.osha.gov/
HOW AGENCIES USE STANDARDS
Basis for Rulemaking: This is the most common use
of externally developed standards. The agency reviews
a standard, makes appropriate changes, and then
publishes the revision in the Federal Register as a proposed regulation. Comments received from the
public during the rulemaking proceeding may result in
changes to the proposed rule before it is instituted.
Regulatory Guides: An agency may permit adherence to a specific standard as an acceptable, though not compulsory, way of complying with a regulation.
HOW AGENCIES USE STANDARDS
Guidelines: An agency may use standards as
guidelines for complying with general requirements.
The guidelines are advisory only: even if a firm complies with the applicable standards, the agency
may conceivably still find that the general regulation
has been violated.
Deference in Lieu of Developing a Mandatory
Standard: An agency may decide that it does not
need to issue a mandatory regulation because voluntary compliance with either an existing standard
or one developed for the purpose will suffice for
meeting the needs of the agency.
RELATED
ISSUES
SET-IN-STONE ON THE NAS BUILDING
THE RIGHT TO SEARCH FOR TRUTH IMPLIES ALSO A DUTY; ONE MUST NOT CONCEAL ANY PART OF WHAT ONE HAS RECOGNIZED AS TRUTH.
Albert Einstein 1897-1955
DISCLAIMER
RELATED ISSUES EXPRESSED IN THIS
PRESENTATION ARE SOLELY THOSE OF
THOMAS M. KOWALICK
SYMPTOMS OF A PROBLEM
Motor vehicle-related injury and death is
the nation's largest
public health
problem.
Globally, more than
one million people die
each year.
National Safety Council (NSC)
World Health Organization (WHO)
33,808 highway deaths/year
16 million crashes/year
Leading cause of death for ages 4 to 34
http://www.who.int/en/
U.S. MODES OF TRANSPORTATION
There are five modes of transportation:
Aviation
Rail
Marine
Pipeline
Highway
All modes utilize Event Data Recorders (EDRs)
to analyze data. In the Highway mode EDRs are
commonly termed Black Boxes.
WHAT IS AN EDR?
An event data recorder (EDR) means a device or function in a vehicle that records the vehicle's dynamic, time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event (e.g., delta-V vs. time), intended for retrieval after the crash event. For the purposes of this definition, the event data do not include audio and video data.
Who?
What?
Where?
When?
Why?
Much of the information to be derived from EDRs is information that eyewitnesses could NOT provide even if they were ACCURATE in all their observations.
EVOLUTION OF EDR SCOPE & PURPOSE
In the beginning EDR technology was built into a
sensing diagnostic module in each vehicle that
controls the air bag deployment.
The initial product liability motivation for the
generation of a retrievable record was to defend
against claims that the air bag system had malfunctioned and caused personal injuries and the
safety motivation was to enable improvements to the
deployment system.
EVOLUTION OF SCOPE & PURPOSE (Cont'd)
Once the data was compiled for these purposes, its use evolved to re-analyzing the data in broader terms to promote a better understanding of vehicle and operator behavior before crashes (CAUSATION).
EDR access has become standard procedure for crash investigations in both criminal and civil areas.
DEVICE OR FUNCTION
Is the Event Data Recorder (EDR) a "device" or a "function" and why does this matter? How can it be both?
Well, that's simple: rather than describing a specific device or product, "EDR" actually is a catch-all term defining a means of collecting data distributed along a vehicle's Controller Area Network (CAN or CAN-bus).
CONTROLLER AREA NETWORK (CAN)
CAN is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within a vehicle without a host computer. CAN is also a message-based protocol, designed specifically for automotive applications.
ELECTRONIC CONTROL UNITS (ECUs)
A modern automobile may have as many as 70 electronic
control units (ECU) for various subsystems.
Typically the biggest processor is the engine control unit, which
is also referred to as "ECU" in the context of automobiles;
others are used for transmission, airbags, antilock braking, cruise control, audio systems, windows, doors, mirror
adjustment, etc.
Some of these form independent subsystems, but
communications among others are essential.
CAN SYSTEM
A subsystem may need to control actuators or receive
feedback from sensors. The CAN standard was devised to fill
this need. The CAN bus may be used in vehicles to connect
engine control unit and transmission, or (on a different bus) to
connect the door locks, climate control, seat control, etc.
1998-2010
NHTSA
REG +
NHTSA EDR WEBSITE
http://www.nhtsa.gov/EDR
49 CFR 563: Event Data Recorders (EDRs)
Final Regulatory Evaluation: http://www.nhtsa.gov/DOT/NHTSA/Rulemaking/Rules/Associated%20Files/EDRFRIA.pdf
Final rule: http://www.nhtsa.gov/DOT/NHTSA/Rulemaking/Rules/Associated%20Files/EDRFinalRule_Aug2006.pdf
Frequently Asked Questions and Additional Information: http://www.nhtsa.gov/DOT/NHTSA/Rulemaking/Rules/Associated%20Files/EDR_QAs_11Aug2006.pdf
NHTSA REG WOEFULLY LACKING
The National Highway Traffic Safety Administration (NHTSA) rule 49 CFR 563: Event Data Recorders does not address these issues:
the ownership of EDR data;
the authenticity of EDR data;
the security of EDR data at the time of a crash;
the chain of custody of EDR data following a crash;
NHTSA REG WOEFULLY LACKING (Cont'd)
tampering and manipulation of EDR data;
how EDR data can be used/discovered in civil litigation;
how EDR data may be used in criminal proceedings;
whether EDR data may be obtained by the police without a warrant;
whether EDR data may be developed into a driver-monitoring tool;
and the nature and extent that private parties will have or may contract for access to EDR data.
PENDING NHTSA ACTION
www.regulations.gov
Search: NHTSA-2008-0004
Seven Petitions for Reconsideration
and Letters of Support
NHTSA ESTIMATE: EDRS IN LIGHT VEHICLES
NHTSA ESTIMATED EDR COSTS
NHTSA EDR ESTIMATED COSTS (Cont'd)
STATE
STATUTES
STATE EDR STATUTES 2004-10
Arkansas Code 27-37-103
California Code 9950-9953
Colorado Statutes 12-6-4
Connecticut Public Act 07-235
Maine Statutes 29A-1-17-3
New Hampshire Statutes 357-G
New York Laws 4A16 416-B
Nevada Statutes 484.638
North Dakota Code 51-07-28
Oregon House Bill 2568 (644)
Texas Statutes 547.615
Virginia Code 46.2-1088.6
Washington 46-35.010
13 States have EDR legislation and there is case law in 29 states.
NCHRP
17-24
NCHRP RESEARCH
Objective: Recommend minimum set of EDR data elements for vehicle and roadside safety analysis
Sponsor: Transportation Research Board
NCHRP 17-24
Use of EDR Technology For Roadside Crash Data Analysis
EC
VERONICA II
EUROPEAN COUNCIL VERONICA PROJECT
VERONICA II
Vehicle Event Recording based on Intelligent Crash
Assessment
Passive Safety
Duration from 1/05/2007 until 30/04/2009
http://ec.europa.eu/transport/road_safety/pdf/projects/veronicaii.pdf
VERONICA II is to specify the technical and legal requirements for a
possible implementation of Event or Accident Data Recorders in vehicles in
Europe. Of major importance is the definition of the trigger sensitivity in order
to capture not only hard crash data but also data from collisions with 'soft
objects', i.e. vulnerable road users which represent a relevant part of road
users and victims in accidents.
J-EDR
JAPANESE-EDR (J-EDR)
http://www.mlit.go.jp/kisha/kisha08/09/090328_.html
J-EDR
The Japanese Ministry of Land, Infrastructure, Transport and Tourism (J-MLIT) decided on the technical requirements for the application of EDRs to light vehicles (3500 kg GVWR or less) in March 2008 [J-MLIT website, 2008]. This requirement, so-called J-EDR technical requirement, is comparable to the US Part 563. However, J-EDR is adding two data elements which are the pre-crash warning and the pre-crash brake operating status. EDRs are now being installed in ACMs by several automakers.
SOURCE: Study on Pre-Crash and post-Crash Information Recorded in Electronic Control Units (ECUs) Including Event Data Recorders, Hirotoshi Ishikawa, Nobuaki Takubo, Ryo Oga, Kenshiro Kato, Takeshi Ikari, Enhanced Safety of Vehicles (ESV) Conference, Paper Number 09-0375, The 21st International Technical Conference on the Enhanced Safety of Vehicles Conference (ESV) - International Congress Center Stuttgart, Germany, June 15-18, 2009.
ESV
EDR PAPER
ENHANCED SAFETY OF VEHICLES PAPER
ABSTRACT
http://www-nrd.nhtsa.dot.gov/pdf/esv/esv21/09-0375.pdf
CONCLUSIONS
The conclusions are summarized as follows:
The pre-crash velocities recorded by the EDR were highly accurate and reliable when cars proceeded without braking prior to the collision. The accuracy and reliability of the EDR impact velocity could be affected by the braking conditions and the EDR time zero information.
The accuracy and reliability of the maximum delta-V recorded by the EDR decreased under highly complex or severe crash conditions, as compared to the results obtained from the standardized crash tests.
The factors responsible for this result were attributable to the characteristics of the accelerometers used in EDR, the large deformation at the location of the airbag control module, vehicle body rotation in a collision, etc.
CONCLUSIONS (Cont'd)
When one of the ABS sensors installed in an impacted vehicle was damaged during collision, the ABS-ECU recorded the vehicle speed and the tire rotational velocity of the four wheels at the event of an ABS malfunction.
The engine-ECU could record the vehicle speed information when the engine was damaged during collision. In order to obtain and understand the information of the engine-ECU, crash tests are recommended to be carried out with the engine running.
ACKNOWLEDGEMENTS
ESV PAPER ACKNOWLEDGMENTS:
We sincerely thank the Ministry of Land, Infrastructure, Transport and Tourism of Japan for providing the J-NCAP
data and Toyota for their support in retrieving the EDR data.
SUA
Crash recorders opening up the box
Anders Kullgren
Head of road traffic safety research at Folksam
[Figure: acceleration (g) and change of velocity (km/h) plotted against time (ms)]
Delta-V 52.1 km/h
Mean acc 12.6 g
Peak acc 31.7 g
http://www.etsc.eu/documents/13_Kullgren.ppt
EXAMPLE OF SUA ITEM
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.29.1624
GAO
NHTSA
GAO REPORT
A United States Government Accountability Office (GAO) Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate (GAO-09-56) titled "HIGHWAY SAFETY: Foresight Issues Challenge DOT's Efforts to Assess and Respond to New-Technology-Based Trends" recommends that DOT (1) develop an approach to guide decision-making on new, fast moving trends that can affect highway safety; (2) evaluate whether new data systems and analytic techniques are needed to provide information on such trends; and (3) employ specific strategies and schedules in communicating with Congress about these and other trends. DOT disagreed with the first of these and did not comment on the other two. GAO continues to recommend all three.
GAO-09-56 at www.gao.gov/new.items.d0956.pdf
GAO REPORT
The GAO report concludes that "New fast-moving technology-based trends are characterized by uncertainties and the main criteria that DOT's National Highway Safety Administration (NHTSA) officials use in determining how to respond, quantitative evidence that a sizeable problem exists and knowledge of a promising countermeasure, do not address uncertainty."
GAO-09-56: www.gao.gov/new.items.d0956.pdf
INTELLECTUAL
PROPERTY
INTELLECTUAL PROPERTY EXAMPLE
RESEARCH PATENTS TO DETERMINE THE STATE OF THE ART
DETERMINE WHAT PUBLIC PATENT APPLICATIONS APPLY TO SUDDEN UNINTENDED ACCELERATION
SEEK RESEARCH SUPPORT FROM A UNIVERSITY PATENT DEPOSITORY
ANOTHER PATENT EXAMPLE
PATENTS OFFER SOLUTIONS
TAMPER
NO EDR CONSUMER PROTECTION
AUTOMAKERS ADVOCATES GOVERNMENT
EVIDENCE OF TAMPERING
http://www.youtube.com/watch?v=q4vr1LIOhuI&NR=1
http://www.youtube.com/watch?v=t7La2kkUdQ0
IN JUST A FEW MINUTES (ONLINE)
ONE CAN LOCATE PRODUCTS AND SERVICES TO ROLL BACK ODOMETERS
AND ERASE ECU CRASH DATA!
DIAGNOSTIC LINK CONNECTOR (DLC)
All light vehicles sold in the United States since 1996 are required to have an On-Board Diagnostics connector, for easy access to the car's Controller Area Network (CAN) bus.
The Society of Automotive Engineers (SAE) J1962 Diagnostics Connector has been designed as the primary physical interface to access EDR data elements in light vehicles for post-crash analysis. Data elements are commonly accessed by connecting an electronic diagnostic tool to this vehicle port.
DIAGNOSTIC LINK CONNECTOR (DLC)
ANYONE WITH AN eTOOL CAN PLUG-IN
ELECTRONIC TOOLS
A variety of electronic tools are manufactured and marketed to re-engineer vehicle networks, reset odometers and tamper or erase vehicle data via this port which is generally unsecure and prone to misuse of the original safety and emissions diagnostic related purpose.
Unauthorized access, whether malicious or inadvertent, must be prevented in order to protect the integrity of connected devices, vehicles, and systems.
ONLINE SITES MARKET & SELL eTOOLS
TIP OF THE ICEBERG!
eTOOLS
ONLINE TOOLS TO TAMPER DATA
Publicly advertised tools that have the ability to clear locked
data from crash records in Event Data Recorders (typically SRS
ECUs):
1. http://www.uuctech.com/Products/VW-AUDI-Airbag-Reset.html
2. http://www.tradekey.com/product_view/id/811757.htm
3. http://www.codecard.lt/carprog/carprog-airbag-with-all-software-39-s-and-adapters-needed-for-airbag-repair-and-programming/prod_345.html
4. http://www.adkautoscan.com/Production/R101.htm
5. http://autocheery.en.made-in-china.com/product/reOQqGocbJiB/China-Honda-SRS-OBD2-Airbag-Resetter-for-Honda-with-TMS320-.html
6. http://www.mtaplus.cz/navody/vwgroup_airbagreseter.pdf
7. http://www.codecard.lt/ford-airbag-reset-tool-please-find-it-as-carprog-software-/prod
8. http://www.codecard.lt/carprog/software/carprog-airbag/s5-5-gm-airbag-reset-tool-by-obdii/prod_88.html
TAMPERING MOTIVATION
GIVEN SUFFICIENT MOTIVATION,
SOMEONE WILL TRY TO TAMPER
AN EDR.
As a general rule motivation can be described as a possible gain which is
considered more desirable by the undertaker than the possible loss associated with the risks.
#1 Evasion of Legal Prosecution
#2 Financial Gain
#3 Technical Reputation
LEGAL USAGE
EDR DATA, TOGETHER WITH THE EXPERT'S ANALYSIS MAY BE USED IN COURT OR BY OTHER PARTIES TO DETERMINE QUESTIONS OF GUILT AND ANY PENALTIES.
GENERIC THREATS
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
AUTHENTICITY
TURN-KEY SOLUTION
SEAL THE DATA!
SAFETY VS. PRIVACY
The balance between privacy and public safety will
be tested as EDRs become more commonplace.
The price of safer roads is thus the risk that private EDR data may be used
by insurance companies, the legal system, or other bodies.
RECOMMENDATION
RECOMMENDATION: AMEND 49 CFR 563
ADD this section:
563.13 Motor Vehicle Event Data Recorder Connector
Lockout Apparatus (MVEDRCLA).
Each manufacturer of a motor vehicle equipped with an
EDR shall ensure that a motor vehicle event data recorder
connector lockout apparatus (MVEDRCLA) as standardized
by the Institute of Electrical and Electronics Engineers Standards Association (IEEE 1616a-2010) to protect the
security, integrity, and authenticity of the data that are
required by this part is attached to the vehicle's SAE J1962 (ISO/DIS 15031-3) vehicle diagnostic link connector (DLC) at
the point of motor vehicle sale, including leased and rented
vehicles.
AUTHOR INFORMATION
Thomas M. Kowalick is widely recognized as a leading researcher on
EDR technologies. He is a member of the Author's Guild, and a
retired professor in Southern Pines, North Carolina. Kowalick serves
as Chair of the Institute of Electrical and Electronics Engineers (IEEE) global project 1616 to create the world's first automotive
black box standard, contributed to the development of the National
Highway Traffic Safety Administration (NHTSA) web site for EDR
research, and as a panel member on the National Academies of Sciences project studying EDRs. He is the author of FATAL EXIT:
The Automotive Black Box Debate (John Wiley) and six other books
specifically covering EDR history, standardization, legislation,
regulation, legal issues and consumer protection. Kowalick is also author of the EDR segment in the McGraw Hill 2009 Yearbook of
Science & Technology.
REFERENCES
A Review of Jurisprudence Regarding Event Data Recorders: Implications for the Access
and Use of Data for Transport Canada Collision Investigation, Reconstruction, Road Safety
Research, and Regulation, prepared for the Road Safety and Motor Vehicle Regulation,
Transport Canada. http://www.carsp.ca/downloads/edr_jurisprudence.pdf March 31, 2005.
U.S. Dept. of Transportation, National Highway Traffic Safety Administration, Final Rule, 49
CFR Part 563, Event Data Recorders, http://www.nhtsa.gov/Laws+&+Regulations/Vehicles Aug. 21, 2006.
Use of Event Data Recorder (EDR) Technology for Highway Crash Data Analysis,
Transportation Research Board NCHRP (Project 17-24), Transportation Research Board,
http://www.nhtsa.gov/DOT/NHTSA/NRD/Articles/EDR/PDF/Research/EDR_Technology.pdf
December 2004.
Vehicle Data Recorders - FMCSA-PSV-06-001, Federal Motor Carrier Safety Administration,
http://www.fmcsa.dot.gov/facts-research/research-technology/report/vehicle-data-recorders-dec05/vehicle-data-recorders-dec05.htm
December 2005.
Institute of Electrical and Electronics Engineers (IEEE) global standards for Motor Vehicle
Event Data Recorders (MVEDRS); IEEE 1616-2010 and IEEE 1616a-2010 at
http://grouper.ieee.org/groups/1616a/ May, 2010.
GAO-09-56 Report to the Chairman, Committee on Commerce, Science, and
Transportation, U.S. Senate: HIGHWAY SAFETY Foresight Issues Challenge DOT's Efforts
to Assess and Respond to New Technology-Based Trends.
www.gao.gov/new.items/d0956.pdf October 2008.
REFERENCES (Contd)
Analysis of Event Data Recorder Data for Vehicle Safety Improvement,
USDOT/NHTSA DOT HS 810 935 at
www.nhtsa.gov/DOT/NHTSA/NRD/Multimedia/PDFs/EDR/.../810935.pdf
Vehicle Event Recording based on Intelligent Crash Assessment
(VERONICA-II) European Commission / Directorate-General for Energy and
Transport, at http://ec.europa.eu/transport/road_safety/pdf/projects/veronicaii.pdf June
2009.
USDOT/NHTSA Docket No. NHTSA-2004-18029 comments from Public
Citizen, Consumer Union, Advocates for Vehicle and Highway Safety and
Electronic Privacy Information Center (EPIC), see www.regulations.gov
THANKS FOR YOUR ATTENTION
CONTACT INFO
THOMAS M. KOWALICK
305 SOUTH GLENWOOD TRAIL
SOUTHERN PINES
NORTH CAROLINA 28387
910-692-5209
[email protected]
TAMPER
ADDENDUM
CONFIDENTIALITY ISSUES
CONFIDENTIALITY is defined as the property of data that indicates the extent to
which these data have not been made
available or disclosed to unauthorized
individuals, processes, or other entities
([ISO/IEC 2382-8: 1998], 08.01.09).
The assumption that EDRs only provide data linked to a specific vehicle, but not a
specific driver, ignores the data privacy
issues outside the vehicle.
CONFIDENTIALITY ISSUES
Although it may seem feasible to avoid privacy
issues by restricting the recorded data to a
minimal set of sensor and status data and to only record a time span of about one minute
around the crash event, it is highly
probable that next generation memory
module technologies will increase the
recording time, therefore making privacy issues unavoidable.
CONFIDENTIALITY ISSUES
Increasing numbers of people will obtain
access to EDR data.
The minimum requirement to access EDR
data is physical access to the vehicle's interior and the SAE J1962 connector.
Therefore, access to EDR data will always
be possible unless a technical
countermeasure is utilized.
CONFIDENTIALITY ISSUES
The DRIVER and OWNER will always have
physical access to the EDR device (via the
SAE J1962 Diagnostic Link Connector (DLC) common on all light vehicles).
This is a problem if the owner can access
data that would indicate a crash in which the
vehicle was involved and where a driver other than the owner was involved in the
crash.
CONFIDENTIALITY ISSUES
For example, a car rental company or transport fleet could regularly access data to
find out about the crashes by drivers.
Even if the rental company does not sue the
driver immediately, the company (or even a group of cooperating rental companies)
could use the data to keep a black list of
drivers involved in crashes.
CONFIDENTIALITY ISSUES
Since the USDOT/NHTSA is seriously considering mandating EDRs in light
vehicles it is highly likely that lease, fleet
and rental vehicles will have EDRs.
Therefore, since DRIVERS are supposed to notify the company about any crash,
accessing the EDR data would only change
the situation for those drivers who had not informed the company about the crash.
CONFIDENTIALITY ISSUES
Although this might be an issue in the case of
low-priority (unreported to law enforcement)
crashes, access to the data by the OWNER in this scenario, especially the COMBINATION
OF EDR DATA AND PERSONAL DATA
requires the consent of the DRIVER and
would need to be explicitly agreed in the rental
contract.
CONFIDENTIALITY ISSUES
The combination of EDR data with driving records creates data records that require
consumer data protection to avoid creating
black lists.
The potential to misuse EDR data will greatly increase.
Following a crash, many vehicles are taken to a workshop where access to the EDR data is
possible.
CONFIDENTIALITY ISSUES
Workshops can sell data to car or insurance
companies for statistical purposes, or sell
data for marketing purposes.
A rare/extreme motivation for workshops to download EDR data is blackmailing of
drivers or owners which is more likely to
occur with high-profile crashes.
CONFIDENTIALITY ISSUES
After a crash, it may be possible that neither DRIVER nor OWNER is capable of controlling
physical access to the vehicle.
Therefore, an opportunity does exist for third
parties to access EDR data from the vehicle,
although they may have no rights to access
them.
It is technically possible to gather EDR
evidence since the port is unprotected.
INTEGRITY
INTEGRITY is defined as the property of data whose accuracy and consistency are
preserved regardless of changes made
(data integrity, [ISO/IEC 2382-8:1998], 08.01.07). For systems (like the EDR itself),
integrity means the quality of a data
processing system fulfilling its operational purpose while both preventing unauthorized
users from making modifications to or use of
resources and preventing authorized users
from making improper modifications to or
improper use of resources (system integrity, [ISO/IEC 2382-8: 1998], 08.01.17).
INTEGRITY ISSUES
The most obvious threat to an EDR is the manipulation of the data.
After a crash, a DRIVER or OWNER of a
vehicle may be interested to tamper EDR data
in order to avoid prosecution.
Manipulation / Tampering may take several
forms, like replacing all data with a forged set of records, changing only selected records, or
even changing only selected entries within a
record.
INTEGRITY ISSUES
From an IT security point of view, all
manipulation / tampering of data is
considered unauthorized; however, it still happens.
An attacker may delete data from the EDR's
event storage creating the impression
that the crash did not happen at all.
INTEGRITY ISSUES
An attacker may overwrite incriminating data in a way that suggests that the EDR or
its attached sensors did not function
correctly, thus making the EDR data useless for prosecution.
An attacker may consistently change EDR
records in a way that suggests that the
accident did happen, but the driver did not violate any driving regulations.
INTEGRITY ISSUES
For example, an attacker can change the vehicle speed prior to a crash to a lower
value, indicating that the vehicle was being
driven within the permitted speed limit.
NOTE. Such manipulations are the most complex ones, because not only the speed
needs to be changed, but also the
acceleration/deceleration values, time values, and other data need to be changed
consistently.
INTEGRITY ISSUES
Forging / Tampering / Manipulation is most likely following a crash, unless an attacker
has exact knowledge of a pending crash
and seeks to influence the post-crash analysis of that crash data.
Therefore, most manipulation of data will
occur following a crash before it has been
downloaded (and secured as evidence) by an authorized party.
INTEGRITY ISSUES
Once the EDR data has been secured as evidence by time stamping and digitally
signing the downloaded records,
manipulation will be useless, since any record presented in court would have to
compete in credibility with the original
record already downloaded and introduced into the legal process by the appointed
trustworthy expert.
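The sealing step described on this slide, as an added example that is not part of the original presentation: the downloaded records are bound to the VIN and download time under a keyed tag, and a later copy is checked against that seal. An HMAC stands in here for the expert's digital signature and the download time is supplied by the caller rather than a time-stamping service; the VIN, key, time and record fields are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample data: the VIN, key, time and record fields are made up for
# this example and are not taken from 49 CFR 563, IEEE 1616 or any real EDR.
SAMPLE_VIN = "TESTVIN0000000001"
SAMPLE_TIME = "2010-11-16T14:05:00Z"
EXAMINER_KEY = b"constructed-examiner-key"
SAMPLE_DOWNLOAD = [
    {"event": 1, "speed_kmh": [92, 90, 85, 71, 48],
     "brake_on": [0, 0, 1, 1, 1], "delta_v_kmh": -41},
    {"event": 2, "speed_kmh": [48, 30, 12, 0, 0],
     "brake_on": [1, 1, 1, 1, 1], "delta_v_kmh": -9},
]

SEAL_INVALID = "seal is not authentic"


def canonical(obj) -> bytes:
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record) -> str:
    """SHA-256 over one record; any changed entry changes the digest."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal_download(records, vin, download_time, key):
    """Bind every record digest to the vehicle and the download time."""
    manifest = {
        "vin": vin,
        "download_time": download_time,
        "record_digests": [record_digest(r) for r in records],
    }
    # Keyed tag over the whole manifest (stand-in for a digital signature).
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_download(records, seal, key):
    """Return a list of findings; an empty list means the copy matches the seal."""
    expected = hmac.new(key, canonical(seal["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal["tag"]):
        # The manifest or tag was edited, or sealed with a different key.
        return [SEAL_INVALID]
    sealed = seal["manifest"]["record_digests"]
    presented = [record_digest(r) for r in records]
    findings = []
    for i, digest in enumerate(sealed):
        if digest not in presented:
            findings.append(f"sealed record {i} is missing or altered")
    for j, digest in enumerate(presented):
        if digest not in sealed:
            findings.append(f"presented record {j} was not in the sealed download")
    return findings


def demo():
    """Check the sealed download against the manipulation forms named on the slides."""
    seal = seal_download(SAMPLE_DOWNLOAD, SAMPLE_VIN, SAMPLE_TIME, EXAMINER_KEY)

    # One entry inside one record lowered (pre-crash speed sample).
    entry_changed = copy.deepcopy(SAMPLE_DOWNLOAD)
    entry_changed[0]["speed_kmh"][0] = 78

    # A whole record removed from event storage.
    record_deleted = SAMPLE_DOWNLOAD[:1]

    # Altered copy presented with a fresh seal made without the examiner's key.
    resealed = seal_download(entry_changed, SAMPLE_VIN, SAMPLE_TIME, b"some other key")

    return {
        "untouched": verify_download(SAMPLE_DOWNLOAD, seal, EXAMINER_KEY),
        "entry_changed": verify_download(entry_changed, seal, EXAMINER_KEY),
        "record_deleted": verify_download(record_deleted, seal, EXAMINER_KEY),
        "resealed_without_key": verify_download(entry_changed, resealed, EXAMINER_KEY),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "matches seal")
```

The seal only proves what the records were at download time; changes made between the crash and the download are outside what it can detect.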
INTEGRITY ISSUES
Therefore, we can assume that manipulation of EDR data is only a threat
during the window of opportunity between
the crash itself and the point in time where the EDR is secured as evidence.
In Hit & Run cases the window of
opportunity is larger.
There is also a threat of manipulating data
prior to selling the vehicle.
INTEGRITY ISSUES
With a USDOT/NHTSA EDR mandate a large base of installed EDRs (80+ million)
will trigger development of sophisticated
manipulation tools, especially if such a manipulation can be programmed in
software.
Electronic tools exist to manipulate EDRs
and to alter digital odometers.
AVAILABILITY
AVAILABILITY is defined as the property
of data or of resources being accessible
and usable on demand by an authorized
entity
([ISO/IEC 2382-8:1998], 08.01.17).
AVAILABILITY ISSUES
Threats to EDR data are similar to the INTEGRITY threats because they have
similar effects, although they can have
different causes.
The EDR or some of its sensors could malfunction, be severely damaged in the
crash or the power supply to the EDR
could be cut.
AUTHENTICITY
AUTHENTICITY deals with the origin and
genuineness of data. In EDR issues
AUTHENTICITY has its own set of threats relative to EDR security architecture.
EDR data is used as evidence in disputes,
and therefore its authenticity must be
guaranteed to a degree acceptable by
courts.
AUTHENTICITY ISSUES
EDRs raise critical issues including:
who should have access to the data stored;
under what circumstances access should be granted;
whether EDRs are tamper-proof; and
whether they are resistant to accidental spoliation.
AUTHENTICITY ISSUES
Access to EDR data is possible by anyone
having physical access to the vehicle
interior and plugging an electronic tool into the SAE J1962 connector.
The Court, or any higher authority must be
convinced that the data presented to it
can be linked unambiguously to an event and a certain vehicle.
AUTHENTICITY ISSUES
AUTHENTICITY needs to be protected during the data transition from the EDR to
the court.
The current design of EDR architecture and
data model provides a link between the EDR and the vehicle.
However, the EDR itself would not provide a digital signature of any kind to prove that
the data originates from the EDR.
AUTHENTICITY ISSUES
As the records are not signed by the EDR, everybody in the chain could modify it.
Such modifications would be hard to spot
if the original record is not integrity-
protected.
EDR data needs to be sealed at the time of
the crash.
AUTHENTICITY ISSUES
If not sealed at crash time, it is crucial to
keep the time window between crash and
download of the EDR data as small as possible.
Signing the records by the EDR itself
cannot be implemented without a
significant overhead for a security infrastructure.
AUTHENTICITY ISSUES
However, sealing the EDR data at the time
of crash via a CLA is both technically
feasible and economically sound.
SIMPLE: Amend 49 CFR 563 NOW !
Reliable proof of AUTHENTICITY of EDR
data is achieved via an IEEE 1616a CLA.
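The timing argument on the slides above, as an added illustration (not code from the presentation or from IEEE 1616a, and not a model of the CLA itself): an HMAC stands in for any seal, and the custody stages, key and record fields are constructed. It shows that a seal taken at crash time exposes any later edit, while a seal first taken at download verifies cleanly over data altered in the window before it.

```python
"""Constructed illustration: the moment a seal is taken decides which edits it exposes."""
import copy
import hashlib
import hmac
import json

# Hypothetical chain of custody, in time order (assumption, not from the slides).
STAGES = ["crash", "tow_yard", "download", "analysis"]
KEY = b"constructed-demo-key"  # assumption: known only to the sealing party

# Constructed sample record; field names are illustrative, not a real EDR format.
CRASH_RECORD = {
    "delta_v_kph": 41,
    "pre_crash_speed_kph": [88, 86, 79, 61],
    "brake_applied": [0, 0, 1, 1],
}

def canonical(record):
    """Stable byte encoding so identical records always yield identical seals."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record, key=KEY):
    """Keyed digest (HMAC-SHA256) over the whole record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record, tag, key=KEY):
    return hmac.compare_digest(seal(record, key), tag)

def run_chain(seal_stage, tamper_stage=None):
    """Pass the record through STAGES; return True if the final check passes."""
    if seal_stage not in STAGES:
        raise ValueError("unknown seal stage")
    record, tag = copy.deepcopy(CRASH_RECORD), None
    for stage in STAGES:
        if stage == seal_stage:
            tag = seal(record)            # seal covers the record as it is *now*
        if stage == tamper_stage:
            record["pre_crash_speed_kph"][0] = 60   # edit by someone in the chain
    return verify(record, tag)

if __name__ == "__main__":
    for seal_at in ("crash", "download"):
        for tamper_at in (None, "tow_yard", "analysis"):
            ok = run_chain(seal_at, tamper_at)
            print(f"seal@{seal_at:9} tamper@{str(tamper_at):9} verification passes: {ok}")
```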
NCHRP
ADDENDUM
NCHRP RESEARCH
Objective: Recommend minimum set of EDR data elements for vehicle and roadside safety analysis
Sponsor: Transportation Research Board
NCHRP 17-24
Use of EDR Technology for Roadside Crash Data Analysis
NCHRP 17-24 LEGAL QUESTIONS
Does the Federal government have the regulatory authority to mandate the use and collection of EDR data?
May the Federal government require manufacturers to install EDRs?
What authority permits NHTSA and the various State DOTs to include information in their own State databases?
NCHRP 17-24 LEGAL QUESTIONS (Cont'd)
What limitations do private parties face when attempting to use the information contained in EDRs?
May private parties obtain the data contained in EDRs without the consent of the vehicle owner as part of the discovery in preparation for trial?
May private parties, such as insurance adjusters, private attorneys, and researchers, obtain the data contained in the EDR at the scene of the crash or through pre-trial discovery without the consent of the vehicle owner?
NCHRP 17-24 LEGAL QUESTIONS (Cont'd)
May private parties obtain and use EDR data when unrelated to trial discovery?
Does the search of an automobile to obtain information contained in an EDR raise a Fourth Amendment question?
May police officers seize EDR data during post-crash investigations without a warrant?
NCHRP 17-24 PRIVACY QUESTIONS
Do car owners have a reasonable expectation of privacy in EDR devices as a component of the automobile?
Does a car owner have a reasonable expectation of privacy in the telemetry data provided by EDR devices?
May police officers obtain the data without the owner's consent after obtaining a warrant for both criminal and non-criminal investigations?
NCHRP 17-24 PRIVACY QUESTIONS (Cont'd)
What other privacy and legal issues are important in considering the use of EDR data?
What are the implications of the Fifth Amendment and EDRs?
What are the Federal Rules of Evidence and the use of EDR at trial?
NCHRP 17-24 FINDINGS
USDOT/NHTSA may require the installation of devices that demonstrably improve highway safety or advance some other significant policy interest.
There is public policy interest in installing EDRs.
PUBLIC QUESTIONS
How do professionals analyze EDR data -- what special equipment do they use?
How do EDRs function during pre-crash, crash and post-crash mode?
Under what circumstances can third parties, such as law enforcement or insurance companies, download data from the EDR?
How do third parties, such as insurance companies, collect and manage electronically recorded event data?
NCHRP 17-24 FINDINGS (Cont'd)
With respect to Fourth Amendment concerns, the police (or other government accident investigators) may properly seize such devices (or otherwise collect the data therefrom) without a warrant during post-accident investigations.
NCHRP 17-24 FINDINGS (Cont'd)
Authority is premised on two legal issues:
Seizure of a required safety device does not constitute a search implicating the Fourth Amendment.
Seizure of a safety device qualifies under the exemptions for conducting a warrantless search.
NCHRP 17-24 FINDINGS (Cont'd)
Law Enforcement authority to conduct warrantless searches may be affected by how soon after the crash the search occurs.
The more immediately the search occurs following the crash, the greater the officer's authority to conduct a warrantless search.
NCHRP 17-24 FINDINGS (Cont'd)
Absent a crash, law enforcement may not seize such data without a warrant or express legislative action.
Although the data and the recorder itself may be owned by the vehicle owner or lessee, that data may be used as evidence against the owner (or other driver) in either a civil or a criminal case.
NCHRP 17-24 FINDINGS (Cont'd)
Nothing within the Federal Rules of Evidence (FRE) or the Fifth Amendment's protection against compelled self-incrimination would exclude the use of data recorded by EDRs.
Owners might be prohibited from tampering with the data if litigation is pending.
MYTHS, MYSTERY, MISINFORMATION
What is the difference between an EDR and a "black box" common to airplanes?
Why are automakers installing EDRs in modern vehicles?
Why do safety advocates believe we need these emerging technologies?
What do privacy advocates fear about them?
PUBLIC QUESTIONS
What are the positive and negative perceptions of EDRs to the public?
What types of crash data do EDRs record and for what duration?
Can the EDR record where a vehicle traveled -- or how fast it was going at any given time?
Under what circumstances will people have access to EDR data?
PUBLIC QUESTIONS
Who has access to crash data?
What is the U.S. government proposal for EDRs?
What's in your vehicle?
What recording capability will be in the next new vehicle that you drive -- maybe a rental car?
How is it possible to balance safety and privacy?