IEE 111610 Presentation

  • 7/27/2019 IEE 111610 Presentation

    1/150

    MOTOR VEHICLE EDR GLOBAL STANDARDIZATION AND RELATED ISSUES

    Thomas M. Kowalick, November 16th 2010

    1616a-2010

    1616-2010

    Committee for a Study of Electronic Vehicle Controls

    and Unintended Acceleration

    National Research Council / National Academies

    Keck Center, 500 Fifth St., NW, Washington, DC

    PRESENTATION GOAL

    1) To present timely and important IEEE Motor Vehicle Event Data Recorder (MVEDR) standards initiatives and 2) to focus attention on related issues regarding the use/misuse of EDR technologies.

    30 MINUTE OUTLINE

    IEEE & MVEDR

    IEEE

    The Institute of Electrical and Electronics Engineers (IEEE) is the world's largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity.

    IEEE and its 375,000+ members inspire a global community through IEEE's highly cited publications, conferences, technology standards, and professional and educational activities.

    STANDARDS ASSOCIATION

    The IEEE Standards Association (IEEE-SA) promotes the engineering process by creating, developing, integrating, sharing, and applying knowledge about electro- and information technologies and sciences.

    For over a century, the cornerstone of the IEEE-SA has been its established standards development program - a program that offers balance, openness, due process, and consensus. Each year, the IEEE-SA conducts over 200 standards ballots, a process by which proposed standards are voted upon for technical reliability and soundness.

    In addition to producing the prominent 802 Standards for Local and Metropolitan Area Network Wireless, IEEE-SA also develops the standards for:

    Intelligent highway systems and vehicular technology

    Distributed generation renewable energy

    Voting Equipment Electronic Data Interchange

    Rechargeable Batteries for PCs

    Motor Vehicle Event Data Recorder

    Public Key Infrastructure

    Certificate Issuing and Management Components

    Architecture for Encrypted Shared Media

    Organic Field Effect Technology

    IEEE-SA thrives because of the technical diversity of its 20,000 plus participants, consisting of technology leaders from around the globe, including individuals in corporations, organizations, and government agencies. Through their collective knowledge, members contribute to the integrity and value of IEEE standards.

    IEEE MVEDR PROJECT GOAL

    Create a Voluntary Consensus Based Standard By Combining Best Efforts of Industry & Government Towards Enhanced Vehicle & Highway Safety

    IEEE MVEDR REFLECTS A WIDE-RANGE:

    Insurance

    Law Enforcement

    Legal

    Fleets

    Medical Injury

    Auto Technicians

    Academia

    EMT, EMS, 911

    Reconstructionist

    Crash Data Researchers

    Public

    Vehicle OEMs

    Government

    Aftermarket

    Suppliers

    Telematics

    Wireless

    Human Factors Research

    Component Suppliers

    Connector Industry

    Survivability

    Safety Advocates

    IEEE MVEDR STANDARDS

    IEEE-1616-2010 Standard for Motor Vehicle Event Data Recorder (171 pages).

    IEEE-1616a-2010 Standard for Motor Vehicle Event Data Recorders (MVEDRs) Amendment 1: Motor Vehicle Event Data Recorder Connector Lockout Apparatus (MVEDRCLA) (19 pages).

    AVAILABLE at www.ieee.org

    4.2 INTERNATIONAL USE OF EDR DATA

    Users of MVEDR data include, but are not limited to, the following:

    1) Global development of treaties on roads and transport

    2) Reports on international road safety

    3) Government transport agencies

    4) International road safety databases

    5) Country specific road safety issues

    6) Regional road issues

    7) International organizations on road safety

    8) United Nations road safety initiatives

    9) European Union road safety initiatives

    10) Organization for Economic Co-operation and Development (OECD)

    11) International non-governmental organizations

    12) World Health Organization (WHO) road safety initiatives

    8. MVEDR DATA DICTIONARY

    A data dictionary is a collection of entries specifying the name, source, usage and format of each data element used in a system or set of systems.

    The MVEDR data dictionary is a collection of 86 data definitions. Data definition is a description of the format, structure, and properties of data elements in a data dictionary.

    For this standard, data elements are uniquely named as a defined component of data definition, a data cell in which items (actual values) can be placed.

    4.7 CRASHWORTHINESS

    The MVEDR memory shall be capable of meeting the crashworthiness requirements outlined in Table 10.

    Judicious placement of the MVEDR within the vehicle may also help to minimize the likelihood of damage as a result of a crash.

    CRASHWORTHINESS / SURVIVABILITY

    SOURCE: IEEE 1616-2010 page 31

    CRASHWORTHINESS / SURVIVABILITY (Cont'd)

    Survivability requirements should be considered when selecting and installing connectors to the nonvolatile memory and other MVEDR components.

    Although protection of the MVEDR as a whole is important, the priority for crashworthiness is protection of the nonvolatile memory.

    CRASHWORTHINESS / SURVIVABILITY (Cont'd)

    The manufacturer should document, and make available to whomever requests it, the reliability, confidence level, and minimum lifetime information for a particular MVEDR.

    The MVEDR processor should continually operate when subjected to the vehicle environment where it is located.

    During a crash, at a minimum, the processor should operate long enough to attempt capturing the buffered memory within the nonvolatile memory. After an event, the processor should operate for at least the minimum duration specified by the data elements being recorded.

    CRASHWORTHINESS / SURVIVABILITY (Cont'd)

    The manufacturer shall specify what crashworthiness requirements were used for the following conditions: impact shock, penetration, static crush, fire, and fluid immersion.

    The requirements may be met by the design of the storage device within the vehicle body envelope (e.g., to take advantage of the crashworthiness and fire-barrier properties of the vehicle body), or by a combination of these approaches.

    CRASHWORTHINESS / SURVIVABILITY (Cont'd)

    MVEDRs shall meet the requirements for applicable data elements and format in crash tests specified in FMVSS 208, 214, and 301.

    To provide both a check on MVEDR performance and ensure a basic level of survivability, data shall be required to be retrievable by the method specified by the vehicle manufacturer after the crash test.

    CRASHWORTHINESS / SURVIVABILITY (Cont'd)

    The MVEDRs of light vehicles are part of the air bag module that is located in the occupant compartment of vehicles, providing protection against crush in all but the most severe cases.

    Moreover, because MVEDRs are part of the air bag module, their electronics are designed to operate in a shock environment; however, they lack protection from fire and immersion in water and motor vehicle fluids.

    1616a: CONNECTOR LOCKOUT APPARATUS

    This protocol is applicable to all types and classes of motor vehicles that include MVEDRs. An MVEDRCLA Manual Lockout Device Protocol is a method of operation for a device (the MVEDRCLA) that holds the associated device (the DLC) inoperative to tampering unless a predetermined manual function (key or coded signal) is performed to release the locking feature.

    DLC

    CLA

    ACCESSIBILITY

    MVEDRCLA security connectors designed to prevent data tampering, odometer fraud, VIN theft, or reengineering of vehicle networks shall be accessible and controlled by the vehicle owner and shall not prevent emissions testing, vehicle maintenance, or repair of in-vehicle electronic systems, subsystems, computers, sensors, actuators, or control modules, including the air bag control module.

    STANDARDS

    How are Voluntary Standards used in Regulations?

    Government agencies use externally developed standards in a wide variety of ways, including the following:

    Adoption: An agency may adopt a voluntary standard without change by incorporating the standard in an agency's regulation or by listing (or referencing) the standard by title. For example, the Occupational Safety and Health Administration (OSHA) adopted the National Electrical Code (NEC) by incorporating it into its regulations by reference.

    Strong Deference: An agency may grant strong deference to standards developed by a particular organization for a specific purpose. The agency will then use the standards in its regulatory program unless someone demonstrates to the agency why it should not.

    http://www.osha.gov/

    HOW AGENCIES USE STANDARDS

    Basis for Rulemaking: This is the most common use of externally developed standards. The agency reviews a standard, makes appropriate changes, and then publishes the revision in the Federal Register as a proposed regulation. Comments received from the public during the rulemaking proceeding may result in changes to the proposed rule before it is instituted.

    Regulatory Guides: An agency may permit adherence to a specific standard as an acceptable, though not compulsory, way of complying with a regulation.

    HOW AGENCIES USE STANDARDS

    Guidelines: An agency may use standards as guidelines for complying with general requirements. The guidelines are advisory only: even if a firm complies with the applicable standards, the agency may conceivably still find that the general regulation has been violated.

    Deference in Lieu of Developing a Mandatory Standard: An agency may decide that it does not need to issue a mandatory regulation because voluntary compliance with either an existing standard or one developed for the purpose will suffice for meeting the needs of the agency.

    RELATED ISSUES

    SET-IN-STONE ON THE NAS BUILDING

    THE RIGHT TO SEARCH FOR TRUTH IMPLIES ALSO A DUTY; ONE MUST NOT CONCEAL ANY PART OF WHAT ONE HAS RECOGNIZED AS TRUTH.

    Albert Einstein 1897-1955

    DISCLAIMER

    RELATED ISSUES EXPRESSED IN THIS PRESENTATION ARE SOLELY THOSE OF THOMAS M. KOWALICK

    SYMPTOMS OF A PROBLEM

    Motor vehicle-related injury and death is the nation's largest public health problem.

    Globally, more than one million people die each year.

    National Safety Council (NSC)

    World Health Organization (WHO)

    33,808 highway deaths/year

    16 million crashes/year

    Leading cause of death for ages 4 to 34

    http://www.who.int/en/

    U.S. MODES OF TRANSPORTATION

    There are five modes of transportation:

    Aviation

    Rail

    Marine

    Pipeline

    Highway

    All modes utilize Event Data Recorders (EDRs) to analyze data. In the Highway mode EDRs are commonly termed Black Boxes.

    WHAT IS AN EDR?

    An event data recorder (EDR) means a device or function in a vehicle that records the vehicle's dynamic, time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event (e.g., delta-V vs. time), intended for retrieval after the crash event.

    For the purposes of this definition, the event data do not include audio and video data.

    Who?

    What?

    Where?

    When?

    Why?

    Much of the information to be derived from EDRs is information that eyewitnesses could NOT provide even if they were ACCURATE in all their observations.

    EVOLUTION OF EDR SCOPE & PURPOSE

    In the beginning EDR technology was built into a sensing diagnostic module in each vehicle that controls the air bag deployment.

    The initial product liability motivation for the generation of a retrievable record was to defend against claims that the air bag system had malfunctioned and caused personal injuries and the safety motivation was to enable improvements to the deployment system.

    EVOLUTION OF SCOPE & PURPOSE (Cont'd)

    Once the data was compiled for these purposes, it evolved to re-analyze the data in broader terms to promote a better understanding of vehicle and operator behavior before crashes (CAUSATION).

    EDR access has become standard procedure for crash investigations in both criminal and civil areas.

    DEVICE OR FUNCTION

    Is the Event Data Recorder (EDR) a "device" or a "function" and why does this matter? How can it be both?

    Well, that's simple: rather than describing a specific device or product, "EDR" actually is a catch-all term defining a means of collecting data distributed along a vehicle's Controller Area Network (CAN or CAN-bus).

    CONTROLLER AREA NETWORK (CAN)

    CAN is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within a vehicle without a host computer. CAN is also a message-based protocol, designed specifically for automotive applications.

    ELECTRONIC CONTROL UNITS (ECUs)

    A modern automobile may have as many as 70 electronic control units (ECU) for various subsystems.

    Typically the biggest processor is the engine control unit, which is also referred to as "ECU" in the context of automobiles; others are used for transmission, airbags, antilock braking, cruise control, audio systems, windows, doors, mirror adjustment, etc.

    Some of these form independent subsystems, but communications among others are essential.

    CAN SYSTEM

    A subsystem may need to control actuators or receive feedback from sensors. The CAN standard was devised to fill this need. The CAN bus may be used in vehicles to connect engine control unit and transmission, or (on a different bus) to connect the door locks, climate control, seat control, etc.

    1998-2010

    NHTSA REG +

    NHTSA EDR WEBSITE

    http://www.nhtsa.gov/EDR

    49 CFR 563: Event Data Recorders (EDRs)

    Final Regulatory Evaluation: http://www.nhtsa.gov/DOT/NHTSA/Rulemaking/Rules/Associated%20Files/EDRFRIA.pdf

    Final rule: http://www.nhtsa.gov/DOT/NHTSA/Rulemaking/Rules/Associated%20Files/EDRFinalRule_Aug2006.pdf

    Frequently Asked Questions and Additional Information: http://www.nhtsa.gov/DOT/NHTSA/Rulemaking/Rules/Associated%20Files/EDR_QAs_11Aug2006.pdf

    NHTSA REG WOEFULLY LACKING

    The National Highway Traffic Safety Administration (NHTSA) rule 49 CFR 563: Event Data Recorders does not address these issues:

    the ownership of EDR data;

    the authenticity of EDR data;

    the security of EDR data at the time of a crash;

    the chain of custody of EDR data following a crash;

    NHTSA REG WOEFULLY LACKING (Cont'd)

    tampering and manipulation of EDR data;

    how EDR data can be used/discovered in civil litigation;

    how EDR data may be used in criminal proceedings;

    whether EDR data may be obtained by the police without a warrant;

    whether EDR data may be developed into a driver-monitoring tool;

    and the nature and extent that private parties will have or may contract for access to EDR data.

    PENDING NHTSA ACTION

    www.regulations.gov

    Search: NHTSA-2008-0004

    Seven Petitions for Reconsideration and Letters of Support

    NHTSA ESTIMATE: EDRS IN LIGHT VEHICLES

    NHTSA ESTIMATED EDR COSTS

    NHTSA EDR ESTIMATED COSTS (Cont'd)

    STATE STATUTES

    STATE EDR STATUTES 2004-10

    Arkansas Code 27-37-103

    California Code 9950-9953

    Colorado Statutes 12-6-4

    Connecticut Public Act 07-235

    Maine Statutes 29A-1-17-3

    New Hampshire Statutes 357-G

    New York Laws 4A16 416-B

    Nevada Statutes 484.638

    North Dakota Code 51-07-28

    Oregon House Bill 2568 (644)

    Texas Statutes 547.615

    Virginia Code 46.2-1088.6

    Washington 46-35.010

    13 States have EDR legislation and there is case law in 29 states.

    NCHRP 17-24

    NCHRP RESEARCH

    NCHRP 17-24: Use of EDR Technology For Roadside Crash Data Analysis

    Objective: Recommend minimum set of EDR data elements for vehicle and roadside safety analysis

    Sponsor: Transportation Research Board

    EC VERONICA II

    EUROPEAN COUNCIL VERONICA PROJECT

    VERONICA II

    Vehicle Event Recording based on Intelligent Crash Assessment

    Passive Safety

    Duration from 1/05/2007 until 30/04/2009

    http://ec.europa.eu/transport/road_safety/pdf/projects/veronicaii.pdf

    VERONICA II is to specify the technical and legal requirements for a possible implementation of Event or Accident Data Recorders in vehicles in Europe. Of major importance is the definition of the trigger sensitivity in order to capture not only hard crash data but also data from collisions with 'soft objects', i.e. vulnerable road users which represent a relevant part of road users and victims in accidents.

    J-EDR

    JAPANESE-EDR (J-EDR)

    http://www.mlit.go.jp/kisha/kisha08/09/090328_.html

    J-EDR

    The Japanese Ministry of Land, Infrastructure, Transport and Tourism (J-MLIT) decided on the technical requirements for the application of EDRs to light vehicles (3500 kg GVWR or less) in March 2008 [J-MLIT website, 2008]. This requirement, the so-called J-EDR technical requirement, is comparable to the US Part 563. However, J-EDR is adding two data elements which are the pre-crash warning and the pre-crash brake operating status. EDRs are now being installed in ACMs by several automakers.

    SOURCE: Study on Pre-Crash and post-Crash Information Recorded in Electronic Control Units (ECUs) Including Event Data Recorders, Hirotoshi Ishikawa, Nobuaki Takubo, Ryo Oga, Kenshiro Kato, Takeshi Ikari, Enhanced Safety of Vehicles (ESV) Conference, Paper Number 09-0375, The 21st International Technical Conference on the Enhanced Safety of Vehicles Conference (ESV) - International Congress Center Stuttgart, Germany, June 15-18, 2009.

    ESV EDR PAPER

    ENHANCED SAFETY OF VEHICLES PAPER

    ABSTRACT

    http://www-nrd.nhtsa.dot.gov/pdf/esv/esv21/09-0375.pdf

    CONCLUSIONS

    The conclusions are summarized as follows:

    The pre-crash velocities recorded by the EDR were highly accurate and reliable when cars proceeded without braking prior to the collision. The accuracy and reliability of the EDR impact velocity could be affected by the braking conditions and the EDR time zero information.

    The accuracy and reliability of the maximum delta-V recorded by the EDR decreased under highly complex or severe crash conditions, as compared to the results obtained from the standardized crash tests.

    The factors responsible for this result were attributable to the characteristics of the accelerometers used in EDR, the large deformation at the location of the airbag control module, vehicle body rotation in a collision, etc.

    CONCLUSIONS (Cont'd)

    When one of the ABS sensors installed in an impacted vehicle was damaged during collision, the ABS-ECU recorded the vehicle speed and the tire rotational velocity of the four wheels at the event of an ABS malfunction.

    The engine-ECU could record the vehicle speed information when the engine was damaged during collision. In order to obtain and understand the information of the engine-ECU, crash tests are recommended to be carried out with the engine running.

    ACKNOWLEDGEMENTS

    ESV PAPER ACKNOWLEDGMENTS:

    We sincerely thank the Ministry of Land, Infrastructure, Transport and Tourism of Japan for providing the J-NCAP data and Toyota for their support in retrieving the EDR data.

    SUA

    Crash recorders opening up the box

    Anders Kullgren

    Head of road traffic safety research at Folksam

    [Figure: acceleration (g) and change of velocity (km/h) versus time (ms)]

    Delta-V 52.1 km/h

    Mean acc 12.6 g

    Peak acc 31.7 g

    http://www.etsc.eu/documents/13_Kullgren.ppt

    EXAMPLE OF SUA ITEM

    http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.29.1624

    GAO NHTSA

    GAO REPORT

    A United States Government Accountability Office (GAO) Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate (GAO-09-56) titled "HIGHWAY SAFETY: Foresight Issues Challenge DOT's Efforts to Assess and Respond to New-Technology-Based Trends" recommends that DOT (1) develop an approach to guide decision-making on new, fast moving trends that can affect highway safety; (2) evaluate whether new data systems and analytic techniques are needed to provide information on such trends; and (3) employ specific strategies and schedules in communicating with Congress about these and other trends. DOT disagreed with the first of these and did not comment on the other two. GAO continues to recommend all three.

    GAO-09-56 at www.gao.gov/new.items.d0956.pdf

    GAO REPORT

    The GAO report concludes that new fast-moving technology-based trends are characterized by uncertainties and the main criteria that DOT's National Highway Safety Administration (NHTSA) officials use in determining how to respond (quantitative evidence that a sizeable problem exists and knowledge of a promising countermeasure) do not address uncertainty.

    GAO-09-56: www.gao.gov/new.items.d0956.pdf

    INTELLECTUAL PROPERTY

    INTELLECTUAL PROPERTY EXAMPLE

    RESEARCH PATENTS TO DETERMINE THE STATE OF THE ART

    DETERMINE WHAT PUBLIC PATENT APPLICATIONS APPLY TO SUDDEN UNINTENDED ACCELERATION

    SEEK RESEARCH SUPPORT FROM A UNIVERSITY PATENT DEPOSITORY

    ANOTHER PATENT EXAMPLE

    PATENTS OFFER SOLUTIONS

    TAMPER

    NO EDR CONSUMER PROTECTION

    AUTOMAKERS ADVOCATES GOVERNMENT

    EVIDENCE OF TAMPERING

    http://www.youtube.com/watch?v=q4vr1LIOhuI&NR=1

    http://www.youtube.com/watch?v=t7La2kkUdQ0

    IN JUST A FEW MINUTES (ONLINE) ONE CAN LOCATE PRODUCTS AND SERVICES TO ROLL BACK ODOMETERS AND ERASE ECU CRASH DATA!

    DIAGNOSTIC LINK CONNECTOR (DLC)

    All light vehicles sold in the United States since 1996 are required to have an On-Board Diagnostics connector, for easy access to the car's Controller Area Network (CAN) bus.

    The Society of Automotive Engineers (SAE) J1962 Diagnostics Connector has been designated the primary physical interface to access EDR data elements in light vehicles for post-crash analysis. Data elements are commonly accessed by connecting an electronic diagnostic tool to this vehicle port.

  • 7/27/2019 IEE 111610 Presentation

    85/150

    DIAGNOSTIC LINK CONNECTOR (DLC)DIAGNOSTIC LINK CONNECTOR (DLC)

    ANYONE WITH AN eTOOL CAN PLUG-IN

    ELECTRONIC TOOLS

    A variety of electronic tools are manufactured and marketed to re-engineer vehicle networks, reset odometers and tamper with or erase vehicle data via this port, which is generally unsecured and prone to misuse of its original safety- and emissions-related diagnostic purpose.

    Unauthorized access, whether malicious or inadvertent, must be prevented in order to protect the integrity of connected devices, vehicles, and systems.

    ONLINE SITES MARKET & SELL eTOOLS

    TIP OF THE ICEBERG!

    eTOOLS

    ONLINE TOOLS TO TAMPER DATA

    Publicly advertised tools that have the ability to clear locked data from crash records in Event Data Recorders (typically SRS ECUs):

    1. http://www.uuctech.com/Products/VW-AUDI-Airbag-Reset.html

    2. http://www.tradekey.com/product_view/id/811757.htm

    3. http://www.codecard.lt/carprog/carprog-airbag-with-all-software-39-s-and-adapters-needed-for-airbag-repair-and-programming/prod_345.html

    4. http://www.adkautoscan.com/Production/R101.htm

    5. http://autocheery.en.made-in-china.com/product/reOQqGocbJiB/China-Honda-SRS-OBD2-Airbag-Resetter-for-Honda-with-TMS320-.html

    6. http://www.mtaplus.cz/navody/vwgroup_airbagreseter.pdf

    7. http://www.codecard.lt/ford-airbag-reset-tool-please-find-it-as-carprog-software-/prod

    8. http://www.codecard.lt/carprog/software/carprog-airbag/s5-5-gm-airbag-reset-tool-by-obdii/prod_88.html

    TAMPERING MOTIVATION

    GIVEN SUFFICIENT MOTIVATION, SOMEONE WILL TRY TO TAMPER WITH AN EDR.

    As a general rule, motivation can be described as a possible gain which is considered more desirable by the undertaker than the possible loss associated with the risks.

    #1 Evasion of Legal Prosecution

    #2 Financial Gain

    #3 Technical Reputation

    LEGAL USAGE

    EDR DATA, TOGETHER WITH THE EXPERT'S ANALYSIS, MAY BE USED IN COURT OR BY OTHER PARTIES TO DETERMINE QUESTIONS OF GUILT AND ANY PENALTIES.

    GENERIC THREATS

    CONFIDENTIALITY

    INTEGRITY

    AVAILABILITY

    AUTHENTICITY

    TURN-KEY SOLUTION

    SEAL THE DATA!

    SAFETY VS. PRIVACY

    The balance between privacy and public safety will be tested as EDRs become more commonplace. The price of safer roads is thus the risk that private EDR data may be used by insurance companies, the legal system, or other bodies.

    RECOMMENDATION

    RECOMMENDATION: AMEND 49 CFR 563

    ADD this section:

    563.13 Motor Vehicle Event Data Recorder Connector Lockout Apparatus (MVEDRCLA).

    Each manufacturer of a motor vehicle equipped with an EDR shall ensure that a motor vehicle event data recorder connector lockout apparatus (MVEDRCLA) as standardized by the Institute of Electrical and Electronics Engineers Standards Association (IEEE 1616a-2010) to protect the security, integrity, and authenticity of the data that are required by this part is attached to the vehicle's SAE J1962 (ISO/DIS 15031-3) vehicle diagnostic link connector (DLC) at the point of motor vehicle sale, including leased and rented vehicles.

    AUTHOR INFORMATION

    Thomas M. Kowalick is widely recognized as a leading researcher on EDR technologies. He is a member of the Author's Guild, and a retired professor in Southern Pines, North Carolina. Kowalick serves as Chair of the Institute of Electrical and Electronics Engineers (IEEE) global project 1616 to create the world's first automotive black box standard, contributed to the development of the National Highway Traffic Safety Administration (NHTSA) web site for EDR research, and as a panel member on the National Academies of Sciences project studying EDRs. He is the author of FATAL EXIT: The Automotive Black Box Debate (John Wiley) and six other books specifically covering EDR history, standardization, legislation, regulation, legal issues and consumer protection. Kowalick is also author of the EDR segment in the McGraw Hill 2009 Yearbook of Science & Technology.

    REFERENCES

    A Review of Jurisprudence Regarding Event Data Recorders: Implications for the Access and Use of Data for Transport Canada Collision Investigation, Reconstruction, Road Safety Research, and Regulation, prepared for the Road Safety and Motor Vehicle Regulation, Transport Canada. http://www.carsp.ca/downloads/edr_jurisprudence.pdf March 31, 2005.

    U.S. Dept. of Transportation, National Highway Traffic Safety Administration, Final Rule, 49 CFR Part 563, Event Data Recorders, http://www.nhtsa.gov/Laws+&+Regulations/Vehicles Aug. 21, 2006.

    Use of Event Data Recorder (EDR) Technology for Highway Crash Data Analysis, Transportation Research Board NCHRP (Project 17-24), Transportation Research Board, http://www.nhtsa.gov/DOT/NHTSA/NRD/Articles/EDR/PDF/Research/EDR_Technology.pdf December 2004.

    Vehicle Data Recorders - FMCSA-PSV-06-001, Federal Motor Carrier Safety Administration, http://www.fmcsa.dot.gov/facts-research/research-technology/report/vehicle-data-recorders-dec05/vehicle-data-recorders-dec05.htm December 2005.

    Institute of Electrical and Electronics Engineers (IEEE) global standards for Motor Vehicle Event Data Recorders (MVEDRS); IEEE 1616-2010 and IEEE 1616a-2010 at http://grouper.ieee.org/groups/1616a/ May, 2010.

    GAO-09-56 Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate: HIGHWAY SAFETY Foresight Issues Challenge DOT's Efforts to Assess and Respond to New Technology-Based Trends. www.gao.gov/new.items/d0956.pdf October 2008.

    REFERENCES (Cont'd)

    Analysis of Event Data Recorder Data for Vehicle Safety Improvement, USDOT/NHTSA DOT HS 810 935 at www.nhtsa.gov/DOT/NHTSA/NRD/Multimedia/PDFs/EDR/.../810935.pdf

    Vehicle Event Recording based on Intelligent Crash Assessment (VERONICA-II) European Commission / Directorate-General for Energy and Transport, at http://ec.europa.eu/transport/road_safety/pdf/projects/veronicaii.pdf June 2009.

    USDOT/NHTSA Docket No. NHTSA-2004-18029 comments from Public Citizen, Consumer Union, Advocates for Vehicle and Highway Safety and Electronic Privacy Information Center (EPIC), see www.regulations.gov

    THANKS FOR YOUR ATTENTION

    CONTACT INFO

    THOMAS M. KOWALICK
    305 SOUTH GLENWOOD TRAIL
    SOUTHERN PINES
    NORTH CAROLINA 28387
    910-692-5209
    [email protected]

    TAMPER

    ADDENDUM

    CONFIDENTIALITY ISSUES

    CONFIDENTIALITY is defined as the property of data that indicates the extent to which these data have not been made available or disclosed to unauthorized individuals, processes, or other entities ([ISO/IEC 2382-8: 1998], 08.01.09).

    The assumption that EDRs only provide data linked to a specific vehicle, but not a specific driver, ignores the data privacy issues outside the vehicle.

    Although it may seem feasible to avoid privacy issues by restricting the recorded data to a minimal set of sensor and status data and to only record a time span of about one minute around the crash event, it is highly probable that next-generation memory module technologies will increase the recording time, therefore making privacy issues unavoidable.

    Increasing numbers of people will obtain access to EDR data.

    The minimum requirement to access EDR data is physical access to the vehicle's interior and the SAE J1962 connector.

    Therefore, access to EDR data will always be possible unless a technical countermeasure is utilized.

    The DRIVER and OWNER will always have physical access to the EDR device (via the SAE J1962 Diagnostic Link Connector (DLC) common on all light vehicles).

    This is a problem if the owner can access data that would indicate a crash in which the vehicle was involved and where a driver other than the owner was involved in the crash.

    For example, a car rental company or transport fleet could regularly access data to find out about the crashes by drivers.

    Even if the rental company does not sue the driver immediately, the company (or even a group of cooperating rental companies) could use the data to keep a black list of drivers involved in crashes.

    Since the USDOT/NHTSA is seriously considering mandating EDRs in light vehicles, it is highly likely that lease, fleet and rental vehicles will have EDRs.

    Therefore, since DRIVERS are supposed to notify the company about any crash, accessing the EDR data would only change the situation for those drivers who had not informed the company about the crash.

    Although this might be an issue in the case of low-priority (unreported to law enforcement) crashes, access to the data by the OWNER in this scenario, especially the COMBINATION OF EDR DATA AND PERSONAL DATA, requires the consent of the DRIVER and would need to be explicitly agreed in the rental contract.

    The combination of EDR data with driving records creates data records that require consumer data protection to avoid creating black lists.

    The potential to misuse EDR data will greatly increase.

    Following a crash, many vehicles are taken to a workshop where access to the EDR data is possible.

    Workshops can sell data to car or insurance companies for statistical purposes, or sell data for marketing purposes.

    A rare/extreme motivation for workshops to download EDR data is blackmailing of drivers or owners, which is more likely to occur with high-profile crashes.

    After a crash, it may be possible that neither DRIVER nor OWNER is capable of controlling physical access to the vehicle.

    Therefore, an opportunity does exist for third parties to access EDR data from the vehicle, although they may have no rights to access them.

    It is technically possible to gather EDR evidence since the port is unprotected.

    INTEGRITY

    INTEGRITY is defined as the property of data whose accuracy and consistency are preserved regardless of changes made (data integrity, [ISO/IEC 2382-8:1998], 08.01.07). For systems (like the EDR itself), integrity means the quality of a data processing system fulfilling its operational purpose while both preventing unauthorized users from making modifications to or use of resources and preventing authorized users from making improper modifications to or improper use of resources (system integrity, [ISO/IEC 2382-8: 1998], 08.01.17).

    INTEGRITY ISSUES

    The most obvious threat to an EDR is the manipulation of the data.

    After a crash, a DRIVER or OWNER of a vehicle may be interested in tampering with EDR data in order to avoid prosecution.

    Manipulation / Tampering may take several forms, like replacing all data with a forged set of records, changing only selected records, or even changing only selected entries within a record.

    From an IT security point of view, all manipulation / tampering of data is considered unauthorized; however, it still happens.

    An attacker may delete data from the EDR's event storage, creating the impression that the crash did not happen at all.

    An attacker may overwrite incriminating data in a way that suggests that the EDR or its attached sensors did not function correctly, thus making the EDR data useless for prosecution.

    An attacker may consistently change EDR records in a way that suggests that the accident did happen, but the driver did not violate any driving regulations.

    For example, an attacker can change the vehicle speed prior to a crash to a lower value, indicating that the vehicle was being driven within the permitted speed limit.

    NOTE. Such manipulations are the most complex ones, because not only the speed needs to be changed, but also the acceleration/deceleration values, time values, and other data need to be changed consistently.
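The NOTE above seen from the examiner's side, as an added example that is not part of the original presentation: because speed, acceleration and time values are physically linked, a record in which only selected speed entries were changed fails a simple kinematic plausibility check. The field names, sample values and the 1.0 m/s tolerance are constructed assumptions, not the layout of any real EDR.

```python
"""Kinematic plausibility check for a pre-crash record (illustrative layout)."""
from dataclasses import dataclass
from typing import List, Tuple

KPH_PER_MS = 3.6  # km/h per m/s


@dataclass(frozen=True)
class Sample:
    t_s: float        # time relative to the crash trigger, seconds
    speed_kph: float  # recorded vehicle speed
    accel_ms2: float  # recorded longitudinal acceleration


def consistency_findings(samples: List[Sample],
                         tol_ms: float = 1.0) -> List[Tuple[int, str, float]]:
    """Return (interval index, kind, value) for every implausible interval.

    kind "time": timestamps do not strictly increase (value = time step).
    kind "speed-vs-accel": the recorded change in speed differs from the
    change implied by the recorded acceleration (trapezoidal integration)
    by more than tol_ms metres per second (value = the difference).
    """
    findings = []
    for i in range(len(samples) - 1):
        a, b = samples[i], samples[i + 1]
        dt = b.t_s - a.t_s
        if dt <= 0:
            findings.append((i, "time", dt))
            continue
        recorded = (b.speed_kph - a.speed_kph) / KPH_PER_MS
        predicted = 0.5 * (a.accel_ms2 + b.accel_ms2) * dt
        if abs(recorded - predicted) > tol_ms:
            findings.append((i, "speed-vs-accel", round(recorded - predicted, 2)))
    return findings


# Constructed record: braking from 108 km/h, sampled every 0.5 s.
ORIGINAL = [
    Sample(-2.0, 108.0, 0.0),
    Sample(-1.5, 106.2, -2.0),
    Sample(-1.0, 100.8, -4.0),
    Sample(-0.5, 91.8, -6.0),
    Sample(0.0, 81.0, -6.0),
]

# Constructed altered copy: only the first three speed entries were changed.
EDITED = [
    Sample(-2.0, 80.0, 0.0),
    Sample(-1.5, 80.0, -2.0),
    Sample(-1.0, 80.0, -4.0),
    Sample(-0.5, 91.8, -6.0),
    Sample(0.0, 81.0, -6.0),
]

if __name__ == "__main__":
    print("original:", consistency_findings(ORIGINAL))
    print("edited:  ", consistency_findings(EDITED))
```

A clean result only means the fields agree with each other; it is one plausibility test, not proof that a record is genuine.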

    Forging / Tampering / Manipulation is most likely following a crash, unless an attacker has exact knowledge of a pending crash and seeks to influence the post-crash analysis of that crash data.

    Therefore, most manipulation of data will occur following a crash before it has been downloaded (and secured as evidence) by an authorized party.

    Once the EDR data has been secured as evidence by time stamping and digitally signing the downloaded records, manipulation will be useless, since any record presented in court would have to compete in credibility with the original record already downloaded and introduced into the legal process by the appointed trustworthy expert.
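How time stamping and sealing a download makes later changes detectable, as an added example that is not part of the original presentation. It uses an HMAC-SHA256 tag under a key held by the examiner as a standard-library stand-in for the digital signature the slide refers to (a real deployment would use an asymmetric signature and a trusted time source); the record contents, VIN placeholder and field names are constructed.

```python
"""Seal a downloaded EDR record so later changes are detectable (illustrative)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SEALED_FIELDS = ("vin", "examiner", "downloaded_at", "sha256")


def _canonical(fields: dict) -> bytes:
    # Stable byte encoding so the same fields always produce the same tag.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_download(record: bytes, vin: str, examiner: str, key: bytes,
                  downloaded_at: str = "") -> dict:
    """Bind the record digest to who downloaded it, from which vehicle, and when."""
    fields = {
        "vin": vin,
        "examiner": examiner,
        "downloaded_at": downloaded_at or datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(record).hexdigest(),
    }
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


def verify_seal(record: bytes, seal: dict, key: bytes) -> str:
    """Return "ok", "seal-invalid" (metadata or tag changed) or "record-altered"."""
    if any(not isinstance(seal.get(name), str) for name in SEALED_FIELDS + ("tag",)):
        return "seal-invalid"
    fields = {name: seal[name] for name in SEALED_FIELDS}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparisons avoid leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), seal["tag"].encode()):
        return "seal-invalid"
    digest = hashlib.sha256(record).hexdigest()
    if not hmac.compare_digest(digest.encode(), fields["sha256"].encode()):
        return "record-altered"
    return "ok"


# Constructed sample data, not taken from any real vehicle.
KEY = b"constructed-demo-key-not-for-real-use"
RECORD = b"t_s=-2.0,-1.5,-1.0,-0.5,0.0;speed_kph=108.0,106.2,100.8,91.8,81.0"
SEAL = seal_download(RECORD, "VIN-PLACEHOLDER", "examiner-01", KEY,
                     downloaded_at="2010-11-16T15:00:00+00:00")
ALTERED = RECORD.replace(b"108.0", b"080.0")

if __name__ == "__main__":
    print("sealed copy:      ", verify_seal(RECORD, SEAL, KEY))
    print("altered afterward:", verify_seal(ALTERED, SEAL, KEY))
    backdated = dict(SEAL, downloaded_at="2010-11-17T15:00:00+00:00")
    print("timestamp changed:", verify_seal(RECORD, backdated, KEY))
```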

    Therefore, we can assume that manipulation of EDR data is only a threat during the window of opportunity between the crash itself and the point in time where the EDR is secured as evidence.

    In Hit & Run cases the window of opportunity is larger.

    There is also a threat of manipulating data prior to selling the vehicle.

    With a USDOT/NHTSA EDR mandate, a large base of installed EDRs (80+ million) will trigger development of sophisticated manipulation tools, especially if such a manipulation can be programmed in software.

    Electronic tools exist to manipulate EDRs and to alter digital odometers.

    AVAILABILITY

    AVAILABILITY is defined as the property of data or of resources being accessible and usable on demand by an authorized entity ([ISO/IEC 2382-8:1998], 08.01.17).

    AVAILABILITY ISSUES

    Threats to EDR data are similar to the INTEGRITY threats because they have similar effects, although they can have different causes.

    The EDR or some of its sensors could malfunction, be severely damaged in the crash or the power supply to the EDR could be cut.

    AUTHENTICITY

    AUTHENTICITY deals with the origin and genuineness of data. In EDR issues AUTHENTICITY has its own set of threats relative to EDR security architecture.

    EDR data is used as evidence in disputes, and therefore its authenticity must be guaranteed to a degree acceptable by courts.

    AUTHENTICITY ISSUES

    EDRs raise critical issues including:

    who should have access to the data stored;

    under what circumstances access should be granted;

    whether EDRs are tamper-proof; and

    whether they are resistant to accidental spoliation.

    AUTHENTICITY ISSUES

    Access to EDR data is possible by anyone having physical access to the vehicle interior and plugging an electronic tool into the SAE J1962 connector.

    The Court, or any higher authority, must be convinced that the data presented to it can be linked unambiguously to an event and a certain vehicle.

    AUTHENTICITY ISSUES

    AUTHENTICITY needs to be protected during the data transition from the EDR to the court.

    The current design of EDR architecture and data model provides a link between the EDR and the vehicle.

    However, the EDR itself would not provide a digital signature of any kind to prove that the data originates from the EDR.

    AUTHENTICITY ISSUES

    As the records are not signed by the EDR, everybody in the chain could modify them.

    Such modifications would be hard to spot if the original record is not integrity-protected.

    EDR data needs to be sealed at the time of the crash.

    AUTHENTICITY ISSUES

    If not sealed at crash time, it is crucial to keep the time window between crash and download of the EDR data as small as possible.

    Signing the records by the EDR itself cannot be implemented without a significant overhead for a security infrastructure.
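
    What a record sealed at crash time gives the people downstream in the chain, as an added example that is not from the presentation or from IEEE 1616a. It uses an HMAC from Python's standard library as a stand-in for the digital signature the slides mention; the key, VIN, field names and values are all constructed.

```python
import hashlib
import hmac
import json

# Constructed demo values; not from any real vehicle, EDR or standard.
EDR_KEY = b"constructed-per-device-demo-key"
SAMPLE_EVENT = {
    "vin": "TESTVIN0000000001",
    "event_id": 7,
    "pre_crash_speed_kmh": [62, 61, 58, 49, 31],
    "delta_v_kmh": [0.0, -4.1, -9.8, -15.2],
}


def canonical(record):
    """Deterministic bytes for a record, so sealing and checking agree."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Seal at crash time: the tag covers VIN, event id and every data field."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def check(envelope, key, vin_on_vehicle, event_in_dispute):
    """Classify a downloaded envelope before it is relied on as evidence."""
    record = envelope["record"]
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return "modified"        # any change after sealing breaks the tag
    if record["vin"] != vin_on_vehicle:
        return "wrong-vehicle"   # intact, but sealed for another vehicle
    if record["event_id"] != event_in_dispute:
        return "wrong-event"     # intact, but a different recorded event
    return "authentic"


if __name__ == "__main__":
    sealed = seal(SAMPLE_EVENT, EDR_KEY)
    edited = {"record": dict(SAMPLE_EVENT, pre_crash_speed_kmh=[50, 50, 50, 49, 31]),
              "tag": sealed["tag"]}
    print(check(sealed, EDR_KEY, "TESTVIN0000000001", 7))
    print(check(edited, EDR_KEY, "TESTVIN0000000001", 7))
    print(check(sealed, EDR_KEY, "TESTVIN0000000001", 8))
```

    An HMAC key can forge a tag as well as verify one, so a court-facing design would need an asymmetric signature with keys provisioned per EDR, which is the security-infrastructure overhead the slide refers to.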

    AUTHENTICITY ISSUES

    However, sealing the EDR data at the time of crash via a CLA is both technically feasible and economically sound.

    SIMPLE: Amend 49 CFR 563 NOW!

    Reliable proof of AUTHENTICITY of EDR data is achieved via an IEEE 1616a CLA.

    NCHRP ADDENDUM

    NCHRP RESEARCH

    Objective: Recommend minimum set of EDR data elements for vehicle and roadside safety analysis

    Sponsor: Transportation Research Board

    NCHRP 17-24: Use of EDR Technology For Roadside Crash Data Analysis

    NCHRP 17-24 LEGAL QUESTIONS

    Does the Federal government have the regulatory authority to mandate the use and collection of EDR data?

    May the Federal government require manufacturers to install EDRs?

    What authority permits NHTSA and the various State DOTs to include information in their own State databases?

    NCHRP 17-24 LEGAL QUESTIONS (Cont'd)

    What limitations do private parties face when attempting to use the information contained in EDRs?

    May private parties obtain the data contained in EDRs without the consent of the vehicle owner as part of the discovery in preparation for trial?

    May private parties, such as insurance adjusters, private attorneys, and researchers, obtain the data contained in the EDR at the scene of the crash or through pre-trial discovery without the consent of the vehicle owner?

    NCHRP 17-24 LEGAL QUESTIONS (Cont'd)

    May private parties obtain and use EDR data when unrelated to trial discovery?

    Does the search of an automobile to obtain information contained in an EDR raise a Fourth Amendment question?

    May police officers seize EDR data during post-crash investigations without a warrant?

    NCHRP 17-24 PRIVACY QUESTIONS

    Do car owners have a reasonable expectation of privacy in EDR devices as a component of the automobile?

    Does a car owner have a reasonable expectation of privacy in the telemetry data provided by EDR devices?

    May police officers obtain the data without the owner's consent after obtaining a warrant for both criminal and non-criminal investigations?

    NCHRP 17-24 PRIVACY QUESTIONS (Cont'd)

    What other privacy and legal issues are important in considering the use of EDR data?

    What are the implications of the Fifth Amendment and EDRs?

    What are the Federal Rules of Evidence and the use of EDR at trial?

    NCHRP 17-24 FINDINGS

    USDOT/NHTSA may require the installation of devices that demonstrably improve highway safety or advance some other significant policy interest.

    There is public policy interest in installing EDRs.

    PUBLIC QUESTIONS

    How do professionals analyze EDR data -- what special equipment do they use?

    How do EDRs function during pre-crash, crash and post-crash mode?

    Under what circumstances can third parties, such as law enforcement or insurance companies, download data from the EDR?

    How do third parties, such as insurance companies, collect and manage electronically recorded event data?

    NCHRP 17-24 FINDINGS (Cont'd)

    With respect to Fourth Amendment concerns, the police (or other government accident investigators) may properly seize such devices (or otherwise collect the data therefrom) without a warrant during post-accident investigations.

    NCHRP 17-24 FINDINGS (Cont'd)

    Authority is premised on two legal issues:

    Seizure of a required safety device does not constitute a search implicating the Fourth Amendment.

    Seizure of a safety device qualifies under the exemptions for conducting a warrantless search.

    NCHRP 17-24 FINDINGS (Cont'd)

    Law Enforcement authority to conduct warrantless searches may be affected by how soon after the crash the search occurs.

    The more immediately the search occurs following the crash, the greater the officer's authority to conduct a warrantless search.

    NCHRP 17-24 FINDINGS (Cont'd)

    Absent a crash, law enforcement may not seize such data without a warrant or express legislative action.

    Although the data and the recorder itself may be owned by the vehicle owner or lessee, that data may be used as evidence against the owner (or other driver) in either a civil or a criminal case.

    NCHRP 17-24 FINDINGS (Cont'd)

    Nothing within the Federal Rules of Evidence (FRE) or the Fifth Amendment's protection against compelled self-incrimination would exclude the use of data recorded by EDRs.

    Owners might be prohibited from tampering with the data if litigation is pending.

    MYTHS, MYSTERY, MISINFORMATION

    What is the difference between an EDR and a "black box" common to airplanes?

    Why are automakers installing EDRs in modern vehicles?

    Why do safety advocates believe we need these emerging technologies?

    What do privacy advocates fear about them?

    PUBLIC QUESTIONS

    What are the positive and negative perceptions of EDRs to the public?

    What types of crash data do EDRs record and for what duration?

    Can the EDR record where a vehicle traveled -- or how fast it was going at any given time?

    Under what circumstances will people have access to EDR data?

    PUBLIC QUESTIONS

    Who has access to crash data?

    What is the U.S. government proposal for EDRs?

    What's in your vehicle?

    What recording capability will be in the next new vehicle that you drive -- maybe a rental car?

    How is it possible to balance safety and privacy?