Activation protocol for tracking devices

David Wagner daw at cs.berkeley.edu
Tue Mar 3 22:49:15 EST 2009 

Santiago Aguiar  wrote:
> As I wrote in my last email, in Brazil they are devising a protocol to 
> activate tracking/blocking devices to be installed from factory in 
> *every* vehicle, starting progressively from august 2009. The idea is 
> that a service operator (SO) can activate a device to work with it, by 
> first asking a centralized agency, the DENATRAN (department of transit), 
> that must authorize the activation request. Once activated, the device 
> keeps in that state until the SO deactivates it or until DENATRAN 
> reconfigures the device SIM card remotely to change it IMSI to a special 
> network operated by DENATRAN.

This does sound like it introduces novel risks.  I would suggest that
rather than spending too much energy on the cryptomath, it would make
sense to focus energy on the systems issues and the security requirements.

1) Is the system really intended to allow a single government agency
to deactivate a car, without permission from the owner of that car?
If so, that creates systematic risks that should be examined carefully.
Is there any chance of revising the security requirements, so that consent
of the owner is required?  Good requirements engineering may be able to
make as big a difference as any amount of crypto.

2) Strong audit logs would appear to be important.  In particular, here
are a few ideas.  One might require that anytime a car is deactivated,
a postcard is sent to the owner of that car letting them know of the
deactivation and who authorized it.  One could also require that an audit
log be kept of every deactivation event and who precisely authorized it,
and mandate that the owner of a car has the right to a copy of the audit
log for their own car at any point, without delay.

3) You might consider advocating an opt-out policy, where car owners
can turn off the functionality that allows deactivation of their car
without their permission, and/or turn off the tracking functionality.

4) You might want to ask about what protects the location privacy of
car operators.  Does this system provide a third party with the power
to track the movements of cars around the country?  That sounds like a
serious privacy risk to me.  What controls are there to protect privacy,
surveillance, or government abuse of power?

5) I would think that another possible security concern may be social
engineering: if DENATRAN has the power and is authorized to deactivate
cars, one tempting method to maliciously deactivate someone's car might
be to convince DENATRAN to deactivate it.  How will that be prevented?
What are the procedures that DENATRAN will follow before deactivating
a car?  Are these required by law or regulation?

6) Are there penalties for inadvertent, incorrect, or unauthorized
deactivation of a car?  One possibility might be to require that the
agency or the business pay a fee to the owner of the car if the owner's
car is improperly deactivated.  That might then put the onus of securing
the infrastructure on the folks who can do something about it.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list