Car forensic experts: How is data from cars actually analyzed?

Immo Bornhagen is an expert in data forensics. In the c’t conversation he provides information on how data from vehicles is analyzed and why the handling of data in the manufacturer cloud should be regulated.

c’t: Who are your typical clients?

Immo Bornhagen: Essentially, these are public prosecutors and courts. Occasionally also appraisers or motor vehicle experts who are tasked with reconstructing accidents.

c’t: What exactly are the tools that you use to analyze the vehicles?

Bornhagen: It depends. When we read out multimedia information, for example, we use hardware and software from Berla in the USA. The CDR kit from Bosch (Crash Data Retrieval) is mainly used for accident research. Neither of these are “secret” tools. They are sold publicly, but you have to prove to Berla and Bosch that you work in the field of car forensics.

c’t: Is it necessary in individual cases to expand control units in order to extract data?

Bornhagen: As far as the crash memory is concerned, the official interfaces are sufficient. With the data from the MMI (multimedia interface, d. Red.) You usually have to remove the head unit of the vehicle.

c’t: So it is relatively easy to read out the vehicles?

Bornhagen: No, it’s not that simple. Imagine being called to a vehicle. You get detailed information about the car in advance: which devices are installed, which MMI is in the vehicle. You come there, remove the MMI and realize: This is a completely different model. This is how we recently experienced it with a Mini Cooper: On site it turned out that an inferior multimedia interface was installed. This means that the previously selected interfaces do not fit and there is no way to read the device without completely dismantling it.

Some of these limitations can be circumvented with a few tricks. The question always arises for us as to whether this would be legally permissible or whether the knowledge gained in this way could even be used in court proceedings, for example.

c’t: Are there vehicle types, manufacturers, years or classes that can be read out more easily than others?

Bornhagen: Ultimately, that goes across the board. One must certainly also note that Berla, as the manufacturer of the analysis tool, basically has to do reverse engineering. The programmers roll up the field from behind and try to get the information via the known access routes and to constantly adapt the analysis software. The manufacturers of the various control units and MMIs do not reveal anything of their own accord.

The age of the vehicle does not allow any direct conclusions to be drawn either. But when you can get access to data, there are usually a lot of them. Younger vehicles have hard drives with a capacity of up to 1 TB.

Without the MMI, however, the hard drive is of little use because the data is encrypted. The other way round applies: If you have access to the MMI, you will sooner or later also have access to the data. In general, the subject of encryption is getting worse and worse for us – from the point of view of the consumer in terms of data protection, it is getting better and better.

c’t: Which bus systems do you use when you extract data?

Bornhagen: Standard access is still the OBD interface, behind which nowadays there is usually a CAN bus. We sometimes read accident data directly from the control unit. The CDR kit from Bosch can be wired directly to the Event Data Recorder (EDR) so that the accident data stored there can be accessed. With the MMIs, it differs from manufacturer to manufacturer. Sometimes a USB connection is sufficient, sometimes you have to use a serial connection.

c’t: How secure are such data from manipulation? What if someone deliberately stored the data beforehand?

Bornhagen: A good question. Let me put it this way: Even the well-versed layman is not able to easily store data from outside in the vehicle. With the tools we use, it is not possible to import data into the vehicle electronics.

In theory, data could perhaps be transferred from one system to another. This would then have to be absolutely identical in all details. Sensor information from a wide variety of areas converges in the vehicle. The resulting data structure cannot be easily reproduced.

“I haven’t shaken my head at people’s passion for data collection for a long time. «

c’t: Imagine you have a vehicle built in 2030 in your workshop. Will you still be able to read something?

Bornhagen: Why not? There must also be some kind of interface in 2030. What else would manufacturers want to do with all the collected data if they couldn’t be read out?

c’t: Transferred to the manufacturer cloud?

Bornhagen: Yes, perhaps. Tesla is apparently already doing this today. Even driving data is probably migrating to the cloud. When all vehicles are networked to this extent, regulatory changes will still have to be made to clarify who is ultimately allowed to do what. This applies to both storage and access to the data.

c’t: When we look at the user data collected by smartphone apps at c’t, we are often amazed at what is collected there. Do you feel the same way with cars?

Bornhagen: Almost a philosophical question. The data is initially generated and collected by countless sensors and feelers in the vehicle. The vehicle then starts something with the data in order to implement a specific function. The question is how long the data must be kept and to what extent the manufacturer has access to it. More data economy would be appropriate.

The post-mortem analysis of computers is part of our day-to-day business – I haven’t shook my head at people’s passion for data collection for a long time. It’s similar with cars. Such a large data pool is certainly interesting for scientists or researchers in order to draw any conclusions. For run-of-the-mill users like you and me, that’s definitely way too much because we can’t do anything with it.

(sha)