Are Automotive 'Black Boxes' Secure?

Charles Murray

December 21, 2012

4 Min Read
Are Automotive 'Black Boxes' Secure?

The National Highway Traffic Safety Administration (NHTSA) proposed a rule this month ordering automakers to put so-called "black boxes" in all new vehicles by late 2014, but some experts are concerned that the new rule won't protect the security of the data stored inside.

A member of a working group at the Institute of Electrical and Electronics Engineers (IEEE) has cited problems with the new rule because electronic data recorders (EDRs, also known as "black boxes") could reportedly be accessed by anyone who wants to tamper with data after an accident. "We're all for event data recorders," Tom Kowalick, chairman of the IEEE Global Standards for Motor Vehicle EDRs and an author of seven books on EDRs, told Design News. "But we're also for some kind of basic consumer protection."

Kowalick contends that numerous companies already make software-based solutions for downloading and altering data after a crash. "Last time I looked, there were 23 companies making products that allow someone to erase your crash data," Kowalick told us.


Today, data can be easily collected with legitimate data retrieval systems that link up to a vehicle's onboard diagnostics (OBD-II) connector. Devices such as Bosch Diagnostics' Crash Data Retrieval systems make data accessible to professionals -- automakers, insurance investigators, accident reconstruction experts, and law enforcement agencies -- using the right software tools.

But Kowalick worries that the methodology leaves an opening for aftermarket products specifically targeted at tampering with the data. A simple search on YouTube using the terms "erase crash data" reveals numerous software products aimed at erasing or changing EDR data, he said. Some of those YouTube videos show tens of thousands of hits. Those systems, he said, enable others to change such data as wheel speed, engine speed, throttle position, steering wheel angle, airbag deployment, or other parameters after an accident has occurred. "Why would 100,000 people be looking at this?" Kowalick asked us. "Don't you think it's possible that someone is buying this software and using it?"

NHTSA's proposed mandate calls for all light passenger vehicles to install EDRs, beginning Sept. 1, 2014. A press release on the agency's website explains that the installed devices would only monitor such parameters as vehicle speed, brake usage, crash forces, throttle position, seat belt usage, and air bag deployment, among others. It added that the devices, which are now installed in as many as 96 percent of new cars, would not monitor personal identifying information. NHTSA did not respond to calls from Design News regarding data security issues, however.

Kowalick told us that he wants NHTSA to incorporate a set of IEEE standards (IEEE1616 and IEEE1616a) into its EDR description. The standards call for EDRs to use 86 additional data elements that reportedly aren't called out in NHTSA's description.

Kowalick also proposes addition of a mechanical lockout device that would help prevent data tampering. He is founder of a company called AirMika Inc. that makes an automotive cybersecurity lock.

Kowalick emphasized that the IEEE is not against the proposed NHTSA mandate. "There's no going back now -- the toothpaste is out of the tube," he said. "We're just saying that the data should be secure at the time of the crash, so it will still have scientific value."

Related posts:

About the Author(s)

Charles Murray

Charles Murray is a former Design News editor and author of the book, Long Hard Road: The Lithium-Ion Battery and the Electric Car, published by Purdue University Press. He previously served as a DN editor from 1987 to 2000, then returned to the magazine as a senior editor in 2005. A former editor with Semiconductor International and later with EE Times, he has followed the auto industry’s adoption of electric vehicle technology since 1988 and has written extensively about embedded processing and medical electronics. He was a winner of the Jesse H. Neal Award for his story, “The Making of a Medical Miracle,” about implantable defibrillators. He is also the author of the book, The Supermen: The Story of Seymour Cray and the Technical Wizards Behind the Supercomputer, published by John Wiley & Sons in 1997. Murray’s electronics coverage has frequently appeared in the Chicago Tribune and in Popular Science. He holds a BS in engineering from the University of Illinois at Chicago.

Sign up for the Design News Daily newsletter.

You May Also Like