Episode 72

It's Time To Bust the Ghosts in Our Cars with Eric Monterastelli Halloween Series Part III

In the final, crossover episode of our three-part Halloween series, Eric Monterastelli, Public Sector SE at Delinea, Founder, Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast, joins Carolyn Ford and Tracy Bannon to discuss the scary reality of car security. Is your car spying on you? Can a nefarious actor take over your car? Does your car know your deep personal data like your immigration status, race and more? Hint: It can and it does.

Key Topics

  • 00:02:05 Technology advances put vehicles at risk.
  • 00:06:25 Hijacked Jeep's wireless signal, turning it off.
  • 00:07:35 Chrysler systems hacked due to digital ignition.
  • 00:10:47 New EV platforms streamline technology for efficiency.
  • 00:15:13 Disconnect, purge and be careful: data can be accessed.
  • 00:18:58 Using TrueCar, author obtained personal information illegally.
  • 00:21:54 Pre-OBD2 Mercedes is OBD1.
  • 00:25:12 Mozilla uncovers alarming auto data collection.
  • 00:28:29 Future vehicles will have integrated alcohol-detection systems.
  • 00:32:48 Routers, cars can be hacked, collect data.
  • 00:35:42 Read your vehicle's owner's manual for instructions.
  • 00:36:55 Speak to rental clerk about removing data.

The Intersection of Cybersecurity, Car Security and the Ghostbusters Mission

Ghostbusters Mission: Car Security & Car Hacking

Eric Monterastelli talks about how cars have evolved to include more computing technology, which opens them up to potential attacks. He gives the example of a Jeep that was hacked to shut off while driving, demonstrating the real dangers.

Tracy Bannon contrasts U.S. car manufacturers that use many third-party components versus Tesla's more integrated system. She argues Tesla's approach may lend itself to more car security. The hosts explore different potential attack vectors into vehicles, like Bluetooth connections.

Mozilla Participants Share Automotive InfoSec Insights

Eric Monterastelli shares findings from a Mozilla report about the wide range of deep personal data that can be collected from cars, including things like facial expressions, weight, health information and more. The hosts are alarmed by the privacy implications.

Tracy Bannon advocates that car manufacturers need to make cybersecurity a priority alongside traditional safety. She indicates cars are data centers on wheels, collecting information that gets sent back to big cloud data centers. They emphasize the need for vigilance from car owners about what information they allow their vehicles to collect.

Concerns About Data Collection in Modern Vehicles

Modern Car Security: Braking, Speed and Steering Patterns

Eric discusses the extensive data that is now collected by modern vehicles, especially EVs. He notes that information is gathered on things like stopping distances, brake pressure applied, vehicle speed and overall driving habits. This data is no different than the type of driver performance analysis done in race cars. Automakers are collecting real-world usage data from customer vehicles to analyze driving patterns and vehicle responses. Tracy adds that the average new vehicle contains over 100 different computers and millions of lines of code that are all networked together. This networked data covers areas like powertrain functions, safety features and infotainment systems. All of this interconnected data presents opportunities for tracking very detailed driving behaviors.

Privacy Risks in Driving: Collecting Personal Data and Concerns

Eric cites a concerning report that modern vehicles can potentially collect extremely sensitive personal data simply through normal driving, including information on immigration status, race, facial expressions, weight, health conditions and even genetic data. He explains that optical facial recognition software could be applied to cameras already present in many vehicles. Other data like weight and health metrics can be gathered from sensors in seats or wearable devices synced to the vehicle. The interconnected nature of modern vehicle computers and far-reaching data collection enables mining of very private user information that goes well beyond basic driving statistics. Carolyn reacts with disbelief at the potential extent of personal data gathering described.

Car Security Comparisons Between Traditional Manufacturers and Tesla

Challenges in U.S. Car Manufacturing Component Compatibility

Tracy explained that traditional U.S. car manufacturers have said they use components from hundreds of different distributors and providers. These components were not necessarily created to work together, unlike the approach taken by Tesla. Since traditional manufacturers are buying piece A and knitting it together with piece B, piece C and piece D, there can be integration challenges. The components may not align well since they were not designed under the same umbrella with a holistic approach.

Comparing Tesla's Integrated Approach to Enhance Car Security

Tracy contrasted the traditional manufacturers' approach with Tesla, which has created everything under one umbrella. Tesla told any component providers what the requirements were and how the components needed to align to what Tesla needed. This holistic approach within Tesla results in more seamlessly integrated and likely more secure vehicles compared to cobbling together components from many different organizations.

Tesla's Privacy Concerns: "But Tesla, there's been reports and there's been investigations showing that they can turn on the cameras inside the car and see what you're doing. They've been spying on people. There's been all sorts of allegations that have been thrown out there." — Eric Monterastelli

Combining Car Parts from Various Sources Raises Security Risks

Eric and Tracy discussed how having disparate systems talking over a common bus and language can introduce vulnerabilities. While a proprietary closed system like Tesla's may have risks if it is fully hacked, assembling many components from different providers can also have downsides. There are more potential holes or vulnerabilities when piecing together parts from various organizations, compared to having everything designed and built under one umbrella.

Integration of Systems in Modern Cars

Unified Mainframe Powers Modern Electric Vehicles, Replacing Separate Components

Eric discusses how newer electric vehicles like Teslas, Ford Mach-Es, and Porsches have a single mainframe that controls and interacts with all the components of the vehicle. In contrast, older cars had separate systems for the engine/drivetrain and infotainment that did not necessarily communicate with each other. For example, in a 2000s Chrysler, the infotainment system running the radio was separate from the encrypted Bosch system controlling the engine. Integrating all these components into one mainframe makes the new electric vehicles more convenient but also introduces potential vulnerabilities.

Single Computer Control and Car Security Vulnerabilities Explored

Tracy elaborates that the average new car today has over 100 different embedded computers, plus modules networked together and communicating via a CAN bus system. So there is one central computer that can interact with the engine, transmission, safety systems and infotainment features. While this integration is designed for efficiency and effectiveness of the software systems, it also means one access point can potentially control multiple components of the car. This is different from older cars where systems were more isolated from each other. The interconnectedness makes modern vehicles potentially more susceptible to cyber attacks.

The Vulnerabilities of Modern Vehicles: "For me, that's a scary reality. And it actually has shied me away from buying the newest of the new cars even though there are some really exciting things out there because what am I opening myself up to, if I buy a Ford Mach-E or a Tesla Model 3 or something else." — Eric Monterastelli

Vulnerabilities and Risks in Modern Cars

Integrating ML and AI into Cars through Computing Advancements

Eric discussed how cars have evolved significantly in engineering since the early 1900s. He highlighted that around 2000, more powerful computing technology like ML and AI computers were integrated into vehicles to make decisions about engine performance and interact with various systems. This advancement allowed for additional "creature comforts" in cars, but also opened them up to potential attacks and vulnerabilities that older cars did not face.

Future of DUI Prevention: "It's gonna become standard issue like power windows and remote locks and things like that where you're not even gonna be able to drive and operate a vehicle if it senses that you're in any way inebriated or under the influence." — Eric Monterastelli

Modern Vehicles' Complexity Heightens Vulnerabilities and Security Risks

Eric further acknowledged that consolidating disparate systems into one mega computer, while making things more convenient, also introduced vulnerabilities. With everything controlled by one mainframe, the attack surface is larger. He contrasted modern vehicles to cars from the mid-2000s, where engines were still separate from entertainment systems. Now they are fully integrated, which provides more connectivity but less isolation among components.

The Electric Vehicle Boom and Its Impact on Digital Systems

According to Eric, the rise of electric vehicles has led to even more potential issues, as they rely even more heavily on electrical systems and digital connectivity like over-the-air updates. Features that make EVs exciting also make them more susceptible to cyber threats compared to traditional internal combustion cars. The reality that EVs open owners up to unknown risks has made Eric shy away from the newest vehicles.

Differences in Car Security Among Manufacturers

Contrasting Tesla and Porsche Systems: Unified Communication vs. Proprietary Approach

Eric compared Tesla's interconnected systems to Porsche's components from various suppliers like Bosch. He said Tesla has full access to proprietary systems through the air, while Porsche uses a CAN bus for disparate systems to communicate. The closed nature of Tesla's system makes it completely open to them.

Tracy added more context, mentioning Porsche is connected to VW and Audi, who work with Bosch for many electromechanical parts like sensors and multifunction interfaces. She reiterated that these disparate systems in Porsche communicate via a CAN bus system.

Eric acknowledged Tracy's point that both brands use a CAN bus for the back-end electrical system. However, he still sees more risks with Tesla having full access to a closed proprietary system through the air versus Porsche's various supplier components that don't directly communicate beyond the CAN bus.

Risks of Personal Data Storage in Cars

Storing Personal Data in Car Infotainment Beyond Phone Disconnect

Tracy explained that even after disconnecting your phone from a car's infotainment system, personal data like contacts and GPS history can remain cached in the system. She warned that simply pressing "disconnect" does not purge the infotainment system of your data. Eric added that unless you fully wipe the system, your data remains stored even after trading in or selling your car. He gave the example of someone pulling a used head unit from a junkyard car, and upon powering it up having full access to the previous owner's contacts and address history.

Cyber Security Perspective on Data Collection in Cars: "They can collect deep personal data such as sexual activity, immigration status, race, facial expressions, weight, health, and genetic information while you're driving." — Eric Monterastelli

Car Disposal Doesn't Ensure Personal Data Erasure from Head Unit

Tracy shared that her husband takes extensive precautions to prevent others from accessing personal data, such as degaussing old hard drives before disposal. She explained these same precautions should be applied to cars, since simply trading in or scrapping a car does not mean personal data is removed from components like the infotainment system. Eric affirmed this concern, stating that short of an EMP blast, data remains recoverable from the car's memory chips even after the car changes owners. He advised thoroughly wiping car systems before sale to prevent exposing personal information.

About Our Guest

Eric Monterastelli is the Public Sector SE at Delinea, Founder and Crew Chief of Gran Touring Motorsports and Host of the Break/Fix Podcast. He has more than 18 years of experience in information technology, specializing in systems engineering, virtualization and software development. His previous stops include Dynatrace, BAE Systems, Raytheon, the Department of Defense, LogRhythm and Symantec, among others.


Transcript
Carolyn Ford [:

Welcome to Tech Transforms sponsored by Dynatrace. I'm Carolyn Ford. Each week, Mark Senell and I talk with top influencers to explore how the U.S. government is harnessing the power of technology to solve complex challenges and improve our lives. Welcome listeners to a spine-chilling episode of the Tech Transforms and Break/Fix podcast, So What? Crossover. This is the third and final episode in our 3 part series where we're exploring some of the spookier, creepier and crazier sides of technology. If you missed our previous episodes, we have linked to them in the show notes, so be sure to check them out. Today, we have a hauntingly important topic to discuss, the intersection of cybersecurity, car hacking and the Ghostbusters mission. I'm Carolyn Ford, your host.

Carolyn Ford [:

And with me are the spook-busting co-host, Tracy Bannon. Hi, Trace. And we've got the one and only crew chief, Eric.

Eric Monterastelli [:

Hi, Carolyn. It's good to be back on Tech Transforms. Last time we saw you, we were talking EVs. This is a great opportunity to continue that conversation.

Carolyn Ford [:

So that's what we're gonna chat about on this special crossover episode. So let's get going. Eric, I'm gonna kick off with the first question to you. Sure. Let's talk about ghosts in our cars. What, if any, are the cybersecurity challenges in today's cars? Are there any that you find particularly frightening?

Eric Monterastelli [:

n engineering since the early:

Eric Monterastelli [:

And up until the:

Tracy Bannon [:

Well, it depends. If you are buying a U.S. made car from a traditional manufacturer, they have come out and said I think it was about 6 weeks ago, they came out with a report that said, we're not Tesla. We have components from hundreds of different distributors, from hundreds of different providers, and they were not created to go with one another. Or if they were, they were not created under one umbrella. So you're buying piece a, knitting together with piece b, piece c, piece e. The problem with that and the differentiation from Tesla is that Tesla has created everything under an umbrella and told anybody who's providing any part for them what are the requirements, and how are you going to align to exactly what we need so there's a holistic aspect to a Tesla that I would assert would make it more secure as opposed to less secure. If I'm cobbling together or piecing together lots of pieces from different organizations, I'm gonna be able to get after many more holes.

Eric Monterastelli [:

That's a fair point, but disparate systems talking over a common bus, over a common language sharing information is a little bit different than a proprietary system that someone has full access to over the air. So when you compare a Tesla to a Porsche, yes. Porsche is in bed through Volkswagen, Audi Group with Bosch, and Bosch supplies a lot of the, let's say, electromechanical parts that run the system in general from engine sensors to the MFI, the multifunction interface that's running your radio and all those kinds of things. They talk over what's known as a CAN bus. It's a back end electrical system that lets those disparate systems talk to one another. But Tesla, there's been reports and there's been investigations showing that they can turn on the cameras inside the car and see what you're doing. They've been spying on people. There's been all sorts of allegations that have been thrown out there.

Eric Monterastelli [:

So it's a closed system that's completely open because I can touch every sensor, every camera, every piece of it versus in a Marc It's harder to attack the motor than it is to hack the radio, right, because they aren't necessarily talking to one another. So there's good and bad on both sides.

Tracy Bannon [:

There are almost different attack issues or different threat models that we're talking about. If you have a holistic system and a nefarious actor gains access to that, do they suddenly get access to everything? Versus, I believe, what is a much more difficult to detect vector that comes in through one of those components. Yes. We're talking about there's the over the air aspect to it. Although, other cars now, it's not just Tesla that has updates over the air. There are other cars that are making updates over the air. I would ask about whether you're serious, OnStar, all of the other areas where they can gain access to your car.

Tracy Bannon [:

We have to think about many, many, many different attack vectors. So I don't know if we can say that one is better than the other. I think that the attack surfaces, the attack vectors are very, very different. And so we have to start to think about, as the end user, how do I protect the owner of the car? How do I protect them first and foremost

Eric Monterastelli [:

Mhmm.

Tracy Bannon [:

From privacy invasions and from nefarious actions? So I wanna protect them first and then figure out is over the air a good thing, a bad thing? Do I always need to go into a mechanic? Are they gonna send me now a module that I plug in myself? Like, what are those other alternatives if we were to isolate them from over the air updates.

Carolyn Ford [:

I wanna jump in our DeLorean and go back in time about 8 years ago, it was at either Black Hat or DEFCON. They hacked the Jeep. Yep. So you remember this. Can one of you, like, talk us through exactly what happened. Because this is where I was like, oh, this isn't just abstract. Oh, we might be able to do this. We might maybe this or that.

Carolyn Ford [:

Like, they hacked the Jeep. They took it over. So, Eric, you wanna walk us through exactly what happened?

Eric Monterastelli [:

I can speak intimately to this because I own one of these vehicles. In today's day and age, you're talking 8 years ago, that was 3G wireless technology or cellular technology. Now it's secured by obscurity, so you don't have to worry about it as much, but, yes, they were able to hijack the cellular signal coming out of the Jeep, which was used for over the air updates in a primitive system that Chrysler had put together, and they were able to basically turn the car off. It couldn't do too much as you weren't going in there and reprogramming or remapping the engine or any of its fuel parameters or anything like that. Those systems are protected. That's a Bosch system in the Jeep, so they weren't able to hack that. But because you've got the remote key fobs and the remote start and the, you know, this and that and all these wonderful creature comforts that we've become used to, those things are susceptible. So over the air, got in, and were able to turn the Jeep off while it was running.

Eric Monterastelli [:

It's like, holy cow. You know? The equivalent of me hitting the ignition button while going down the road.

Carolyn Ford [:

The well, they're driving down the road. The Jeep just got shut off, just dead in the water.

Eric Monterastelli [:

Correct. Which has its own ramifications. Right?

Carolyn Ford [:

Yeah. So let's get back in the DeLorean, come back to the future. They were able to just turn it off. You said they couldn't do too much. Theoretically, what can they do now?

Eric Monterastelli [:

Not too much. And part of that is because especially in the case of Chrysler, which at that time was owned by Fiat, now part of the Stellantis Group, a mega merger that's occurred over the last couple of years. Luckily, unlike a Volkswagen system where the ECU that runs the engine is unencrypted, the Chrysler systems are fully disk encrypted, so you can't actually hack into the transmission module, powertrain module, or the ECU that controls the engine. And that's why the hackers could only get so far, but that ignition button being digital, not a physical key, they were able to circumvent that and turn the system off. Yeah. You could go in and mess with other settings through the Uconnect, which is the MFI or multifunction interface that runs a radio, things like that, because that's basically, let's call it, an Android based system that's running in the vehicle. So there's ways to get into that. You have to remember platforms like that were designed not 8 years ago, 3 years prior to that because it takes to 4 years to get a car to market.

Eric Monterastelli [:

ology were they leveraging in:

Tracy Bannon [:

Looking at some information, just throwing some data points out. Right now, the average new car has over a 100 computers, a 100 little modules embedded pieces in it. A hundred of those things, millions of lines of software code. And they're all networked together, but it falls into a couple of different categories. So just putting this out there to help people wrap their brains around it because we are hopping over so many different nefarious areas. You've got the things that you've talked about, the drive train, controlling the fuel, the battery, monitoring emissions, so one group. It's another category which is about providing safety. So this is the thing that's outside the car.

Tracy Bannon [:

Automatic braking can be a part of that, backup monitoring. The third gets into the cool stuff, which is the fun stuff, the infotainment. And I would say that this is probably an area that would be highly hackable because this is getting into cellular services and WIFI connectivity and WIFI hotspots being provided by the car itself. You know? And another is getting after the need to communicate between all of those. So there's kind of that fourth area of having that network inside the mark as a data center, right, with all of the connectivity between it. So there's just so many opportunities to hack into it. Well, it's a nefarious actor's dream world. Right? To your point, even if we think about things that are not related to the car, if we think about simple things like that button remote, whatever that button remote is too.

Tracy Bannon [:

You remember about 8 or 10 years ago, people were driving around, and they were searching out, you know, other people's WIFI so they could to their WIFI or searching out their RFIs, searching out whatever they could, searching out their Bluetooth. That's still happening, but now we're not driving by a house, we're going into an apartment building to try and get signal, right, to hijack somebody's signal and ride piggyback. Now we're thinking about what can we do nefariously with that. If you think about the bad actors who want to hack into a car, they're not doing that simply to steal your data. We're talking about life and limb when it comes to hacking into a car.

Eric Monterastelli [:

ld days where, say, circa mid:

Eric Monterastelli [:

We have to stretch people's understanding a little bit here, and it's not something that we're imagining or we're trying to put FUD into the universe. It's real. And I'm so happy that General Motors and Ford through their Lincoln division stopped putting in wireless hubs in their cars because adding Internet access so you can plug in your laptop on the go, and your passengers could do all this kind of stuff. Oh my goodness. Talk about opening the floodgates at that point. I mean, low-e Bluetooth is adding enough, let alone

Tracy Bannon [:

Mhmm. The Wi-Fi that they were adding in these cars. So you don't see that feature anymore. No. But it was fun a couple years ago to be driving down the highway, and it's usually my husband driving and me tapping away at the and connecting. "Wait. Oh, who, who, oh, can I connect? Can I connect?"

Carolyn Ford [:

But wait. I don't know why that's so bad. Sorry. It sounds good to me.

Eric Monterastelli [:

It's sort of like turning up the wick on your home Internet and then broadcasting to everybody on the planet that your WIFI is wide open with no password.

Tracy Bannon [:

Right. Drive down the highway and I connect to you. And you're in the car beside me, and I'm connecting to your car. I'm not connecting to my car. That's great, but I can get that through my hot spot. So I don't need my car to do it for me.

Carolyn Ford [:

So you're using my Internet. What do I care?

Eric Monterastelli [:

Your home was infiltrated. It's the same way. Your house has just been hacked. Somebody's using your Internet. But think about this. Now if the cars are talking to one another or you've got a nefarious person in the passenger seat of that Uber, he just downloads a virus onto your car, and you're a brick in the middle of the beltway.

Carolyn Ford [:

There we go. Now we're getting spooky. Eric, I read an article that you wrote. To be honest, I didn't follow it entirely, but the gist of it was don't connect your iPhone to rental cars. Tracy's like, yes. Why would you do that?

Tracy Bannon [:

I get a rental car every week. Every week, I get a different rental car because for one day a week, I travel either to DC or to New York, get a car. When I get in, I can see all of those other passengers who have synced and allowed their contacts to be downloaded. So when you connect to your phone, wonderful to Apple Play, let's say, I'm now opening the door for it to use all, now I love to use Apple Play so I can get a bigger display of what I'm doing. I don't allow it to touch my contacts. I don't allow it to sync any of my prior calls.

Carolyn Ford [:

So can you do that? Like, when you connect, you can say only do my nav system.

Tracy Bannon [:

Well, depending on the version of Apple Play, yes. And I also only use the cable.

Carolyn Ford [:

Most of us aren't that sophisticated. I mean, we need to be able to just say, yep, connect.

Tracy Bannon [:

But we have to be.

Eric Monterastelli [:

So I like what Tracy said that she only uses a cable. I'm old school like that too. Turn off that Bluetooth. You're less even if it's low e Bluetooth, all that kind of stuff, but there's another piece to this. Not only is it contacts, it's your GPS history. And one of the things it will pick up is that simple little word home. Ew. And think about this.

Eric Monterastelli [:

A rental car is not designed differently than your passenger vehicle. It starts life as a passenger vehicle. So the way General Motors or Volkswagen or Toyota is building them is for the convenience of that lone driver or that family to say, Yeah. I'm gonna sync up my phone. I'm gonna use the nav system. I'm gonna use all these creature comforts that are specific to you. But in a rental car, it's public information. So now how many homes are listed in there? And if I was somebody nefarious and go, well, let me go to the last person that's closest to me that's home.

Eric Monterastelli [:

Now I can figure out where you live, case your house. I'm in a rental car, which is nondescript. Doesn't belong to me anyways. If you trace my tag, it goes back to Hertz or Enterprise or whoever. Like, you can really snowball this off if you're not careful.

Carolyn Ford [:

What if I delete my phone when I turn the car back in? Like, I say disconnect. It still has my data?

Eric Monterastelli [:

Disconnect is one thing, but you have to purge the system. And so that data is cached there from the last time it synced with your phones. You have to be very careful of that, but there's another piece that people forget. Oh, I got rid of my car, traded it at the dealership, or I gave it to, you know, Salvation Army and it went to the junkyard one's a good one. The junkyard. Well, guess what? People that are pulling head units, whether it's me that I need a spare one for my Jeep because I gotta replace it or if it's the junkyard that wants to resell it, the data is still written on the device if it hasn't been purged. So the minute that simple system fires up, I now have access to all your contacts and where you live and everything else that was added to the vehicle.

Tracy Bannon [:

This is the reason that my husband has opsed to my dev. This is why he doesn't throw away hard drives after they're meant to magnetize and degausses them. Then there are some things that he does to take pieces apart so that people cannot capitalize on it. Because if you even think that you have erased your hard drive and throw a hard drive out, you put it out in the curb for the trash man to take away, if your district does that, or if you take it to the local collection, people can get after the data that is there, the things that have been saved. So it's the same mental model. Don't leave an electronic trace behind. Yep. And if you are going to have anything that is made public, how can you reduce that and anonymize it? Don't click home.

Tracy Bannon [:

You could type in your address, but never in a rental car go into your apps, go into your navigation app and click home, because you have now, to your point, just broadcast exactly where you live.

Eric Monterastelli [:

Short of the fact that we don't use hard drives in cars anymore, there are still some disk based systems out there, some legacy stuff floating around. Everything's on chips. Mhmm. We know that forensics has gotten very sophisticated these days, and the data can be reconstructed with careful consideration and tooling. So short of hitting the car with an EMP to basically wipe out every chip that's on it, you have to be very, very careful. I would say this. If I was going to get rid of a car, I would probably have none. I'm not gonna say a burner phone, but a dummy phone that I would resync, purge, resync, try to do a multiple rewrite because I can't zeroize the system.

Eric Monterastelli [:

That's on my personal vehicle. But on a rental car, my recommendation to everybody is do not sync your phone to the car, especially over Bluetooth.

Carolyn Ford [:

But okay to use a cable.

Eric Monterastelli [:

Use a cable. Now here's the other thing. I'm a mark even more old school than Tracy in this case. I travel with a physical GPS. I have my own private Garmin. I have all my stuff saved on there, plug it into a cigarette lighter, the car doesn't know anything about anything. Not only that, I don't wanna pay the money that Hertz charges, you know, the rental fee for a GPS. I like being offline because those systems are designed to work without cellular.

Eric Monterastelli [:

They're designed to communicate one way with the satellites in the sky and say, here's where I am. Here's where you're looking to go. End of story. And they work here. They work in Europe. They work everywhere, and I don't have to be tied to my phone and making all that work. Now I know people are going, oh, well, I wanna get my music, and I wanna get my podcast, and I can't listen to you if I'm not connected to the car within reason. Right?

Tracy Bannon [:

So you can. You just made me think that I need to get down to our basement as full size of our house, and it is filled with way too much hardware, but I know that there's a box that has our TomToms and our Garmins. I hadn't thought about that one. I really like that idea of simply taking that because I just need to know where to turn in a city that I haven't been in before. For me, that's all that I need to know. Now I'm not going back to MapQuest and printing it out, though.

Carolyn Ford [:

ent. You guys have heard this:

Eric Monterastelli [:

Okay. I'll give you a prime example here. I wrote another article a couple of years ago, specifically for my mother-in-law who we had this exact argument. And I said, I'm gonna take something as simple as your license plate number and show you I can get all sorts of information about you even though the DMV is supposed to protect us and all this kind of stuff. So I reverse-engineered through an ad I actually saw on TrueCar using their system as an automated evaluator for selling the car and trading in it. What should I get? Like, Kelley Blue Book value for the vehicle. And I work backward from there. And the information it gave me about the vehicle, then I was able to take that and reverse engineered into another public access database and finally end up in places of public record saying, well, this is where you live, and this is that, and this is other information and blah blah blah.

Eric Monterastelli [:

And here you go. Here's full report on you, and it took me maybe an hour to figure all that stuff out. I'm not doing that every day. It's not my job to be that ethical hacker, but there are people out there that are doing this, and it's something as simple as that 6 or 8-digit license plate number can give you access to all sorts of information.

Tracy Bannon [:

Okay. So to Carolyn's point, because we are doing, like, this wonderful whack-a-mole firing across the universe of all of these nefarious things that can happen with a car, what you're talking about, Eric, is another kind of social engineering leveraging license plate to be able to find out more about somebody. But, Carolyn, it depends on what the goal of the nefarious actor is. What if I had a crush on a beautiful woman that I met at the Dubliner in DC? I might wanna find out more about her. I may wanna find out where she lives, where she's been traveling, follow her habits. I probably might do that through a car. It's gonna be less traceable than trying to follow your phone. So what am I after? Maybe I am after getting into some of your financial information, and I want a social engineer to get there.

Tracy Bannon [:

How much can I get from your contacts? Maybe you have saved your bank information as a phone contact. A lot of people do that. Depends on what that nefarious actor is at. The thing I'm most scared about is actually the bad guys wanna take control of the physical car, you know, accelerate it or stop it, right, as opposed to damaging my privacy. We're not seeing a lot of that yet. We're not seeing a lot of that yet.

Carolyn Ford [:

Are we seeing it at all?

Tracy Bannon [:

I believe we're going to see bits of that on the horizon.

Carolyn Ford [:

Wait. Wait. Wait. Have we actually seen this in real life?

Eric Monterastelli [:

As we go deeper into what's known as fly by wire, where you have electronic throttle control, electronic braking, electronic steering assist, all these kinds of things where you add the word electronic as a convenience rather than mechanical or hydraulic, you suddenly open the world up to more issues. So you know which car isn't hackable? The car with hydraulic power steering, hydraulic brakes, and you run the throttle by a cable. You can't hack that.

Tracy Bannon [:

you've just said is I need a:

Eric Monterastelli [:

Or a:

Tracy Bannon [:

I have to look. I actually have an 88 Mercedes, and that was right at the cusp when they started to add in a lot of electronics. So I had to look and see. I had never bothered to check because it's just a summer ice cream car.

Eric Monterastelli [:

was introduced in:

Eric Monterastelli [:

And I don't wanna into that, but it's a real thing that's happening. But

Tracy Bannon [:

Let's add another tangent on this just to scare the bejesus out of Carolyn. Now there are insurance companies that are offering to you a plug, and you put it in, and it's a way that they're capturing your driving information. Not saying that Waze or Google Maps or other things are not capturing how fast you're going and where you're going to, but it's capturing your driving. And what they're doing is you are actually approving them. You're giving them access to that data so that they will lower your rate because you prove to them that you're driving under a certain, you know, under certain thresholds. I'm always at the speed limit or below. I haven't been in any kind of fender benders. The car hasn't had any jolts.

Tracy Bannon [:

So in those cases, you're actually approving somebody to get into your Wheaties and to know all your business.

Eric Monterastelli [:

Yes. So Allstate and Progressive were doing that for a while. It was a dongle. You actually plugged into the OBD2 and that would then transmit data back. And I was always like, yeah. I'll pass. Thank you very much.

Tracy Bannon [:

Correct. That's where I was, and I didn't even want it for my kids. I'm like, I wanna know how fast they're driving, but I really We don't want anybody in our family's Wheaties, so everybody out of my data pool.

Eric Monterastelli [:

And one of the funniest stories, and this will be included in our show notes, actually comes from a racetrack experience with one of our previous guests, Andy Pilgrim, and it's hilarious. He's test driving for a magazine, one of the brand new Corvettes, and he's on track. OnStar keeps calling him saying, sir, we see that you've been in an accident. He's like, no. I'm fine. I'm, you know, I'm on a racetrack, and you'll hang up on him, and then they'll call back. And they keep calling back, and they're like, sir, it says the car is upside down. He's like, no.

Eric Monterastelli [:

I'm on a racetrack, and you can see all the GoPros that he's out there testing this new Corvette, and he's so funny about it and so nice about it, but they're like, just stop calling me for the next hour because the car is fine. Right? But all the G sensors, all the motions, all the suspension information was being sent to OnStar, and they were getting a false positive that this car had been in a wreck. Think about that, then suddenly the cops show up or they're chasing you or, you know, I again, somebody's being dispatched.

Carolyn Ford [:

What if we get to a place where Big Brother's like, no. You're going too fast. We're gonna shut you down.

Tracy Bannon [:

It's on the horizon.

Eric Monterastelli [:

And think about that. He was on track at a 150 miles an hour testing this Corvette, and they shut him down. And now he loses brakes. He loses everything because the car is off. That's a dangerous situation to be in. But nowadays, to your point, Tracy, they've integrated a lot of that stuff into the cars directly from the factory. There was a report. I mean, it's hot within the last couple of weeks.

Eric Monterastelli [:

They came from all places in Mozilla that I didn't expect from. It's not one of my normal venues to grab automotive information, but they approach it from the cybersecurity perspective to talk about all the data that's being collected in the car that you're unaware of, your braking points, how long you're braking, you know, how you're steering, how fast you're going, all those kinds of things are now being recorded in the more modern vehicles, especially these EVs. But the part that got scary, and I'm gonna read this right from the article. It says "they can collect deep personal data such as sexual activity. What? Immigration status, race, facial expressions, weight, health, and genetic information while you're driving."

Carolyn Ford [:

Wait. How? Do you guys believe that?

Tracy Bannon [:

Yeah. How? Really good.

Eric Monterastelli [:

Well, every time you put a camera somewhere, do you have the optical facial recognition in software that can be manipulated even if you're streaming it remotely back to a data center somewhere in the cloud. You know, that data can be processed. The weight and the health and that information is as simple as the digital wristwatches that everybody's wearing. They can put those sensors in the seats. Think about it when you got in a car and if you put a heavy grocery bag on the passenger seat Yeah. And it starts barking at you that you need to plug the seat belt in and all that because of the airbag system. Those sensors are already there.

Tracy Bannon [:

I was driving a car last week, and I thought I was paying pretty good attention, but I had on all of the collision avoidance.

Eric Monterastelli [:

We call those nannies.

Tracy Bannon [:

Yeah. Well, you need to pull over. You need to get a cup of coffee. You need to pull over. Driver alert signal. So that type of thing. How is that being captured? How is that going to be used? Right? There's a lot of information that's being about your behaviors by that car, and we need to understand what the manufacturers are doing with it. Does it stay within the car, or is there a possibility of that data being propagated out?

Eric Monterastelli [:

Is it reporting that data back to Hertz or Enterprise?

Carolyn Ford [:

So why do they want all this data? I have ideas. You tell me, Tracy, why do they want it?

Tracy Bannon [:

Well, the optimist says looking for trends to help keep us healthy. Mhmm. The pessimist says control.

Carolyn Ford [:

Mhmm.

Eric Monterastelli [:

And the engineer in the room wants to collect data to build a better mousetrap. Because if I think about it from a motorsports perspective Control. Well, it's not necessarily control. It's evolution. I don't want to control the vehicle. What I wanna know is stopping distances, for an example. How much pressure is being applied. How fast is the car slowing down? Looking at the driving habits.

Eric Monterastelli [:

This is no different than analyzing a race car's driver's performance. They're getting real-world data from the car.

Carolyn Ford [:

Go to Tracy's point to make things better for us. So where my mind went was data is the new oil. All that data is just building more advanced. It's used to feed the AI engine that we can there's all kind of scary that we can talk about on another episode.

Eric Monterastelli [:

For sure.

Carolyn Ford [:

That's where I think and probably one of the prime reasons that they want this data.

Tracy Bannon [:

And that's where I track it back to I just use the word control.

Eric Monterastelli [:

Mhmm.

Tracy Bannon [:

Eric, yeah. As an engineer, I wanna collect everything that I can at all times. And, somebody who's been around the block for a while, I also know that data privacy is of utmost importance, especially the work that I do with government. So that has allowed me personally to be a little bit more balanced about what I collect. I'm gonna send us down a different avenue for a minute and just get your thoughts on the infrastructure bill that includes a little bit of breathalyzer on the horizon for the U.S. Have you been following this?

Eric Monterastelli [:

Yeah. I've actually met different companies that have engineered those systems, how they're integrated into the computers, how they work. We're actually supposed to have one of them on the show to deeper dive into how that technology really works. And to your point, it's going to be integrated into the HVAC systems almost stealthily on a lot of cars. I know GM is a big proponent in bringing those systems into their vehicles in the future, but it's gonna become standard issue like power windows and remote locks and things like that where you're not even gonna be able to drive and operate a vehicle right. If it senses that you're in any way inebriated or under the influence.

Carolyn Ford [:

I'm kind of okay with that, and it really just works for alcohol.

Eric Monterastelli [:

Until and this is an extreme. It becomes an issue of maybe violence or theft or of desperation where you're like, I have to get home, so now I stole my neighbor's car because it's older. You know? Even the you know, those kinds of things. Like, you could extrapolate all sorts of use cases from this, but immediate reaction is if you can't drive home, you're gonna get angry. And does that become violent? Does it become physical? Does it just become call an Uber?

Carolyn Ford [:

Well, yeah, but you put someone behind the in a car drunk. Now all of a sudden I mean, that car is ultimately a weapon

Eric Monterastelli [:

Oh, 100%. But here's where it ends up going. So it calls an Uber for you, and you have to wait for the Uber to show up. That same technology was proposed by Tesla for automatic maintenance refreshes. So it senses that your tires are getting lower, that you need brakes, and it calls home to the dealership.

Carolyn Ford [:

We're, like, right on the cusp of Fahrenheit 451. I can't do not.

Tracy Bannon [:

Like, that's what we always

Carolyn Ford [:

like to do.

Tracy Bannon [:

Oh my gosh. We are. We are. The pessimist among me says, Yes. We are. The optimist among me says, this is amazing advances for humanity. So..

Eric Monterastelli [:

And don't get me wrong. I love cars. I've been around cars since I was a kid, and their evolution is amazing. They are just pieces of art. They're pieces of complex engineering. There's a lot that goes into a car and a lot of people that make a car successful, whether it's the most fabulous hypercar or the most economical small car on the road. There's a lot of thought, engineering, and time and effort that goes into that. So I don't wanna shun people as like, oh, we should go back to horses and buggies.

Eric Monterastelli [:

That's what you're really saying because that's the safest thing. No. It's not true. The point is, like anything else, whether it's a laptop or a tablet or a smartphone or any other digital device is to just do your due diligence. Be aware. Be vigilant of what you're connecting to, how you're connecting to, and how you're interacting with these platforms. And in the old days, cars were not at the forefront of the attack surface. And now as we become more and more digital, we are introducing them into a very complex and open world.

Carolyn Ford [:

To that point, you guys, with all the data that these cars are collecting, what kind of security is in place in the cars? Like, is it kind of an afterthought? We can do all this advanced stuff with the cars. Why can't we bake some security into to protect people like me.

Eric Monterastelli [:

And, Tracy, correct me if I'm wrong. Cars are not considered right now an endpoint device. It's not like you're gonna throw an antivirus on there or something like that. Some sort of Tenable or even something like Dynatrace. You're not doing application performance monitoring on a vehicle yet. So what we have to do is focus back on the data centers, making sure that they're secure, making sure that the lines of communication are encrypted from end to end, making sure that good development practices are put in place when a software patch is put out. We don't wanna render a car useless. Obviously, they go through strenuous Q and A on cars compared to a lot of other software.

Eric Monterastelli [:

We voice stuff on people as beta. It's tying up the loose ends at the control center, making sure that Toyota, General Motors, and Tesla, they're doing their due diligence to keep not only their customers, but the passengers. The fallout of the customer, whether it's family, friends, the Uber driver, whatever it is, making sure that they are safe. They're doing everything they can to ensure that that endpoint device is secure.

Tracy Bannon [:

They have been hyper-focused on keeping us safe from a physical perspective. Now we're talking about extending that into the cyber realm, and that is a change. Right? They have been creating good software, and they have strong software practices that were not necessarily focused on the cybersecurity of the software. It was the efficiency and effectiveness and reliability of the software. Those are important things, but we have to add in that additional domain now. And so to your point, doesn't matter who it is. They need to be thinking about this. It opens up a world though of older cars.

Tracy Bannon [:

ve stopped being updated, and:

Tracy Bannon [:

And the newer the car, the more you see that. The car is a little data center that is connected to a big data center.

Eric Monterastelli [:

Yeah.

Tracy Bannon [:

And what does that communication look like, and how is that data being leveraged? It's almost as though we need a car data bill of rights.

Eric Monterastelli [:

I like that. That's really good. So, again, we could go down so many different rabbit holes on this. There's more to explore on this particular topic, but I think basically at the end of this is just be careful what you do and what you sync with.

Carolyn Ford [:

Let's leave our listeners with some just basic tips. So number one tip is if you're gonna hook up to a rental car, use a cable, which I always carry a cable with me anyway because I'm too technically inept most of the time to make the connection, so I always know that the cable's gonna work. I'm glad to know I've been doing, like, safe hygiene there. What else? Whether you're synced or not,

Tracy Bannon [:

don't hit the home capability within your phone.

Carolyn Ford [:

I do that almost every day.

Tracy Bannon [:

So don't tell it to take you home. Put in your address, especially if it's your own car. That's one thing. But if it's especially if it's a rental, don't do it there.

Carolyn Ford [:

Google prompted me to do that. Like, they want you to, like what are your favorites, and what do you wanna name them? You know? So it's convenient.

Tracy Bannon [:

It is. It is. As we said before, take just a moment. It doesn't have to be a science fair project. Take a moment to understand your car. What are the capabilities of your car? Do you see an old school CD player? Right? 6 stack CD player? Or do you have a digital display? That's gonna give you a little bit of an of where you are on the automation scale, where you are in the computerization scale. I'm sure that Eric has resources that he can share with us to kinda help us figure out. Yeah.

Tracy Bannon [:

I've got a a:

Eric Monterastelli [:

The best place to start is by reading your vehicle's owner's manual because there are steps in there on how to sync, how to unsync, how to purge, how to clear data, and it's gonna be different for every vehicle. Families of vehicles will share similar setups and configurations because, like Tracy talked about, they're getting components from certain manufacturers. All these radios and Toyotas are made by Pioneer. Well, Pioneer is gonna have a certain way to purge the data. Mhmm. Read that owner's manual because we're not gonna be able to answer. Well, I have a 19 whatever Porsche. How do I do it? Read the owner's manual.

Eric Monterastelli [:

That's gonna be your gospel in terms of how to take those steps. You might learn something else along the way, but start with that. And if you are getting a rental car and you find that I need to connect or it pulled data, pull the owner's manual out of the glove box. It's still there, and learn the quick steps. It should only take about 20 seconds to go in and purge your phone. Don't worry about everybody else's. At least purge yours.

Carolyn Ford [:

I just got a rental car, and there was no owner's manual.

Eric Monterastelli [:

You can look them up online. You can look them up online.

Carolyn Ford [:

That's true. You can if you're in a place where there's connectivity. It just so happens that I was kind of I was in a dead zone. I was in the middle of a national park, and there was no like, I couldn't search engine anything. I couldn't ask some generative AI for help.

Eric Monterastelli [:

If you're in a jam like that when you return it to Hertz or Enterprise or Alamo or wherever you borrowed it from, talk to one of the clerks there before you hand over the keys. Hopefully, you have some extra time. If you're pressed to go to the or something like that, it might be a little challenging, but say, hey. Can you help me remove this data from the car? Can you help me purge it or make sure that they take care of it? Again, we've all picked up rental cars before going, wow. There's a lot of data on this system.

Tracy Bannon [:

We've gotta continue this conversation another day because we're just gonna keep going at it. I hope that we have served our Halloween purpose in scaring the bejesus out of people. Eric, I gotta ask you this question. Wouldn't it be fun to have this conversation and have 2 additional guests if they were still around? Tom and Ray Magliozzi, Click and Clack, the Tappet Brothers. Can you imagine having this with the Car Talk guys?

Carolyn Ford [:

I loved that show, you guys. Loved it. They were so funny.

Tracy Bannon [:

And honest and authentic and entertaining.

Eric Monterastelli [:

That's right.

Tracy Bannon [:

Yeah. And, hopefully, we have hit maybe 5 to 10% of their amazingness with today's podcast.

Eric Monterastelli [:

If you want some more of that amazingness, you can always hop over to Break/Fix podcast where our goal is to capture the living history of folks throughout the auto sphere, whether it's engineers, designers, pro drivers, and everything in between, you can learn about deep dives in technology like we're talking about today, or you can get some stories about how you could find a job in the automotive industry as well. So our catalog is huge. It's deep, and you will find something interesting whether you're interested in cars or not.

Carolyn Ford [:

Thank you, Eric, for taking time to share your insights with us to give us a truly scary Halloween episode. You and Tracy both did a great job of just making me tired and scared and just, like, ugh. I just want everything done for me. I need people is what I need. But thank you listeners for joining Tech Transforms Break/Fix crossover today. Happy Halloween, and we will talk to you next week on Tech Transforms. Bye.

Tracy Bannon [:

Thanks, guys.

Carolyn Ford [:

And we're out. Thanks for joining Tech Transforms sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter, and Instagram.

About the Podcast

Tech Transforms
Tech Transforms talks to some of the most prominent influencers shaping government technology.

About your hosts


Carolyn Ford

Carolyn Ford is a passionate leader, doer, adventurer, guided by her father's philosophy: "leave everything and everyone better than you found them."
She brings over two decades of marketing experience to the intersection of technology, innovation, humanity, and the public good.

Carolyn Ford

Carolyn Ford is passionate about connecting with people to learn how the power of technology is impacting their lives and how they are using technology to shape the world. She has worked in high tech and federal-focused cybersecurity for more than 15 years. Prior to co-hosting Tech Transforms, Carolyn launched and hosted the award-winning podcast "To The Point Cybersecurity".