Automotive Forensic Experts: How is car data actually analyzed?
Immo Bornhagen is an expert in data forensics. In the c’t conversation, he provides insight into how vehicle data is analyzed and why data processing in the manufacturer’s cloud should be regulated.
c’t: Who are your typical customers?
Immo Bornhagen: These are mainly prosecutors and courts. Sometimes also appraisers or motor vehicle experts who are responsible for reconstructing accidents.
c’t: What exactly are the tools you use to analyze vehicles?
Bornhagen: It depends. When we read multimedia information, for example, we use hardware and software from Berla in the United States. The Bosch CDR (Crash Data Retrieval) kit is primarily used for crash research. Neither are “secret” tools. They are sold publicly, but you have to prove to Berla and Bosch that you are in the field of automotive forensics.
c’t: Is it necessary in some cases to extend the control units in order to extract data?
Bornhagen: As far as crash memory is concerned, official interfaces are sufficient. With the data from the MMI (multimedia interface, ed.), you usually need to remove the main unit from the vehicle.
c’t: So it’s relatively easy to read vehicles?
Bornhagen: No, it’s not that simple. Imagine being called to a vehicle. You get detailed information about the car in advance: what devices are installed, what MMI is in the vehicle. You come in, remove the MMI and realize: It’s a completely different model. This is how we recently experienced it with a Mini Cooper: On site, it turned out that a lower quality multimedia interface was installed. This means that the previously selected interfaces do not match and there is no way to read the device without completely disassembling it.
Some of these limitations can be worked around with a few tricks. The question always arises for us whether this would be legally permissible or whether the knowledge thus acquired could even be used in legal proceedings, for example.
c’t: Are there some vehicle types, manufacturers, years or classes that can be read more easily than others?
Bornhagen: Ultimately, it goes across the board. It should of course also be noted that Berla, as the manufacturer of the analysis tool, essentially has to reverse-engineer. Programmers roll up the field from behind and try to get information through known routes and constantly adapt the analysis software. The manufacturers of the various control units and HMIs do not reveal anything themselves.
The age of the vehicle also does not allow direct conclusions to be drawn. But when you can access the data, there is usually a lot of it. Younger vehicles have hard drives with a capacity of up to 1TB.
Without the MMI, however, the hard drive is of little use because the data is encrypted. The reverse applies: if you have access to the MMI, sooner or later you will also have access to the data. In general, the subject of encryption is getting worse and worse for us – from a consumer perspective in terms of data protection, it just gets better and better.
c’t: What bus systems do you use when extracting data?
Bornhagen: The standard access remains the OBD interface, behind which today is generally a CAN bus. We sometimes read accident data directly from the control unit. The Bosch CDR Kit can be wired directly to the Event Data Recorder (EDR) so that accident data stored there can be accessed. With HMIs, this differs from manufacturer to manufacturer. Sometimes a USB connection is sufficient, sometimes a serial connection has to be used.
c’t: To what extent is this data protected against manipulation? What if someone purposely stores the data beforehand?
Bornhagen: A good question. Let me put it this way: even the discerning layman is not able to easily store data from outside in the vehicle. With the tools we use, it is not possible to import data into the vehicle electronics.
In theory, perhaps the data could be transferred from one system to another. It should then be absolutely identical in all details. Sensor information from a wide variety of areas converge in the vehicle. The resulting data structure cannot be easily reproduced.
“It’s been a long time since I’ve shaken my head at people’s passion for data collection.”
c’t: Imagine you have a vehicle built in 2030 in your workshop. Will you still be able to read something?
Bornhagen: Why not? There has to be some kind of interface in 2030 as well. What else would they do with all the data collected if it couldn’t be read?
c’t: Uploaded to the manufacturer’s cloud?
Bornhagen: Yes, maybe. Tesla is apparently already doing this today. Even driving data is likely migrating to the cloud. When all vehicles are networked at this point, regulatory changes will still need to be made to clarify who is ultimately allowed to do what. This applies to both storage and access to data.
c’t: When we look at the user data collected by smartphone apps on c’t, we are often amazed at what is collected there. Do you feel the same with cars?
Bornhagen: Almost a philosophical question. Data is initially generated and collected by countless sensors and probes in the vehicle. The vehicle then starts something with the data in order to implement a specific function. The question is how long the data should be kept and to what extent the manufacturer has access to it. More data savings would be appropriate.
Post-mortem analysis of computers is part of our daily activities – I haven’t shaken my head at people’s passion for collecting data for a long time. It’s the same with cars. Such a large pool of data is certainly interesting for scientists or researchers to draw conclusions. For ordinary users like you and me, this is certainly way too much because there is nothing we can do with it.
In this 1/2022 we are on four wheels. Modern cars collect data about occupants and the environment that arouse desire. Is there still a chance for privacy? We’re also dedicated to open source material that can be accurately reproduced with good documentation – from cargo bikes to laptops. You will find number 1/2022 from December 17th in the Heise boutique and at the well-stocked newsstand.