The need for digital forensics in the automotive world

Imagine an illegal hacking incident has taken place in a modern connected vehicle.  We know something has happened, but we don’t know who, exactly what, how or why.  We need to know these things for two reasons; firstly, to catch the bad guy, but secondly to learn how they did it, so we can (hopefully) fix the mistake in other vehicles.

Enter forensics. Digital forensics is the practice of preserving, gathering and presenting evidence from digital devices for the purposes of criminal or civil investigations.  A traditional acquisition involves a suitably qualified person either seizing a computer and performing evidence acquisition in a lab or performing live acquisition on a machine such as a server.  Either way, this person also ensures that their digital footprint is both minimal and fully justified whatever they are doing.

It’s an interesting thought regarding how this might be performed on a vehicle.  Depending on the make and model of the vehicle, there could be any number of places which could store evidence (including the telematics unit, the gateway module and the infotainment system).  Preserving this evidence can be difficult as there is no extra logging hardware (due to potential extra cost or weight), and data that is stored (such as recent locations) can be volatile.  Getting the data off printed circuit boards could be destructive and therefore compromise evidence.

Traditional data recording devices such as the event data recorder is highly limited in storage capacity and could be wiped by an innocuous action such as starting the engine.  All this data might be changed or wiped depending on if the vehicle was stationary, was hurtling down the motorway and whether there was any interaction or connection to an external source (for example, through telematics, GPS navigation or mobile phones). Car components can sometimes be swapped out with other second-hand parts (thereby leaving no evidence within the vehicle itself).  Electronic compromise such as the infamous relay attack (used primarily for theft currently) leaves no clue as to what has happened – except by inference – even if the car is recovered.

Beyond all this however is the larger picture – the only real world evidence that vehicles are being targeted by cyber-criminals is car theft – and this is a clue only because the actual vehicle goes missing.  Other than alerting events where something might be wrong with the vehicle, there are currently little (if any) detection, logging or forensic measures that would enable us to tell whether communications are being jammed, whether the vehicle’s internal network is full of fake messages or whether someone is monitoring or stealing data.

This is a multi-dimensional problem, as added software and hardware could impact performance, safety and efficiency in a vehicle.  But with global cybercrime now worth over $1.5 trillion in revenue, can we afford not to think about it?