Preserving Your CEO’s Vehicle Infotainment System Data

William Kellermann 
William Kellermann
August 7, 2015

Like the technology ecosystem it feeds from, electronic discovery is rife with acronyms, for good or ill.  One of the more recent is COPE – “Company Owned, Personally Enabled.”  The target of COPE is mobile devices – tablets, phablets, smartphones – whatever your preferred nom du jour.  It is the counterpoint to BYOD (“Bring Your Own Device”) the alternative way that mobile devices significantly impact enterprise security, privacy and electronic discovery efforts.  Which begs the question, does your Enterprise Mobile Management (EMM) system consider the ultimate corporate mobile device, the company car?

In the latest episode of vehicle hack-a-mania, Wired reports the successful hack of a Tesla Model S.  Researchers Hacked a Model S, But Tesla’s Already Released a Patch.  This report is just the latest news about a series of similar exploits, starting with the Jeep Cherokee hack reported two weeks ago.  Hackers Remotely Kill a Jeep On The Highway – With Me In It.  The motivation for the Tesla hack was to demonstrate a way to virtually “hot wire” and steal a Tesla, otherwise thought to be impervious to traditional methods of auto theft.  But what both these hacks reveal is a more insidious threat vector.

In each of the hacks demonstrated thus far, access to the command and control system was accomplished via a breach of the car’s infotainment system – the Bluetooth smartphone-enabled navigation and entertainment computer installed in many new vehicles.  Therein lies the rub.  In addition to being a method to steal or wreak havoc with vehicle operation, these systems are a virtual gold mine of hacker information or electronic discovery data, depending on where you sit.

I recently discussed new technology to forensically collect vehicle infotainment system data, such as iVE by Berla, with a close friend in the computer forensics business.  He related how in a test, a forensic analyst was able to extract the user and vehicle event data from over 30 prior users of a rental car.  User data includes call logs, contacts, text messages, navigation data and the names and MAC addresses of connected devices.  Examples of vehicle event data include doors opening, closing and locking, light activation, device connections, system resets and transmission shifter activation, such as a sequence from “park” to “reverse” to “drive.” Each event is accompanied by a time and date stamp, as well as geolocation data if the vehicle has a navigation system.  In all there are over 250 data attributes forensically available in the modern computerized vehicle system.  Much of this data is captured in addition to better known vehicle “black box” data found in all late-model cars and trucks and targeted for auto accident reconstruction.

Have your executives ever synchronized their Smartphone with the system in a rental car?  What about the systems in a company car or their personal vehicles?  Much of the above-mentioned information will have leaked onto those various systems.  For every hacker who ever rented a car, all this information is low hanging fruit for easy pickings.  It is also sitting out there unprotected in every vehicle traded-in or sold, as most vehicles have no technical mechanism to wipe this data. If nothing else, contact lists are extremely valuable to initiate spear-phishing attacks: spoofing an executive’s email or text-messaging address to send virus laden payloads to trusted advisors such as lawyers, doctors, accountants and financial services professionals.

Moreover, to the extent the company is obligated to preserve and collect this data for electronic discovery, is that data source contemplated by your internal electronic discovery protocols?  As with anything else, such devices may be the bane or panacea, depending on your particular circumstances.  Text messages deleted from a device may be recovered from the car to save the company from a spoliation sanction.  On the flip side, a savvy opposing counsel may make a credible argument the data should have been collected for preservation before the executive traded-in the car.

As with everything else with technology, these concepts may take some time to seep into the consciousness of the legal profession.  Nevertheless, forward thinking lawyers and technologists have another dimension to track when mapping out data sources for investigations and discovery.  Similarly, Information Governance professionals must consider the retention, disposition, security and privacy impacts presented by vehicle infotainment systems bridged to corporate information systems via mobile devices.