
Privacy Protection A Must For Driver Monitoring

Why driver data collected by in-cabin monitoring systems must be included as part of the overall security system.


Driver monitoring systems are so tied into a vehicle’s architecture that soon the driver will not be able to opt out because the vehicle will only operate if the driver is detected and monitored. This is raising privacy concerns about whether enough security is in place for the data to remain private.

At the very least, laws and regulations in every geography where the vehicle will operate are necessary alongside security features and technologies. A recognized approach to addressing vehicle security challenges is defense in depth: implementing different layers of security in the system, from system monitoring on the chip and secure access to the device via a root of trust (RoT), all the way up to security on the servers hosting the OTA software, with many layers in between, including vehicle-to-infrastructure.

A number of automotive OEMs — BMW, Ford, General Motors, Subaru and Tesla, among others — have already implemented some form of driver monitoring system (DMS) in certain vehicles using near-infrared sensors as well as in-cabin cameras. Some manufacturers claim the data operates in a closed-loop system, but Tesla has stated publicly it will not comment on what happens with the video it collects from its vehicles.

As vehicles increasingly include advanced driver assistance systems, such as distraction mitigation systems, new scrutiny is being placed on privacy of the driver data collected from within the vehicle, and how it should be secured. Many argue privacy enters the realm of philosophy and ethics, but increasing evidence supports inclusion of privacy as part of automotive security systems.

“We’re going to see more and more driver monitoring systems deployed because they are necessary to provide more protection,” said Dana Neustadter, senior product marketing manager for security IP at Synopsys. “There is good intention behind driver monitoring systems, but they also come with questions around privacy because they provide value for checking that the driver is not distracted with special cameras or sensors in the steering wheel. As these technologies proliferate in the name of safety, they can also be used or misused to invade privacy.”

And today, privacy for these DMSes is not truly addressed, Neustadter said. “More needs to be addressed, such as laws and regulations. Some carmakers today are basically using and sharing video footage or data from the car, from the driver, from their in-car cameras. They are using that data, and they can claim they are using this data just for research purposes. But what prevents them from using that data for other purposes, maybe to prove a point that it was the driver’s fault [that an accident occurred] rather than the car’s fault?”

Balancing act
This needs to be balanced with privacy. “With connected cars, we’re talking about complex systems that need to do more central processing,” she said. “They need to deal with data coming from more cameras, and that means a lot of processing for different things. On top of that, security and safety in automotive systems are critical, regardless of the DMS. DMSes just add to that technology. Without security there is no safety or reliability, so automakers really need a holistic approach to safety and security. Privacy can be addressed from a technology standpoint, but it also needs to be addressed from the higher level, like laws and regulations, because there are questions around what you are allowed to do and what not to do. Letting the manufacturers or users make that decision is not the right thing to do as far as privacy concerns.”

Indeed, as we extend connectivity of our lives to the vehicles we operate, we expose more and more personal data into the processing systems of the vehicle itself, said John Hallman, product manager for trust and security at OneSpin Solutions. “We connect devices such as cell phones, tablets and others that contain this personal information, and expect to maintain confidentiality and privacy of this information. This balance between convenience of having the data available and accessible, versus protecting this information from those who should not be granted access, is the constant security challenge we fight.”

A commonly accepted approach to addressing this challenge is providing layers of security. The objective of this approach is to address different components of the system at different levels of abstraction, such as at the interfaces, or in the hardware or software. Recent attacks such as the SolarWinds exploit, or the intrusion into the water plant facility, demonstrate the need for protections both against an attacker taking control of the system and against an attacker extracting information from it. Protections such as firewalls at the interfaces and encryption of data are important and necessary, but we also must go further and deeper, down to the foundational hardware in the IC upon which many of these processing systems are built.

Andrew Dauman, vice president of engineering at Tortuga Logic, said privacy and security must be addressed holistically, from the perspective of the overall vehicle. “Driver monitoring is one element of the privacy concerns around security in automotive systems. It started years ago with the ability to connect a smartphone to the automotive system, download contacts, and store phone calls. Then suddenly, the automobile’s system is holding a lot of information about you, as well as where you’ve been. In many ways, driver monitoring is an extension of that. One question that comes up is, ‘How is that information used in intentional ways and unintentional ways?’ The intentional ways may be for the good — helping to keep the driver awake, helping to keep the driver focused. On the other side, it can be used in nefarious ways, such that your behavior is being monitored. The problem is that whenever the system security is at risk, that information could be used in a poor way.”

This speaks to the security of the overall automobile, he said. “We used to have very discrete systems on automobiles. Nothing was connected together. Now everything’s somewhat integrated, if not completely integrated. Because of this, we have to really start thinking about the overall architecture, and verification of that automobile in terms of security, as one big integrated system.”

Years ago, the braking system was nothing but a hydraulic and mechanical system. “The very first step towards integration was anti-lock brakes, and suddenly the car had an electronic component,” Dauman noted. “Snap forward to today. On that same menu I also have controls that affect the braking system in my vehicle called auto vehicle hold, which keeps the brakes applied even when I forget to. Other things related to ADAS are all on that same menu, so that same system is also going to be dealing with driver monitoring. It’s all centralized now at a software layer and at a hardware layer. We can’t separate those anymore. And if we can’t separate them, what are we going to do about them?”

Steve Harris, director of automotive solutions architecture at ON Semiconductor, noted that when the company built cybersecurity into its sensors, the first goal was more than just the privacy of the people driving; it was about safety.

“If somebody is able to tap in and actually view your video stream, what becomes even more scary is the fact that not only are they able to view it, but they may be able to modify it. When we first looked at cybersecurity, it was from a safety perspective, that if somebody could hack into our sensor, and change the data that’s coming from our sensor, and drive that to an SoC that thinks it’s actually talking to our sensor, but you’re getting wrong data, then you cause an accident. Related to this, driver monitoring is an interesting situation, because right now a lot of the driver monitoring systems are based on Euro NCAP regulations, so it’s more of a checkbox: Do you have it? Do you not have it? While we’re probably a couple years away from it, they’re not really tied into the other machine vision systems so I don’t know if any vehicle right now at least, based on a driver’s head pose or gaze detection, actually does anything more than a warning. I am not aware of any cars that will brake automatically or move into a different lane. We’re in an interesting window where the safety element of the driver monitoring isn’t so critical. Having said that, some features in our image sensor that work for actual safety functions could in turn be used for privacy functions, as well, in the in-cabin space. Inevitably as these items — driver monitoring and occupant monitoring — start to get tied into the ADAS systems, cybersecurity blocks will be built in for a safety perspective. There’s that window until that happens, let’s say two or three years down the road, where the driver monitoring camera now has more privacy issues, but work is being done on the cybersecurity front to cover that,” he explained.

Another approach could be a safety island concept to monitor the quality, integrity, and speed of the data being passed from the sensor to the compute complex.

“This performance data can be transmitted to the cloud via a telematics unit in the car for pseudo real-time monitoring or analysis, or stored on vehicle and then downloaded and analyzed when the vehicle is in its home state,” said Robert Day, director of automotive partnerships, for the Automotive & IoT Line of Business at Arm. “Any degradation of performance can be analyzed to see if it is still within the bands of acceptable behavior. And if not, some action should be taken, which could include temporary off-line for ADAS functions followed by dealer replacement of faulty components, or for autonomous, move to a fail operational mode that might involve using another sensor or potentially having a remote pilot guide the vehicle to a safe state.”
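The two mechanisms described above, authenticating sensor frames so a spoofed or modified stream is detected (Harris) and a monitor that tracks the integrity, freshness and rate of the sensor feed and degrades the function when it drifts out of band (Day), fit together naturally. The following is an added example, not code from the page or from any of the companies quoted. It assumes a symmetric per-sensor key shared between the image sensor and the SoC (a stand-in for whatever key provisioning the secure element actually uses), a constructed frame layout of sequence counter, timestamp, payload and HMAC-SHA256 tag, and constructed thresholds for latency and drop ratio.

```python
import hashlib
import hmac
import struct
from collections import deque

# Constructed demo key. A real sensor key is provisioned per device into the
# sensor's and the SoC's secure key storage, never hard-coded.
SENSOR_KEY = b"constructed-demo-key-not-for-production"

HEADER = struct.Struct(">IQ")   # sequence counter (u32), timestamp in ms (u64)
TAG_LEN = 32                    # HMAC-SHA256 tag


def make_frame(key: bytes, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Sensor side: header + payload, authenticated with an HMAC tag."""
    header = HEADER.pack(seq, ts_ms)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class SafetyIsland:
    """Compute side: authenticate each frame, then track freshness and drop
    rate over a sliding window to decide whether ADAS may stay in service."""

    def __init__(self, key: bytes, max_latency_ms: int = 100,
                 window: int = 30, max_drop_ratio: float = 0.1):
        self.key = key
        self.max_latency_ms = max_latency_ms
        self.window = window
        self.max_drop_ratio = max_drop_ratio
        self.last_seq = -1
        self.results = deque(maxlen=window)  # True = usable frame, False = lost/rejected
        self.tamper_events = 0

    def ingest(self, frame: bytes, now_ms: int) -> str:
        if len(frame) < HEADER.size + TAG_LEN:
            self.results.append(False)
            return "reject:short"
        header = frame[:HEADER.size]
        payload, tag = frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        # Authenticate before trusting anything in the header.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.tamper_events += 1
            self.results.append(False)
            return "reject:bad_tag"
        seq, ts_ms = HEADER.unpack(header)
        if seq <= self.last_seq:
            self.results.append(False)
            return "reject:replay"
        # Every skipped sequence number is a frame that never arrived.
        for _ in range(seq - self.last_seq - 1):
            self.results.append(False)
        self.last_seq = seq
        if now_ms - ts_ms > self.max_latency_ms:
            self.results.append(False)
            return "reject:stale"
        self.results.append(True)
        return "ok"

    def mode(self) -> str:
        """'nominal' or 'degraded'. Any authentication failure counts as
        tampering and degrades at once; drops degrade once the window is full."""
        if self.tamper_events:
            return "degraded"
        if len(self.results) >= self.window:
            drop_ratio = 1 - sum(self.results) / len(self.results)
            if drop_ratio > self.max_drop_ratio:
                return "degraded"
        return "nominal"


def demo():
    """Healthy 30 fps stream, then one frame whose payload was altered in transit."""
    island = SafetyIsland(SENSOR_KEY)
    healthy = []
    for seq in range(40):
        frame = make_frame(SENSOR_KEY, seq, ts_ms=seq * 33, payload=b"\x01" * 16)
        healthy.append(island.ingest(frame, now_ms=seq * 33 + 5))
    mode_before = island.mode()
    genuine = make_frame(SENSOR_KEY, 40, 40 * 33, b"\x01" * 16)
    tampered = genuine[:HEADER.size] + b"\xff" * 16 + genuine[-TAG_LEN:]
    verdict = island.ingest(tampered, 40 * 33 + 5)
    return healthy, mode_before, verdict, island.mode()


if __name__ == "__main__":
    print(demo())
```

The verdicts and the mode are what a telematics unit would forward to the cloud, or log for later download, rather than the raw frames: the monitor's record of drops, replays and tag failures is the performance data, and it carries none of the in-cabin imagery.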

Still, even though many security and safety systems are tied together, there is a difference. “Security is unlike safety, which has a static landscape,” said Lee Harrison, automotive test solutions manager at Siemens EDA. “With the exception of the odd corner case, which could be an extreme environment or traffic situation, the risks for drivers and vehicles can be identified, modelled, and protected against. With security, the landscape is very dynamic. Cyber attacks today look significantly different from those in the past, and we assume that they will continue to evolve over the lifetime of the vehicle. Attackers will find different and more advanced ways to attack a vehicle’s system, whether it’s taking control or simply just to steal data. One good example of this is that before vehicles were connected, any form of attack would have to be a physical attack to the vehicle, in which case guarding against these attacks was mostly physical. However now with most vehicles being connected, attackers can connect and attack a vehicle completely remotely. So more than just physical security is needed.”

ISO/SAE 21434 is an emerging standard that tries to address security in the same manner as safety, analyzing the threats and making sure that mechanisms are in place to protect against them. “This standard is a great start, but again whereas safety mechanisms in a design are typically fixed in operation, we are seeing the equipment for security monitors within designs being dynamic and updatable for the lifecycle of the vehicle,” said Harrison. “Think of this in the same way as the virus protection updates on your PC. We will need to be able to do this for the lifecycle of the vehicle to make sure the security protection is current and evolves with the threats.”

This means developers need to be aware there are a mass of different standards that define the automotive ecosystem, including the supply chain, Harrison said. “It is important to understand which standards impact your product and which certifications need to be acquired to which levels to enable your product to be fit for purpose. Also, a number of these standards will dictate technology solutions that are not required in a typical commercial-grade SoC. These could include enhanced test requirements, functional safety, and security. It is important to understand the threat landscape for the device application, and the context that it will be used in. Similar to safety, those functions that introduce a larger risk will require a more stringent solution to mitigate against such security issues. Developers need to be aware of what technologies are available to them that can help them solve these complex problems.”

Chip-level privacy
At the IC level, the device itself contains a lot of personal data that needs to be protected.

OneSpin’s Hallman said we must analyze and understand the ICs further, then verify that proper protections are in place at all levels. “We also must verify there are not unintended channels to private information, such as through hidden back doors, unchecked test ports left open, or other side channels available for unauthorized attackers to exploit. Physical access may need to be considered, but often deficiencies in the interface protections are enough to exfiltrate the desired data. Many of these checks are available today to extend functional verification to include more security verification. It will be through this awareness to consumers and their demand to product suppliers that more is done to protect the privacy of the consumer personal data.”

It’s one thing to look at the ICs within a vehicle. It’s going to take a much more expanded view on the matter when vehicles start interacting with each other and their environments in a smart city infrastructure.

Willard Tu, director of automotive at Xilinx, expects that privacy and security requirements will more resemble those found in the military. “Based on our work with the military, and within our aerospace and defense business, we’re almost talking about electronic warfare and countermeasures,” he said. “We’ve been working with the top military companies, so our technology and our devices are suited for those applications. You want to make sure people aren’t spoofing your lidar data or your radar data, sending you misinformation. That’s what happens in the real battle zone, and none of us want to think about it, but that’s what electronic countermeasures are trying to do — confuse your sensor array and take it over if possible.”

Thus far in vehicles, the emphasis has been on safety and security, but privacy is coming, mainly on the V2X (vehicle to everything) aspect of things, said Thierry Kouthon, technical product manager at Rambus Security. “The idea is that if all vehicles start exchanging information with one another, someone spying could identify vehicles, and they’d know that Senator X is always driving from A to B at this point in time, or his vehicle is having this kind of behavior. There is also an identification system that a vehicle uses to announce itself, and this should be devoid of specific numbers that pinpoint the owner or the vehicle itself. However, it is true that it is not a perfect system. Hackers use AI or patterns to track who it is.”

Technologies from Rambus and others can be used to change IDs that are specific to a vehicle, or to create sessions that change over time, so the identification changes over time. This is usually covered at the PKI (public key infrastructure) level, whereby the pinpointing information is anonymized yet still rendered trustworthy because it is vouched for by information related to the manufacturer. In the future, manufacturers may be able to establish protocols and data that allow their vehicles to safely communicate without identifying the vehicle itself. “Maybe you could get to the point where you know it’s a Chevy or a Mercedes, but not further than that,” Kouthon said.
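The rotating-identifier scheme sketched above can be shown end to end: an issuer hands the vehicle a batch of short-lived pseudonyms, the vehicle announces itself under whichever one is currently valid, receivers accept only pseudonyms the issuer vouched for, and an eavesdropper sees a different identifier every period while the issuer alone can resolve any of them back to the vehicle. The following is an added example, not Rambus code or any deployed V2X profile. It assumes a constructed issuer key used with HMAC as a stand-in for the issuer's ECDSA signature and public-key verification in a real PKI, constructed validity periods, and a constructed vehicle identifier.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the pseudonym CA's key. In a real V2X PKI the
# issuer signs with an ECDSA private key and receivers verify with its
# public key; HMAC is used here only so the example runs with the stdlib.
ISSUER_KEY = b"constructed-pseudonym-ca-key"


def _cert_body(pseudonym: str, not_before: int, not_after: int) -> bytes:
    return f"{pseudonym}|{not_before}|{not_after}".encode()


def issue_pseudonyms(issuer_key, long_term_id, count, period_s, start_s):
    """Issuer side. Each pseudonym is random, so nothing in it derives from
    the vehicle's long-term identity; the issuer alone keeps the mapping so
    a misbehaving vehicle can still be resolved and revoked."""
    certs, resolution_table = [], {}
    for i in range(count):
        pseudonym = secrets.token_hex(8)
        not_before = start_s + i * period_s
        not_after = not_before + period_s
        sig = hmac.new(issuer_key, _cert_body(pseudonym, not_before, not_after),
                       hashlib.sha256).hexdigest()
        certs.append({"pseudonym": pseudonym, "not_before": not_before,
                      "not_after": not_after, "sig": sig})
        resolution_table[pseudonym] = long_term_id
    return certs, resolution_table


class Vehicle:
    """Vehicle side: announce under the pseudonym whose window covers 'now'."""

    def __init__(self, certs):
        self.certs = certs

    def current_cert(self, now_s):
        for c in self.certs:
            if c["not_before"] <= now_s < c["not_after"]:
                return c
        raise LookupError("no valid pseudonym left; request a new batch")

    def beacon(self, now_s, position):
        c = self.current_cert(now_s)
        return {"id": c["pseudonym"], "t": now_s, "pos": position, "cert": c}


def verify_beacon(issuer_key, beacon) -> bool:
    """Receiver side: the pseudonym must carry a valid issuer signature and
    the beacon must fall inside that pseudonym's validity window."""
    c = beacon["cert"]
    expected = hmac.new(issuer_key,
                        _cert_body(c["pseudonym"], c["not_before"], c["not_after"]),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(c["sig"], expected)
            and beacon["id"] == c["pseudonym"]
            and c["not_before"] <= beacon["t"] < c["not_after"])


def demo():
    """Three five-minute pseudonyms; an eavesdropper logs 15 minutes of beacons."""
    certs, table = issue_pseudonyms(ISSUER_KEY, "VIN-CONSTRUCTED-0001",
                                    count=3, period_s=300, start_s=0)
    car = Vehicle(certs)
    seen = [car.beacon(t, (t, t)) for t in range(0, 900, 100)]
    ids = {b["id"] for b in seen}                       # what the eavesdropper learns
    valid = all(verify_beacon(ISSUER_KEY, b) for b in seen)
    resolved = {table[i] for i in ids}                   # what only the issuer learns
    return ids, valid, resolved


if __name__ == "__main__":
    print(demo())
```

The caveat Kouthon raises is visible in the demo: the identifier changes every period, but the `pos` field does not jump, so an observer who correlates consecutive positions across a rotation can still re-link the pseudonyms. Rotating the ID removes the easy join key; it does not by itself defeat trajectory-based tracking.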

Again, this means security and privacy would need to happen at all levels in the vehicle.

“If you really want to avoid hackers, you have to think about it in terms of the holistic system, because what we use as a paradigm is defense in depth,” said Kouthon. “We put barriers at each level in the vehicle. If someone wants to pervert the system, they’d have to jump many hurdles, not just one.”

Where to start?
“The first thing to do is segregate the vehicle networks with a gateway,” he explained. “There are high-speed networks. There are critical networks between the transmission engine and control brake control. There are telematics networks that have to do with outside communication. There are networks for autonomous driving, and specific networks due to the high volume of data coming from the cameras, the lidar, and the high data-volume sensors. All of those can be segregated so that they don’t interfere with one another. For instance, the engine control needs very little information to know what to do. The decision is made by someone else, but at the end of the day, the actuation that the engine control needs is not that important — it’s all the processing that goes into making sure what to tell him that is important. And that can be completely isolated. All of this is done via gateways, and the vehicle is usually built with gateways that maintain the segregation and gather information between all these different networks inside.”
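The gateway segregation Kouthon describes is, in practice, a routing policy: each pair of domains has an explicit allowlist of frame identifiers and directions, and anything not on the list is dropped and counted. The following is an added example of such a policy engine, not code from Rambus or from any vehicle gateway. The domain names, CAN identifiers, rates and data lengths are all constructed for illustration; real IDs and domains are OEM-specific. It also rate-limits each allowed flow, since an allowed identifier flooded from a compromised ECU is the other way a domain boundary gets abused.

```python
from collections import defaultdict

# Constructed policy: (source domain, destination domain) -> {can_id: frames/s}.
# Anything not listed is dropped. Note there is no entry at all from the
# connected side (telematics, infotainment) into powertrain or ADAS.
POLICY = {
    ("adas", "powertrain"):       {0x0A0: 100},  # brake/torque request from ADAS
    ("powertrain", "adas"):       {0x0B0: 100},  # wheel speed
    ("powertrain", "telematics"): {0x1C0: 10},   # coarse status, outbound only
    ("dms", "adas"):              {0x2A0: 30},   # driver attention state, never video
}
MAX_DLC = 8   # classic CAN data length


class TokenBucket:
    """Per-flow rate limit: 'rate' tokens per second, up to 'burst' stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Central gateway between vehicle domains. route() returns 'forward' or a
    'drop:<reason>' verdict; every drop is counted per flow for the IDS."""

    def __init__(self, policy):
        self.policy = policy
        self.buckets = {}
        self.denied = defaultdict(int)   # (src, dst, can_id) -> drop count

    def route(self, src, dst, can_id, dlc, now):
        flow = (src, dst, can_id)
        allowed = self.policy.get((src, dst), {})
        if can_id not in allowed:
            self.denied[flow] += 1
            return "drop:policy"
        if not 0 <= dlc <= MAX_DLC:
            self.denied[flow] += 1
            return "drop:dlc"
        bucket = self.buckets.setdefault(
            flow, TokenBucket(rate=allowed[can_id], burst=allowed[can_id]))
        if not bucket.take(now):
            self.denied[flow] += 1
            return "drop:rate"
        return "forward"


def demo():
    """A genuine ADAS brake request, the same ID injected from telematics,
    and a status flood from powertrain toward the telematics unit."""
    gw = Gateway(POLICY)
    genuine = gw.route("adas", "powertrain", 0x0A0, 8, 0.0)
    injected = gw.route("telematics", "powertrain", 0x0A0, 8, 0.0)
    flood = [gw.route("powertrain", "telematics", 0x1C0, 8, 0.0) for _ in range(12)]
    recovered = gw.route("powertrain", "telematics", 0x1C0, 8, 1.0)
    return genuine, injected, flood, recovered, dict(gw.denied)


if __name__ == "__main__":
    print(demo())
```

The drop counters are the interesting output: a rising `drop:policy` count on a telematics-to-powertrain flow is exactly the signal an in-vehicle IDS would raise, and it costs nothing beyond the allowlist lookup the gateway already performs.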

Privacy and security have to be addressed at every layer, by all parties, said Kurt Shuler, vice president of marketing at Arteris IP. “We’re getting questions from customers asking, ‘You’ve got this interconnect, it’s a network, you have these firewalls, how do I integrate this into my overall security system for my chip?’ They also want to know how to integrate that in the overall security system of that vehicle subsystem, and how to integrate that into the overall security system for the car, and then the network of cars. If I’m GM, I’ve got a whole network of GM cars running around. Where there’s OnStar, I have to protect that data too, and that’s sitting on servers. The OEM is cognizant of this because they know from market forces that if they screw it up, then people aren’t going to trust them. And even though there are IEEE, ISO, and SAE standards, selling security is like selling insurance. Nobody thinks they need it until after the incident happened. The risk is huge here if you don’t do it right, so you should do everything state of the art. However, there’s nothing currently legally forcing that.”

For these reasons, the industry needs to work together, Shuler said, with competitors working together to come up with the standards. “The thought process is that industry cooperation will result in more sane requirements than if a governmental body (that maybe knows less about the technology and less about the business) gets involved. It’s the same reason why we have ISO 26262 and functional safety. It’s the same kind of concept.”

Trust at the foundation
As with so many other application areas today, the big question becomes who owns the data. “Can the data be hacked into? And then, what can you actually do with the data? Trust is a big issue here, and the car is no different than other elements in the real world,” said Frank Schirrmeister, senior group director for solutions marketing at Cadence. “In the case of cars, because of the impact on mobility, this is a notch more difficult to manage. In the vehicle-to-vehicle infrastructure, there are pilot projects where companies are tracking cars in terms of vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2X) communication. This is advanced research on how traffic jams actually get created, and how speed impacts all of this. Related to this is the driver data, and how private it is. Can you collect the data in a way that the individual person is not identifiable, so the individual car was not identifiable? If that’s the case, you may have to analyze data in batches of 50, or whatever the number was, because for privacy reasons it was not allowed to be linked back to the driver? You cannot pick out the person and call them up. You only know somebody in that queue of cars was involved in that vehicle-to-vehicle communication.”

Still, Schirrmeister believes the automotive ecosystem is in the process of building in the capabilities in cars to maintain that level of safety and privacy. “Hardware security modules and the like, where there is key storage, is happening,” he said.

Until privacy protections are in place, he expects consumers will grapple with risk vs. reward questions.

“Humans are funny animals. It comes down to risk/reward, and everything is convenience related. People seem to be much more open to give up data for things that might have consequences,” he said. “For example, sharing your data with the government, you will get a lot of pushback. Sharing your data with a brand, which can optimize the experience, perhaps scary to some, not to others. For example, my auto shop calling me to say something’s going on in my car, that’s convenient. And if they could fix it remotely? Yes, upload something, fix it remotely. I don’t even need to go to the shop.”

Safety and security are factors in the decision around the cost of the vehicle and what consumers are willing to pay, noted Chris Clark, senior manager in Synopsys’ Automotive Group. “When we look at privacy, this is where we start dealing with the amenities within the vehicle. When we start looking at what the ADAS components in the vehicle do for the driver, what are the extra capabilities from infotainment? And how you distribute media within the vehicle or connectivity within the vehicle for internet access? When these things start to touch on what the consumer wants, part of that is going to be a driver in this overall privacy discussion. It remains to be seen what comes out of that, and keep in mind that the consumer will drive some of this.”


Andrea Amico, Privacy4Cars says:

While security of personal information needs to step up significantly, that is only half of the answer. You can have excellent security and still terrible privacy! Companies need to grapple the complexity of the global legal and regulatory frameworks – and consequently the many layers of liability they need to solve for.
