A recent report from The Intercept has confirmed some of our biggest fears about connected vehicles. Apparently, U.S. Customs And Border Protection (CBP) has struck a deal with Swedish mobile forensics and data extraction firm MSAB for hardware that allows the government to not only siphon up vehicle data but also use it as a backdoor to access the information on your phone.
While this shouldn’t be all that surprising in an America that’s seen the Patriot Act pave the way for all sorts of government spying, the arrangement represents another item in a toolbox that’s frequently used against regular citizens. CBP is alleged to have spent $456,073 on a series of vehicle forensic kits manufactured inside the United States by Berla. Internal documents suggest that the system was unique and of great interest to the U.S. government, with a multitude of potential applications pertaining to automotive data. But what surprised us was just how much information carmakers thought their products needed to keep tabs on and how that plays into this.
From The Intercept:
According to statements by Berla’s own founder, part of the draw of vacuuming data out of cars is that so many drivers are oblivious to the fact that their cars are generating so much data in the first place, often including extremely sensitive information inadvertently synced from smartphones.
Indeed, MSAB marketing materials promise cops access to a vast array of sensitive personal information quietly stored in the infotainment consoles and various other computers used by modern vehicles — a tapestry of personal details akin to what CBP might get when cracking into one’s personal phone. MSAB claims that this data can include “Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been.” MSAB even touts the ability to retrieve deleted data, divine “future plan[s],” and “Identify known associates and establish communication patterns between them.”
As if that’s not enough, the system is also said to be capable of pulling really detailed items, like when and where you turned on your headlamps or opened/closed a door. There are also data logs for vehicle speed, gear selection, steering inputs, ignition cycles, and more — all linked to your positional data and the time. Manufacturers have been cagey about just how much information modern vehicles take in and share but the answer appears to be “literally as much as we can engineer into them.”
And now it’s available to anyone who can afford one of these kits, including government agencies, despite being an absolutely massive violation of the Fourth Amendment to the United States Constitution.
MSAB’s contract with CBP was active from June of last year until the end of February and reportedly worked with Customs And Border Protection’s Laboratories and Scientific Services on training. The Swedish firm stated that it has no customer policy or governance on how its products/services are used. Considering that MSAB was previously helping teach people how to crack smartphones, that’s hardly a surprise.
The company has only recently branched out into automotive espionage and previously found itself extremely popular with law enforcement agencies around the world that wanted easy access to the private data contained within mobile devices. But with the automobile gradually metamorphosing into a motorized computer that beams data back to the manufacturer, the new business was shaping up to be a lot like the old one — only with fewer privacy protections in place, brand new data points to swipe, and a backdoor into networked devices (e.g. phones, tablets).
“The scale at which CBP can leverage a contract like this one is staggering,” explained Mohammad Tajsar, an attorney with the American Civil Liberties Union of Southern California.
The Intercept report goes on to reference an NBC article that gives numerous examples of police and government agencies leveraging vehicle data for investigations, often without warrants. That piece also quoted Berla founder Ben LeMere as he outlined the insidiousness of how the data is harvested in the first place on The Forensic Lunch podcast.
“People rent cars and go do things with them and don’t even think about the places they are going and what the car records,” he explained. “Your phone died, you’re gonna get in the car, plug it in, and there’s going to be this nice convenient USB port for you. When you plug it into this USB port, it’s going to charge your phone, absolutely. And as soon as it powers up, it’s going to start sucking all your data down into the car.”
“What they’re really saying is ‘We can exploit people because they’re dumb … We can leverage consumers’ lack of understanding in order to exploit them in ways that they might object to if it was done in the analog world,’” suggested Mr. Tajsar.
Automakers are complicit in this because there’s absolutely no way they were unaware of the type of information that’s being gathered. While many will urge them to deploy better security measures, your author has been averse to data harvesting since day one. It’s predatory and leads to egregious privacy violations like the one you’re reading about now. We’ve covered quite a bit on the topic ourselves, but those interested in learning more will also find a wealth of information in The Intercept’s full report.
[Image: Virrage Images/Shutterstock]