Wednesday, 31 December 2008

Tampering with Speed Limiters

Some researchers up in Leeds have published a study of GPS-based speed limiting for cars.

The national cycling groups are in favour of it, because the idea of cars not speeding appeals; the "unionists", the Association of British Drivers and their anti-speed-camera allies, are against it.

Bristol Traffic leaves it up to individual contributors to have their own opinions. But this one, the Computer Scientist in the group, is against it on software engineering grounds:
It is one thing to have SatNav give you hints as to where to drive, hints you should consider but not follow blindly; it is another to rely on GPS and accurate mapping data to control your vehicle.
The Leeds study took volunteers and explored how voluntary and mandatory speed limiting worked, then interviewed various people to see what they felt about the idea. What it did not attempt was to impose speed limiting on unwilling participants, people who want to drive fast. Doing so would show not only how acceptable the idea is to the country at large, but how willing people are to subvert the system. A realistic study would therefore instrument a city's taxi/minicab fleet (I can think of a city), or every driver convicted of speeding who is coming off a driving ban.

As it is, the closest thing we have to speed limiting infrastructure today is the tachograph in lorries, which records speed and working hours. Which is why Ross Anderson's wonderful book Security Engineering has a section on subverting tachographs, right between Banking and ATM security and locking down Nuclear Command and Control Systems so that high-energy physics events only take place with senior management approval.

Trying to limit vehicle speeds from a bit of in-car electronics and GPS is as workable as the film companies trying to restrict DVD players to specific regions so they can charge price differentials on different continents (result: multiregion players cost a 10 pound premium). It's as workable as the games console companies trying to stop you hacking into the console so you can play downloaded games burned onto your own disks (result: modified firmware chips are widely available). These consoles are not easy to hack, either; it took someone at MIT three weeks to 0wn the Xbox. If there is money to be made from subverting something in your possession, be it a games console, a DVD player or a tachograph, then someone will do it. And if the hack is a software one, then it usually scales well. Only one person needs access to the Scanning/Tunnelling Electron Microscope; the rest just pay for the results and some modified firmware.

Imagine that three years from now, every car comes fitted with mandatory speed-limiters driven by GPS. How would you attack it?

Attack one: lie about your location. Civilian GPS isn't secure: the signal isn't authenticated, and anyone can generate spoof satellite signals. An in-car pocket GPS spoofer would feed the satnav unit signals saying you were in France or Germany, where the map's limits don't apply, and you could drive as fast as you like. A plain jammer, which just drowns out the real signal, works too if the limiter fails open when it has no fix (and failing closed would strand every car in a tunnel or multi-storey car park). This is a good attack because when the spoofer is switched off it leaves no trace: when the speed limiter is checked in the MOT, all would appear well.

Attack two: firmware hacking. Any embedded computer with upgradeable software is a candidate for replacement firmware. There may be checks on the firmware, that it is digitally signed by someone trusted; those need to be subverted first. If you can roll back to the legitimate firmware for the MOT test, nobody will know.

Attack three: hardware patching, the common games console attack. It shows up in a physical inspection, if anyone does one.

Attack four: don't update the maps. Assume that every year speed limits come down; there is then no benefit in updating your maps. Snap the link to the GSM modem, or refuse to pay the 10 pounds/year for updates. If the MOT checks that you are up to date, someone needs to record the previous year's update, and after the MOT you replay the older map into the satnav. This is a rollback attack: a signature proves that a map came from the provider, not that it is the current one, so the limiter also needs a check that map versions only ever move forward.

Attack five, and this is the fun one: generate fake maps. Create one that says the maximum speed for the country is 120 mph. Install it in your own machine, sell it to others. At this point the security experts are going to say "ah, but our system will only download signed maps from a trusted provider". Which may be true, but it rests on certain assumptions about the security of things like HTTPS, the padlock (or green bar) in the browser window that tells you that the bank site really is who it says it is, and not some Russian phishing site. On the same day that the UK government published its paper on SatNav-based speed control, a group of hackers, several of them Dutch, published a lovely paper on how to subvert HTTPS by using MD5 collisions to obtain a working fake certification authority certificate from a real CA. It's a fairly complex paper and hard to understand, the good news being that none of us need to know the details. What is important is that people like Ben Laurie, key developer of the OpenSSL stack and the Apache SSL module, are scared. Because right now, this week, we can't trust HTTPS sites to be who they say they are. There are very serious implications for the web in this, but they would also impact things like GPS-based satnav: "signed by a trusted provider" is only as strong as the weakest authority the limiter trusts. If I could make a fake map that removed all speed limits from cars sold after 2012, how much would it be worth?
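To make attacks four and five concrete, here is an added example (mine, not code from the Leeds study, the government paper, or any real limiter) of a map-update acceptance routine in two versions. The naive one accepts any map whose signature verifies against any key in its trust store, the way a browser trusts every CA in its store; the hardened one pins a single provider key and refuses any map whose version does not move forward. Everything in it is constructed for the example: the keys, the road names and limits, and the use of HMAC-SHA256 as a stand-in for the provider's real signature so that it runs offline with the standard library. Putting the attacker's key straight into the naive limiter's trust store is a simplification of what a mis-issued CA certificate achieves.

```python
import hashlib
import hmac
import json

# Hypothetical keys, constructed for this example.
PROVIDER_KEY = b"map-provider-signing-key"   # the legitimate map provider
ROGUE_KEY = b"key-minted-via-a-rogue-ca"     # attacker key that a mis-issued
                                             # CA certificate would make "trusted"


def sign_map(key: bytes, version: int, limits: dict) -> dict:
    """Produce a signed map update. HMAC-SHA256 stands in for the provider's
    real (asymmetric) signature so the example runs offline."""
    payload = json.dumps({"version": version, "limits": limits},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def _verifies(key: bytes, update: dict) -> bool:
    expected = hmac.new(key, update["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, update["tag"])


class NaiveLimiter:
    """Accepts any update that verifies against *any* key in its trust store
    and never looks at the map version: 'only signed maps from a trusted
    provider', and nothing more."""

    def __init__(self, trusted_keys):
        self.trusted_keys = list(trusted_keys)
        self.version = 0
        self.limits = {}

    def install(self, update: dict) -> bool:
        if not any(_verifies(k, update) for k in self.trusted_keys):
            return False
        data = json.loads(update["payload"])
        self.version, self.limits = data["version"], data["limits"]
        return True

    def limit_for(self, road: str) -> int:
        return self.limits.get(road, 30)   # assumed default: 30 mph urban limit


class HardenedLimiter(NaiveLimiter):
    """Pins one provider key (a rogue CA buys the attacker nothing) and
    refuses any update whose version does not move forward (a recorded
    older map cannot be replayed after the MOT)."""

    def __init__(self, pinned_key: bytes):
        super().__init__([pinned_key])

    def install(self, update: dict) -> bool:
        if not _verifies(self.trusted_keys[0], update):
            return False
        data = json.loads(update["payload"])
        if data["version"] <= self.version:     # anti-rollback check
            return False
        self.version, self.limits = data["version"], data["limits"]
        return True


# Constructed map updates: the 2009 release, the stricter 2010 release, and
# an attacker's "no limits" map signed with the rogue key.
MAP_2009 = sign_map(PROVIDER_KEY, 2009, {"M5": 70, "A38": 60})
MAP_2010 = sign_map(PROVIDER_KEY, 2010, {"M5": 60, "A38": 50})
FAKE_MAP = sign_map(ROGUE_KEY, 2011, {"M5": 120, "A38": 120})


def run_attacks(limiter) -> dict:
    """Install the legitimate 2010 map, then try attack four (replay the
    2009 map) and attack five (install the rogue-signed map). Returns the
    limit the limiter believes applies on the M5 after each step."""
    limiter.install(MAP_2010)
    result = {"after_update": limiter.limit_for("M5")}
    limiter.install(MAP_2009)
    result["after_replay"] = limiter.limit_for("M5")
    limiter.install(FAKE_MAP)
    result["after_fake_map"] = limiter.limit_for("M5")
    return result


if __name__ == "__main__":
    # The naive limiter trusts both keys, as a browser trusts every CA.
    print("naive:   ", run_attacks(NaiveLimiter([PROVIDER_KEY, ROGUE_KEY])))
    print("hardened:", run_attacks(HardenedLimiter(PROVIDER_KEY)))
```

The naive limiter ends up at 70 mph after the replay and 120 mph after the fake map; the hardened one stays at 60 mph throughout. Note what the hardening does not buy you: the version counter and the pinned key live inside the limiter, so attacks two and three (replacement firmware, a hardware patch) remove both checks at a stroke.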

If SatNav-based speed limiting is flawed, what to do? Well, why not charge a bit of road tax based on peak vehicle speed? Or just speed limit all cars to 100 miles an hour, more than enough for UK overtakes and driving (and to get you to the French Alps when needed) but removing demand for big-engined cars that waste petrol at normal speeds. Or rely on the ANPR-instrumented motorways to catch speeding cars, and similar infrastructure in-city. You are going to need such cameras anyway, to keep an eye on the older cars, the cars from the rest of Europe, and the people who have just paid for my high-speed map of the country. There are lots of options that don't rely on tamper-proof hardware being embedded in cars, with tamper-proof maps and reliable GPS constellation data received in real time. It would be one of those things like biometric ID cards: an expensive way to not solve the underlying problems.

8 comments:

bikerchick said...

Yet another attempt to resolve a social problem using a technological solution! fail.

SteveL said...

Exactly. And as it is doomed, the cycling organisations should consider how the money should be better spent.

W said...

http://www.economist.com/sciencer/displaystory.cfm?story_id=12758720

SteveL said...

That's an interesting article, even if written in the usual optimistic world view of the Economist.

The comments are worth a read too, especially the one that argues that lack of awareness of other road users and their intent causes a lot of problems. It would seem to me that being on the phone is one cause, yet all the high-end cars have hands-free phone systems, despite studies showing it is the conversation with someone remote that is the danger, not the holding up of a phone to your ear.

W said...

And here is the research for those that missed it.

http://www.economist.com/science/displaystory.cfm?story_id=12719410

I can't see a GPS type system ever working. People were so anti road pricing that a blackbox type system was scrapped before it ever got going.
Speed limit cars? Well humans like going fast and I would love to see the day a government suggests that.
I thought most accidents are caused by a number of factors, including speed.
A 100mph limit would not work and would be flawed much like the GPS software. And it would not have any effect on slow moving traffic (where I believe most accidents occur).

SteveL said...

My current car is limited to about 80mph as it starts to get rattly after that. I had a car (in the US) that VW did limit to 120mph by electronics, but as that was 2x the speed limit that was moot. The only time I got stopped by the police for speeding on it I was doing 73mph on a motorway; a speed that in this country would be slow lane.

The original study shows that the best environmental benefits come from speed limiting cars on the motorway; that can be done with elapsed-speed cameras and ANPR; no need to retrofit every car.

W said...

Lorries are restricted to 56mph. So 73mph in a slow lane is near on impossible to maintain.

SteveL said...

Once you tamper with the tachographs the lorries get to go faster.

I agree though, you can't sustain 73 in the slow lane. But if you do it on a lorry-free stretch of the M5, most cars will be going past you.