DSRC: The Privacy and Security of Vehicle-to-Vehicle Communication

In 1999, the Federal Communications Commission authorized an allocation of 75MHz of the 5.9GHz spectrum band for “Dedicated Short-Range Communication” (DSRC).

The auto industry and the Department of Transportation urged the FCC to adopt rules for DSRC that enabled both non-commercial life and safety applications, and commercial applications, such as mobile payments at gas stations. At that time, the Commission did not consider the privacy and cybersecurity implications of this decision.

Seventeen years later, the National Highway Traffic and Safety Administration (NHTSA), the branch of the DoT that regulates the safety portion of the 75MHz, intends to require all new model cars have “DSRC units” installed, which will enable vehicle-to-vehicle communication. Of course, unlike other technologies we use today, a DSRC unit is useless in preventing a collision unless the other vehicle involved in the collision is also equipped with a DSRC unit.

The auto industry intends to deploy DSRC not only for collision avoidance, but also in order to offer commercial services such as mobile payments, in-car advertising, and infotainment systems such as video streaming.

The ability of DSRC units to monitor and report detailed personal information about driving habits of individuals raises major concerns for personal privacy. When coupled with storage of financial information and purchasing information through future mobile payment applications, or the use of DSRC streaming capability for delivering advertising or entertainment, the substantial risk DSRC creates to personal privacy grows exponentially.

Even more troubling is the way in which the failure to impose adequate cybersecurity obligations on DSRC licensees and operators threatens the safety of our nation’s roadways. This is particularly concerning in light of the fact that hackers have demonstrated the ability to seize control of braking, steering, and acceleration functions, which would allow a hacker to remotely crash vehicles.

Based on the way they communicate, DSRC units provide an access route for malware to spread directly from car to car, enabling hackers to steal the personal information of drivers and leaving cars open to “ransomware” and coordinated terrorist attacks. When combined with the impending NHTSA mandate to require all new model cars to have DSRC units installed, the number of cars capable of spreading malware will grow exponentially over time.

We ask the FCC to adopt the following safety measures before permitting the auto industry to deploy DSRC for American vehicles:

1)   Limit DSRC to life and safety uses only. The auto industry plans to take spectrum allocated for safety of life and monetize it with advertising and mobile payments. This compromises cybersecurity and potentially violates the privacy of every driver and passenger. No other live-and-safety band permits commercial use.

2)   Require automakers to file a cybersecurity plan before activating DSRC systems. This plan should not only show that auto manufacturers have taken the appropriate precautions today, but explain how they will update security over the life of the vehicle.

3)   Data transparency and breach notification. Auto manufacturers must inform purchasers of DSRC-equipped cars what personal information they collect and how they will use that information. In the event of a data breach, the manufacturer collecting the information must notify the customer.

The FCC needs to act quickly. GM intends to deploy DSRC-equipped cars within the next few months, leaving drivers vulnerable to cyber-attacks and privacy violations without any NHTSA protection. Although NHTSA has jurisdiction over the life and safety portion of the 75MHz, only the FCC can properly secure the full 75 MHz of spectrum allocated to DSRC.

Furthermore, the auto industry claims that it cannot share any portion of this spectrum for unlicensed uses such as WiFi because it would cause harmful interference, placing the lives of drivers at risk. But there is no evidence that the auto industry needs the full 75MHz of spectrum for the life and safety applications of DSRC. The FCC needs to test this to determine exactly how much spectrum is needed for life and safety and what level of interference there might be. This is a significant amount of spectrum that is not being fully utilized by the auto industry. The FCC should allow devices to share any portion of the 75MHz of much-needed spectrum, not used for safety, on an non-interfering basis. Check out our video and podcast episode below to learn more.