Forgot your password?
typodupeerror
Stats Transportation Wireless Networking

Connecting To Unsecured Bluetooth Car Systems To Monitor Traffic Flow 161

Posted by Unknown Lamer
from the drive-slowly-for-maximum-confusion dept.
New submitter TheTerseOne writes "The Columbian, the local newspaper of Vancouver (not BC), Washington (not DC) is reporting that local county traffic officials plan on spending $540k of government money to monitor traffic by connecting to vehicles' Bluetooth systems (whose owners/drivers have left them discoverable). The county claims that, although this sounds 'creepy' and 'like Big Brother,' there is no cause for concern. The specific brand of the system is not mentioned, but similar systems have already been the subject of security alerts." County officials note that they are stripping out part of the MAC, and the system is intentionally designed not to be useful for law enforcement to locate specific devices.
This discussion has been archived. No new comments can be posted.

Connecting To Unsecured Bluetooth Car Systems To Monitor Traffic Flow

Comments Filter:
  • Halifax too! (Score:3, Interesting)

    by Anonymous Coward on Monday October 21, 2013 @01:20PM (#45190639)

    Halifax just did the same thing (though only spent 43k). Only release was the tender process, and no acknowledgement after repeated requests for information.

    • by cayenne8 (626475)
      In other news....

      Smart people start turning off the fscking bluetooth systems in their cars....

      • by rwa2 (4391) *

        Is this a bad thing? I suppose they could just get all their data from the Google:
        http://www.theconnectivist.com/2013/07/how-google-tracks-traffic/ [theconnectivist.com]

        Sounds like the bluetooth-based system is just sniffing bluetooth IDs, not exactly "connecting" any more than when your phone sniffs out discoverable Wi-fi access points but doesn't really try to register with any of them.

        I blame poor article word choice. You can start worrying when they make it illegal to disable your car's bluetooth so they can use the system

    • Calgary (Alberta, not Texas) has been doing this along major routes for a while, and it's fantastic. Road side signs give very accurate updates on the fly as to how long it will take to get to the next major landmark.

      Fantastic.

      • by chinton (151403)
        Does it tell you how long it will take to get out of the cone of snooping?
      • by adolf (21054)

        Around large-ish cities in Ohio, I see similar signage. It is normally spot-on.

        However, in Ohio, these seem to work on data provided by little solar-powered Doppler units mounted on poles and signs along the highway, not Bluetooth. This gives a perfectly reasonable picture of average traffic speed, while remaining completely anonymous and requiring zero end-user hardware except for a large enough vehicle to generate an echo.

        (The results from these Doppler units are available, presumably with additional da

  • Of course (Score:5, Insightful)

    by ArcadeMan (2766669) on Monday October 21, 2013 @01:22PM (#45190665)

    County officials note that they are stripping out part of the MAC (of course they will), and the system is intentionally designed not to be useful for law enforcement to locate specific devices (of course it won't).

    • Until presented with a court order to preserve this information along with a gag order not to mention it. There is no inherent technical or legal protection of this data. The technical side can fix historical data but it trivial to bypass from the point of being served. Legal protection pretty much requires an amendment.

    • by mlts (1038732) *

      Depends what part they strip out. If they drop the manufacturer ID, whoop-de-do, that can be guessed later on.

      Instead of just dropping a chunk that can be possibly rebuilt, how about at the minimum, using a hash of the ID? The ideal would be a salted hash, with the salt a secret (so someone later on can't grab a list of MACs and convert/correlate them with the hashed versions.)

      All that is needed is a unique identifier. The detector for BT devices can just create a salt it stores internally and changes ev

    • by MiniMike (234881)

      They will (initially) remove "about half" of the MAC address. I'm guessing they will be removing the first half, which only identifies the manufacturer. Practically this does almost nothing to reduce the ability to uniquely identify cars. If they remove more bytes it would reduce this ability without much reduction to their ability to monitor traffic flow..

  • CFAA? (Score:5, Interesting)

    by cob666 (656740) on Monday October 21, 2013 @01:31PM (#45190827) Homepage
    Connecting to a computer system without the consent of the owner is still a violation of the Computer Fraud and Abuse Act and a felony the last time I checked.
    • by Mitsoid (837831)

      I don't see a Computer Fraud and Abuse Act for Canada

      Also, it's difficult to charge government organizations for a felony... Its even more so difficult to charge a law enforcement official of doing any wrongdoing unless there's a 100:1 outcry against the officer, and it's on tape, and the officer loses support from his peers.

      • by SirGarlon (845873)

        I don't see a Computer Fraud and Abuse Act for Canada

        The city of Vancouver, Washington is in the state of Washington. TFS gives a strong hint to that effect.

        Also, it's difficult to charge government organizations for a felony...

        That, I think, is GP's point. As a practical matter, the county government doesn't have to worry about complying with the CFAA. We Americans like to think of our country as a nation of laws, but the application of those laws seems increasingly capricious and one-sided.

      • The same kinds of systems are used all over, in many states. Georgia, for example, uses it for vehicle detection in most of the Interstates outside of Metro Atlanta. (In Atlanta they use traditional computer-vision-based detection instead, because it was put in before Bluetooth detection became available and because it gives more detailed data (namely, lane-by-lane vehicle counts).)

        I can only assume the reason the CFAA doesn't apply is that these systems don't "connect" to the vehicles' devices is any meani

    • on the other hand, reading the daily newspapers, maybe it's about time.

    • How are these systems "connecting" to the car's computer system? They are passively monitoring broadcasts from the car.

      • Any different than Google collecting wifi SSID's?

        • The heart of that case involved Google intercepting data sent over an unsecured wi-fi connection, which the sender (stupidly) expected to be private. This traffic system is intercepting data that your phone is intentionally broadcasting publicly.

          Also, the judge in that Google case is a complete moron.

          http://www.dslreports.com/shownews/Court-Declares-Google-Liable-For-WiFi-Snooping-125745

          "So in summation, the court is arguing Wi-Fi isn't radio communications because you can't hear it, and unsecured Wi-Fi ho

    • by houghi (78078)

      And your problem is? Just because something is illegal, unconstitutional, immoral or unwanted does not mean the government can't do it.

    • Really? Merely connecting to a discover-able service is a violation of the CFAA? Could you care to cite the exact part which backs that up?

    • by cgimusic (2788705)
      So, according to you, every time you scan for wireless networks on your computer you are violating the Computer Fraud and Abuse Act?
  • Systems that broadcast to people nearby can be a lot of fun and useful. Game consoles "social" apps, WiFi, safety applications or just allowing passengers to pair to stereo with least amount of effort.

    That is until some asshole tries inevitably tries to collect and aggregate everything. I don't care if it is useful or insecure or you take x measures to prevent y value judgment... you are still an asshole.

  • by Sean (422) on Monday October 21, 2013 @01:38PM (#45190939)

    If you don't want to be discovered with Bluetooth, don't leave your devices in discoverable mode!

    • I've know where you are Mr. "Sync", and I am watching you.
    • That's like saying, "if you don't want to get arrested, don't do anything illegal!" Or am I the only one that got that vibe?

    • by pla (258480)
      If you don't want to be discovered with Bluetooth, don't leave your devices in discoverable mode!

      More to the point - What BT devices actually broadcast their availability continually? Both my cars actually pop up an on-demand 90 or 120 second countdown to show how long you have left to try to pair a device to them; all the devices I've tried pairing to them either do something similar, or even go so far as to do a single active sweep before giving up and going silent again.

      Even as an admitted privacy
      • If you don't want to be discovered with Bluetooth, don't leave your devices in discoverable mode!

        More to the point - What BT devices actually broadcast their availability continually?

        I know the Bluetooth in a VW Jetta will talk to anything within range, until a device actually pairs with it; I also know that when Ford started putting BT capabilities in cars they were notorious for being wide open and beaconing constantly, although I'd wager FoMoCo has done something about it since then (I found out about the issue pre-Sync).

  • by Shoten (260439) on Monday October 21, 2013 @01:41PM (#45190975)

    It should be noted that they are not "connecting" to these devices, just cataloging the ones which announce their own presence. It's pretty fricking passive.

    • Yeah. They are really 'detecting' the BT presence, not connecting. Ignorant reporting is a much bigger problem these days.
    • by omnichad (1198475)

      Didn't stop Google from getting a wiretapping charge when collecting AP data.

      • by adolf (21054)

        That was different: The trouble Google had was that they were recording actual data packets of actual data transmissions, and that this data has no non-nefarious use.

        Had they been merely documenting the broadcast beacon sent by APs, it would not have been an issue. (Just as it has not been an issue for Wigle or Skyhook, both of whom collect geolocation data for APs based on BSSID.)

    • It should be noted that they are not "connecting" to these devices, just cataloging the ones which announce their own presence. It's pretty fricking passive.

      OK, so why not scan my license plate (which belongs to the state anyway), and not my personal property?

      I'll bet the license-plate-scanner equip is probably a lot cheaper to boot.

  • Sampling Bias? (Score:2, Interesting)

    by Anonymous Coward

    Won't this introduce sampling bias, as non-Bluetooth cars are excluded from traffic monitoring? Highways with richer travelers will get more funding than the poor parts of town.

    • by omnichad (1198475)

      It would track those cars' movement through the system - how long to get from position A to position B. I doubt it would be used to monitor traffic quantity - more intelligent people don't have their devices discoverable. So it would disproportionately benefit the stupid. Traffic jams don't usually happen in primarily residential areas. That is, unless your own residential street is being used as a bypass around traffic.

  • while many people will neither know nor care about the effort to smooth out traffic, Vancouver may be mistaken in their zeal. While my old 2001 crown victoria does not include bluetooth, the wireless laptop inside is programmed to dump millions of MAC's per second once a bluetooth connection is solicited, many of them malformed with negative integers, spaces and special characters...

    Sometimes I collect the macs of vehicles in around me, and much like the towers of hanoi spoof them as i pass the readers o
    • Why?

      that seems like an awful lot of effort, for very little gain, other than to show that you can be an ass. What's the point?

      • Why?

        that seems like an awful lot of effort, for very little gain, other than to show that you can be an ass. What's the point?

        His point is that it only takes one asshat to pollute the system, and it's guaranteed that there's more than one. I also remember reading something recently related to this, showing that false info can be fed to google to create non-existant traffic jams in Maps.

        • Why?

          that seems like an awful lot of effort, for very little gain, other than to show that you can be an ass. What's the point?

          His point is that it only takes one asshat to pollute the system, and it's guaranteed that there's more than one. I also remember reading something recently related to this, showing that false info can be fed to google to create non-existant traffic jams in Maps.

          It would be trivial to detect and bitbucket the massive amounts of bad data described, and spamming thresholds low enough to not trigger detection would probably be statistically irrelevant.

          Most major highways and streets rely on hardware sensors embedded into the road anyway. Anything else is supplemental or for less important roads.

  • It seems like the phrase "government money" is dropped in here just to bait arguments. Was there any doubt it was government money? If it were private money, would that be a problem? Wouldn't it be a different problem? Wouldn't "public funds" or "a state/federal grant" have been the same or more accurate?

    From TFA: "The program is being funded primarily through a $540,000 federal grant, with a small match from the local governments." TFA actually has a lot of other good 'geeky' detail, like "3-5% of traffic

  • by psydeshow (154300) on Monday October 21, 2013 @02:28PM (#45191629) Homepage

    This seems really complicated. Why not just track the RFID signature generated by the various parts of the car which are tagged? Tires, replacement parts, items in the trunk, ID badges on the passengers....

  • I mean... legally speaking you can't for example connect to someone's open wi-fi and use it. Look at the shit Google got into with their mapping car...

  • by Opportunist (166417) on Monday October 21, 2013 @02:35PM (#45191749)

    Great. Install it in every politician's car.

    No need for concern, right? Or... got anything to hide?

    Personally, every time someone comes up with some "no need for concern" bull, I say let the politicians in charge be the first to use it. No need to be concerned about the power plant? Great, have the town council move in next to it. No need to be concerned about food? Great, put it on the menu for them. No need to be concerned about surveillance? Great, move politicians to the front row to be under scrutiny.

    If it was required to be used on them first, I'm pretty sure we'd have a lot fewer things not to be concerned about.

  • by Scutter (18425) on Monday October 21, 2013 @03:21PM (#45192435) Journal

    Since it seems to meet the criteria of RCW 9A.52.110, I'd say every attempt to connect is a Class C Felony. However, at the very least, it's a misdemeanor.

    RCW 9A.52.110
    Computer trespass in the first degree.

    (1) A person is guilty of computer trespass in the first degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another; and

              (a) The access is made with the intent to commit another crime; or

              (b) The violation involves a computer or database maintained by a government agency.

              (2) Computer trespass in the first degree is a class C felony.

    [1984 c 273 1.]

    *****************

    RCW 9A.52.120
    Computer trespass in the second degree.

    (1) A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another under circumstances not constituting the offense in the first degree.

              (2) Computer trespass in the second degree is a gross misdemeanor.

    [1984 c 273 2.]

    ******************

    RCW 9A.52.120
    Computer trespass in the second degree.

    (1) A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another under circumstances not constituting the offense in the first degree.

              (2) Computer trespass in the second degree is a gross misdemeanor.

    [1984 c 273 2.]

    • Well, it's definitely not a felony, since there's no intention to commit another crime, and this isn't a gov't database. As for it being a misdemeanor, you'd have to argue that noting down which systems are broadcasting their identification information somehow constitutes "without authorization, intentionally gain[ing] access to a computer system or electronic database of another." If they tried to access the information in your car's system, that would be one thing, but this is no different than just wri
    • They're not connecting or gaining access to anything. They're merely passively recording the information your device is broadcasting.
    • by bws111 (1216812)

      How the hell can you read that and come away with the conclusion that looking at information your device broadcasts is a violation? They're not 'gaining access' to anything, so that automatically rules out all three offenses. Worse yet, you come up with the brilliant conclusion that it is a FELONY. Is your BT a 'computer or database maintained by a goverment agency?' Is there any indication that this supposed 'access' is done with the intent to commit another crime?

      By your brilliant logic, every DHCP, A

  • Your vehicle already had a big bright license plates, in the front and the back, advertising your license plate number to anyone who cares to look. People, cameras etc. etc. And yes we have had automated readers of license plates for quite some time. What sort of *new* privacy concerns does the bluetooth device introduce?

    • This is different from reading license plates in that it's a lot less effective for tracking people (since bluetooth MAC addresses aren't tied to people's identities in a government database from the get-go like license plates are). It's also likely much cheaper.

      • by linuxguy (98493)

        My question was: "What sort of *new* privacy concerns does the bluetooth device introduce?"

        Your answer seems to imply that the older method of reading license plates is a more precise privacy busting tool. If that is correct then we are in agreement. The hoopla over bluetooth scanning of vehicles is unwarranted.

UNIX was half a billion (500000000) seconds old on Tue Nov 5 00:53:20 1985 GMT (measuring since the time(2) epoch). -- Andy Tannenbaum

Working...