Who’s Spying on You? — Your Car!

I recently purchased a 2012 Toyota Prius C hybrid, great car.  I really love the gas millage and the fact it’s easy on the environment is an added bonus.  Returning to the house with my new car, I cracked open the owners manual[1] for the first time.  On pages 18 and 19 I noticed a section, “Vehicle control and operational data recording”, hum this is interesting.  The manual goes on to say the vehicle is equipped with sophisticated computers recording vehicle operation.  My first thought was — black box — like type found on modern aircraft, only in my car.  Toyota calls the black box the Event Data Recorder (EDR).

The Prius manual describes the following operational parameters subject to recording.

  • engine speed
  • electric motor speed
  • accelerator status
  • brake status
  • vehicle speed
  • shift position

While it’s clear these settings are recorded, it’s not clear what else may be recorded.  For instance, Prius purchased with navigation system options also have GPS coordinates and time/date information.  Knowing where and when events occur makes them much more valuable.  The manual specifically notes no conversations are recorded, sound, or pictures.  Oh, what a relief.  Toyota notes the data is used for research development and to improve quality.

Finally, the Prius manual goes on to say Toyota will not disclose EDR data to third parties except…

  • Upon consent of owner/lessee
  • Official request by police, court, or government agency
  • Research not specific to owner or vehicle

The first bullet is Me, the Prius owner.  I can approve the distribution of my EDR data to a 3rd party.  Ok, makes sense.  The second bullet, police, court, or government agencies — this concerns me.  The effect of this is that if your involved in a crash, local, state, or federal officials can collect your EDR data without your knowledge or consent.  Similarly, EDR data could be gathered during a surveillance operation when you take your car to the dealers for an oil change.  Not likely, I admin, but if it’s possible then it’s safe to assume such surveillance will occur at some point.  The concern is that EDR data can be used against owners in a court of law or for surveillance purposes.  While you may be able to exercise your 5th Amendment Rights in court, it’s likely your car is not subject to such laws.  One trip the Electronic Frontier Foundation[2] will convince you our laws have not caught up to our technology capabilities — to the detriment of our privacy.

In my opinion, until privacy laws improve, I wish manufactures would not provide features with no immediate consumer benefit that may potentially be used to violate privacy.  I’m not talking out doing away with the Internet or light bulbs — these have huge consumer benefits.  I considered writing Toyota and asking how to deactivate the EDR, after all it’s for research and quality control according to them.  It should not be important to the operation of the vehicle — right?  Perhaps there is some Prius hack info on the net.

[1] “Toyota Prius C Owners Manual.” Toyota. Web.<>.
[2] Electronic Frontier Foundation, <>

Security Awareness Lifecycle

Security professionals address phases of security awareness in different ways.  I’m definitely not the first but I can’t resist attempting a definition myself.  Here goes, the phases of security awareness…

Security Awareness Lifecycle
Ignorance –> Epiphany –>  Paranoia –> Depression –> Call to Action

Security problems solved, you hired a security guy.  Your not concerned about security.  All firewalls are in place, virus scanners scanning, data stored safely in the cloud and backed up daily.

You discovered your cloud provider hosts its servers overseas.  This means your applications and data are entirely offshore.  You comfort yourself by saying everyone else is doing the same thing.  Each application security assessment you execute turns out fresh vulnerabilities.

Self-comforting really is not working well.  You don’t sleep well at night.  You try and consider the legal implementations of a successful exploitation that hits the popular press(but your not a lawyer). Where’s the chair you think your getting dizzy.

Moving applications and data back onshore is not an option — the genie likes to be free.  You explain your concerns over and over again but your boss, Mr. Krabs, is focused on more tangible crises at the Krusty Krab.  You realize your leadership is still in phase 1 — Ignorance.  Security is an intractable problem and you’ve got an ice cream headache that just wont quit.

Call to Action
You take a cold shower and slap yourself back to reality.  You realize the only way your going to win this war is education and raising the security awareness of others.

Am I missing anything?  I know there should be a phase on the end to wrap everything up like Nirvana but since I have never hit that step I’m not sure it exists.  Cheers!