Security and Privacy Consideration for Vehicle APIs

W3C

This version:
https://www.w3.org/TR/2024/UD-auto-security-20240227/
Latest published version:
https://www.w3.org/TR/auto-security/
Previous version:
https://www.w3.org/TR/2025/***-auto-security-20250502/
Editor:
Junichi Hashimoto (KDDI)

Copyright © 2024 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and permissive document license rules apply.

Abstract

Hit 't' to change languages.

This document describes security and privacy consideration for implementing and utilizing the Vehicle APIs (Vehicle Information Access API, Vehicle Data Specification, and Vehicle Information Service Specification). This document supposes an IVI (In-Vehicle Infotainment system), and presents a typical architecture, recommendation to be referred and privacy protection. It also describes best practices for restricting API use to specific developers or application

This document does not provide a comprehensive risk assessment for IVI with Vehicle APIs. Instead of that, this document discusses points that required special attention.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This document was published by the Automotive Working Group as a .

Comments regarding this document are welcome. Please send them to public-auto-privacy-security@w3.org (archives).

Publication as a does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 1 March 2019 W3C Process Document.

1. Introduction

For the use on passenger car's IVI (In-Vehicle Infotainment System), Automotive WG published three specifications: Vehicle Access API, Vehicle Data Specification, and Vehicle Information Service Specification. These APIs are not a direct interface that accesses car system but an indirect interface that obtains sensor data or changing values by sending requests. In ordered to investigate domain specific issues that may be caused by these non PC-oriented APIs, Security and Privacy Task Force was formed under the working group and business group. This document reports the result of the task force's study.

Primary concern of automakers is the safety of passengers. Vehicle APIs or IVI that implements the APIs should not compromise safety. Hence, this document focuses on not only API implementation but also IVI design. Document structure is as follows: Section 2 lists up API use cases and concerns that the task force has collected. Before discussing each concern, section 3 provides a model architecture of IVI, IVI environment and composition of the web runtime and applications. And section 4 introduces fundamental web security technologies which are commonly supported on today's browser and should be supported on IVI as well. Then section 5 extracts requirements from the use cases and shows strategies to tackle them. Finally, section 6 gives an overview of on-going activities that are taken for web, automotive, security and privacy.

This document focuses on security and privacy concerns and provides strategies to tackle them. It does not provide a certain risk assessment or endorses that conformance to this document solves thease concerns. Implementer should perform a precise risk assessment and must err on the side of caution. Also this document does not provide hardware requirements nor an entire design of IVI. For these purpose, we recommend to refer more general specifications:

1.1 Document Conventions

TODO: Mark up

Conformance requirements are expressed with a combination of descriptive assertions and [RFC2119] terminology. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and " OPTIONAL" in the normative parts of this document are to be interpreted as described in [RFC2119] However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

2. Use cases of APIs

On the process of Vehicle APIs formulation, Automotive WG has investigated use cases and concerns that would be brought by current APIs or the future revisions. Following is the summarized item list.

Note that the items come from free expectation for connected car and does not define requirements. Also API specifications does not guarantee that each item is feasible.

  1. 1.(48) Intrusion Alert Driver/Owner wants to be alerted if their car is intruded.
  2. 1.(50) Exclusive Control During the driving, prevent other users from login and controlling the vehicle.
  3. --4.(04)-- Anti-tampered Data As an insurer, I need to be sure that probe data is not tampered.
  4. Authorized Device High-reliability system, such as Advanced Driver Assistance System (ADAS) Controller, accepts input from authorized onboard sensors or authorized external source(s)
  5. --4.(12)-- Virtual Trip Driver and/or passenger(s) in car want to share journey with virtual passenger(s) that are not in car
  6. !--4.(52)-- Home Security Sensors and cameras in the car are included in the set of sensors providing input to customer (and e.g. neighbours) home security alarm. To do this the vehicle and home alarm system will need to mutually authenticate so that home alarm trusts inputs and customer's vehicle only provides input to alarm system(s) selected by the customer. Normally just their own system, but e.g. in future, a neighbourhood watch group could agree to share external sensor / camera data
  7. !--4.(53)-- Seamless Data Use Media (including photos, videos, music (subject to DRM licensing)) is seamlessly shared between all of the user's devices including their car and with offline cloud storage e.g., User's Dropbox, OneDrive etc account. User can seamlessly view and play their content on any device including their car. Requires that each device or service that the user has content stored on can securely share the user's content. To do this, either the device or the identity of the user logged in on the device or service will need to be verified before content can safely and securely be shared between devices. If content is to be seamlessly downloaded from cloud storage, may need to obtain and use security token (e.g. OAUTH2) to access user's content.
  8. -4.(55)-- Public Traffic System*** Vehicle suspension sensors, front facing cameras etc can detect damage to road surface (potholes, broken manholes, broken drain covers etc) and communicate location and details of damage to other vehicles and to the local authority responsible for repairing roads. Vehicle needs to prove its identity to other vehicles and to local authority service so that input can be trusted.
  9. 2.(11) Set for Critical Control Advanced Driver Assistance System (ADAS) Controller sets safety critical controls when driving vehicle
  10. 2.(16) Set for HVAC IVI system shows the status of various climate control equipments as GUI and lets a user control it via touch screen. (Even set API is not recommended)
  11. 2.(17) Remote Window Control A user uses his smart devices to remotely check whether side windows of his parked car are closed or not, and to send a request to the car for closing it if opened.
  12. 2.(18) Remote HVAC Control A user uses his smart devices to start his car remotely, and turns heaters on to warm up the car inside before getting in the car.
  13. 2.(25) Remote Door Lock Driver would like to remotely lock/unlock vehicle.
  14. 2.(28) Remote Seats Configuration Driver would like to configure seat settings remotely.
  15. 2.(32) Set from Cloud Service Automaker only wants to allow remote settings via cloud not by direct connection.
  16. 2.(49) Exclusive set One "Set" API is only allowed to accept input from one source at one moment
  17. 3.(03) Application Audit As an OEM, I don't permit any application to use Vehicle APIs without my check.
  18. 3.(09) Trusted 3rd Parties Ability to query registry of trusted 3rd parties, retrieve identification mechanisms
  19. 3.(24) Drive Event Log 3rd party would like to see log of driving events
  20. 3.(27) Report to Owner Vehicle owner subscribes to 3rd party monitoring of vehicle data and trouble codes to ensure vehicle is running in good health
  21. 3.(29) API Limitation*** Automaker has access to all data elements including elements such as those relating to vehicle quality or operating data whereas application developer only has access to subset.
  22. 3.(45) Automated Window Operation Service monitors weather and checks if windows are open, they are closed.
  23. 3.(51) Permission for Log History An application can only access the log created by itself
  24. 6.(35) Identification of Driver Current driver is identified.
  25. 6.(36) Identification of Passengers Family is travelling in vehicle and all passengers are identified.
  26. 6.(38) Toll Payment Driving across toll bridge or parking at a charged space, the responsible party is identified and payment from their account is made.
  27. 6.(56) Personal Basis Services IVI apps such as recommendation, reservation, shopping, pay-per-use service, etc., should operate in a personal basis, which means that apps and its API have to be changed by driver/user.
  28. 6.(60) Protection for Personal Data E-commerce from the dashboard for drivers’ purchases of fast food, gas, etc. has been available. Cars become hackers' and rogue mechanics’ target for identity theft (credit card numbers, home address, e-mail information and all the other personal details).
  29. 5.(57) Sensitive Location Consumer has some locations he/she does not want other people to know. (Home, religious site, specialized hospital, secret 3rd place, etc.)
  30. 5.(58) API Control by User Consumer has less right of choice for data elements, rectification and erasure of data.
  31. 5.(06) Destination of Personal Data I am willing to provide vehicle data for traffic monitoring, but does not want a police officer to know my destination and the exact speed of my car.
  32. 5.(08) Data Granularity control As a user, I'd like to apply different data granularity depending on whom to send the data.
  33. 5.(01) Removing Personal Data As a user, I'd like to remove any private data from the car when I leave.
  34. 5.(15) Do Not Track for Vehicle When I turn DO-NO-TRACK on, I expect any of my activities are not monitored nor recorded
  35. 5.(05) Exception for Do Not Track I usually set "Do Not Track", but help me immediately after the accident.
  36. 5.(19) Prior consent for data use If users agree to provide vehicle information to the weather station, many cars can be used to get weather information such as amounts of rain and ambient temperatures.
  37. 5.(21) Record for accident IVI records the scene before and after an accident (for insurance or testimony)
  38. 5.(23) Log Transparency Driver would like to see log of ADAS/driving events
  39. 5.(39) Alert for Car Condition Customer is alerted to low tire pressure, repair locations are recommended.
  40. 5.(40) Emergency** Emergency responder is called to accident, vehicle reports who is in the car and can report if there are existing medical conditions

As described above, the expectations are not limited to Web APIs and the concerns should be treated in IVI system rather than API implementation. In the rest of this document, we provide a model architecture of IVI first and introduce fundamental W3C recommendations that supports web securities. Then we discuss issues that are derived from above list.

3. Model Architecture

This section provides a model architecture that Vehicle APIs expect. The readers could refer [GENIVI] or [AGL] for more precise architecture.

Fig. 1 shows that an IVI is located where it has access to both the internet and CAN (car area network). Typically, a web application is downloaded from the internet and executed on the IVI. The application obtains car information via Vehicle APIs and it does not have any other way to access car information.

CAN - (X) - IVI - (Y)- Internet
Figure 1 Environment around IVI

An IVI consists of an operating system and a web runtime that executes web applications. Vehicle Information Service specification requires a local server as well. Web runtime in this document stands for a module that provides UI and sends requests to OS according to a given html/js/css description.

Fig. 2 shows possible application types.

Normal content
Browser (User agent) downloads contents from the internet and executes them.
Webview based
Application uses webview to execute web contents, which is a part of application in most cases.
Native App
Application is provided in a platform native format.

Figure 2 Three application types

Webview type applications could have web contents that utilize Vehicle APIs in its package as a part of asset data. For this type of application, the market operator (i.e., the application distributer) could review application and reject them if they contain malicious codes.

Vehicle APIs provide car information in two ways. Vehicle Information Access API, a DOM API, provides an interface for Normal Content and Webview type applications.

If one is web runtime implementer and develops IVI as well, he/she hopes to provide car information in the same manner for all types of application. In this case, Vehicle Service Specification is preferable to be implemented.

4. Common Web Security Techniques

Followings are fundamental W3C recommendation for considering web security. User-Agent which implements Vehicle APIs must implement them as well.

Service provider should utilize above recommendations efficiently and incorporate general techniques of web security so that malicious code cannot be executed in IVI. Example techniques are as follows.

5. Vehicle Specific Requirements and Strategies

Use cases and concerns listed up on section 2 are vary in both domain and level. We derive three common requirements from them; (1)how to keep health of system and data, (2)how and who restricts API usage and (3)what is the standard policy to protect data owner's right. This section focuses on these topics and discuss strategies for them.

5.1 System and Data Health

The previous section introduced basic web security technologies. The technologies relies on the integrity of the base platform. This section focuses on the environment where web runtime runs and discusses its security requirements.

IVI is connected to networks and there are the same kinds of threats that exist on PCs such as unauthorized accesses or malware intrusions. To protect system from these threats, proactive protection and system update are effective.

As for proactive protection, IVI system should be designed as a set of independent modules to prohibit unnecessary accesses in both of physical and logical ways. Vehicle Information Service Specification has a model architecture where a request is passed from application to car through several modules. This multi step architecture makes it harder for a malicious code.

System update is critically important to keep system safe from attacks. Once a security hole is found, system should be updated as soon as possible. [CVE] continuously announces vulnerabilities of various OS and web browsers. In several layers such as web runtime, libraries or OS, IVI should be designed to be promptly updatable. The more serious vulnerabilities should be given priority to be fixed. [CVSS] helps to quantify vulnerability impact.

The process of system update itself often has vulnerabilities and has been attacked. ISO will define an update protocol (x.itsec-1) for software that works on car soon. The protocol could be utilized for system update for IVI as well.

To check system health is not easy because the checker itself might be tampered. Dedicated hardware helps to do it securely. [TPM] realizes highly anti-tampered electric sign and improves integrity of report that a car would send to a cloud server.

5.1.1 Protection against Intrusion and Attack

Generally, the capability of web application is restricted; for instance it does not have access to local files. It is difficult for a web application to attack a system compared to a native application. On the other hand, web runtime itself is a huge and complicated software and it has had vulnerabilities such as implementation bugs or memory corruption on its plug-in.

To prevent downloading a malicious application, system could filter URL from where code is provided. For instance, [SafeBrowsing] provides a blacklist filter that covers hosts that distribute malwares or that are suspected as phishing sites.

Removing malicious code at client side will be a solution if the public filter does not know yet that a site is a malicious one. A local proxy server can be used for such sanitizing task. Because the local server is independent from other applications or modules, the server can be updated without changing web runtime.

There are several security researches that successfully attack car systems from remote. In these studies, vulnerabilities of modules around IVI become first step of the attacks. These modules include wireless access points equipped on car, faked cellular station and cloud servers that authentication have a problem. IVI security should be designed to have less dependency on these modules.

To prevent unauthorized access, system should expose services only if they are necessary. E.g., Vehicle Information Service Specification defines a local web server but only clients on the same machine need to have access to the server. Therefor the firewall of IVI should reject packets that come from outside. For the VIS implementation, other server side security technologies can be applied as well, The specification describes details.

In case that a malicious code comes into inside of IVI by passing those filters and executed, IVI should have a functionality that detects abnormal behaviors of application and terminates it.

5.1.2 Data Integrity

Data integrity is necessary for some kind of services. ADAS works appropriately based on correct data. An insurance company may make better offer for safer drivers. Public traffic information should not broadcast misinformation. There are incentives to falsify data for monetary value or mischief on these services.

The previous section discussed protection against attack from outside. But data might be tampered by a malicious end user as well. In the domain of smart phones, OEM tries to keep user away from core functionalities of a device. However it is very hard to prevent attack from user entirely.

Vehicle APIs currently have no solution for the case that data from platform is possibly tampered. This issues will be focused in the future by having consistency with other W3C recommendations. Service providers should take this possibility into consideration and decides how to treat obtained data.

5.2 API Availability

For most DOM APIs, implementers provide an API implementation and developers utilize it with no limitation. Hence developers have access to current time, user input events and page scroll without any permission. This unlimited use can cause user inconvenience or privacy risk, so some API, such as Geo-location API, requires user's permissions.

Today, some browser detects abnormal call of API, such as alert popup, and asks user whether to stop subsequent requests. Frequent API call is strongly suspected as malicious behavior but there is a small possibility that it is an intentional behavior.

For Vehicle APIs, to ask user about each behavior is distant idea. There are more than hundred data points and most users would feel difficulty to answer the question properly. Therefore implementer should consider API limitation on behalf of users.

5.2.1 Set Method

Vehicle Data Specification defines data points and Vehicle Information Access API provides 'set' to modify the data, 'get' to obtain current value and 'subscribe' for continuous report.

For some data points, 'set' is meaningless. Fuel type or gyro could not be changed in nature. There is another type of data points that the value should not be modifiable because of safety or maintain purpose. Engine speed and distance-since-total name? are categorized into this type. 'Set' for these data points should be failed with 'invalid_operation' error.

'Set' interfaces is mainly expected to be used for non critical data points such as HVAC system. With having safety consideration, implementer may or may not implement 'set' for HVAC.

isSettablle?
Yes -> isHVAC?
Yes -> isSafe?
Yes -> implement
Figure 3 Decision flow to provide set

'Set' implementation needs resource lock mechanism not to cause race conditions. Imagine that two applications A and B work at a time, and app A tries to heat up a room while B tries to cool down. Or imagine, application A senses rain and tries to close window and sunroof. Application A should be given both of control or none of them. Otherwise the consequent result will be unexpected.

5.2.2 Best Practice for Access Control

To have access with some kind of API, each [ORIGIN] need permission which is granted by end user. Implementer should keep this manner for Vehicle APIs as well and provide option that end-user can present their preference.

Some of data points defined by Vehicle Data Specification might not be preferable to be public from the perspective of implementers. Specification allows implementer not to expose these data points. Also, considering user's benefit, an implementer would like to expose some of data points only to certain 3rd parties or authorized contents. Here is best practices to realize such access control.

  1. Web runtime is able to recognize the origin of web contents. It could allow the origin to access the API only if the origin is listed in a given white list.
  2. IVI could have a web proxy for code sanitization. This proxy could also remove certain call of APIs.
  3. If the API is implemented as a polyfill of requests for a local web server, the web server could filter requests by [OAuth] or [CORS] framework.
  4. If IVI supports native application, permission model of native OS and a market system for the OS could be utilized to reject suspicious applications. (The native operating system should have a permission to have access with vehicle information)

5.3 User's right for their data

Vehicle data and its location data are considered as "personal data" because a driver or the owner of a vehicle is easily identifiable by correlating with information from other sources. Therefore, these data should be treated as object information for privacy protection. However, the way of privacy protection may differ by individual, by situation, and by local regulation.

Service provider must protect end-user's privacy when they send out location or information from Vehicle APIs. Followings should be proceeded and information has to be treated in complying with user preferences.

User agent should ask user's permission when an application tries to use Information Access API. The answer could be stored for future API use by the same origin but user agent should provide UI to change the preference.

5.3.1 DNT and its Exception

The Do Not Track ([DNT]) is the proposed HTTP header field that requests that a web application disables either its tracking or cross-site user tracking of an individual user. In view of peculiarity of automobile, in the event of emergencies to protect the vital interests and property of an individual, temporal deactivation of DNT function may be required.

Including DNT, exceptions for privacy protection is not implicitly allowed. A questionnaire performed by a contributer of task force shows that there are non-negligible number of people do not want to provide their privacy information even if they are facing an emergent situation. Service provider should have explicit consent for use of private data in advance.

5.3.2 Multi Drivers/Users

A driver would have number of cars and a car would have multi number of drivers. For the latter case, the drivers could be one's family or could be one's collogues. IVI, therefore, should keep their personal data and preference in secret not to be seen from other drivers Personal information includes followings:

  1. Trip information such as places visited, roads taken, number of passengers
  2. Password or serched word inputted on forms
  3. Payment data such as credit card number
  4. Visited site information
  5. Site data, such as Cookies, Indexed DB

To use different profiles for different users, IVI has to implement user authentication and login. It is natural that operating system provides this functionality but web runtime also could be the provider. In any implementation, this profile change should be transparent from applications.

On the other hand, service provider should take into consideration that an IVI will be shared with multi user. For the purpose of user authentication, "account and password" have been used but that is not friendly for drivers. [FIDO] allows service providers to realize convenient authentication.

User would use a service in deferent situation. Appropriate contents for driving with family would be different from moving with collogues. Service provider should consider this possibility and should be careful to display contents based on one's preference.

A driver might be different from the car owner. The car could be owned by a company or could be shared with friends. In these case administrative operation should be permitted to the owner and drivers should be kept away from the operation. Here is faculties which should be allowed only for owners.

  1. Adding user, deleting user
  2. Adding application, deleting application

In principle, even the owner should not be able to see other driver's personal data without their consent. If an IVI needs to exposes these data for the purpose of user's benefit, the IVI should ask user in advance.

A. References

A.1 Normative references

[CORS]
Cross-Origin Resource Sharing. Anne van Kesteren. W3C. Recommendation. URL: https://www.w3.org/TR/cors/
[CSP]
Content Security Policy Level 2. Mike West; Adam Barth; Dan Veditz. W3C. Candidate Recommendation. URL: https://www.w3.org/TR/CSP/
[DNT]
Tracking Preference Expression (DNT). Roy T.Fielding; David Signger. W3C. Candidate Recommendation. URL: https://www.w3.org/TR/tracking-dnt/
[FIDO]
Member submission FIDO 2.0: Web API for accessing FIDO 2.0 credentials. Hubert Le Van Gong; Dirk Balfanz; Alexei Czeskis; Arnar Birgisson; Jeff Hodges. W3C. Member Submission. URL: https://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/
[HTTPS]
HTTP Over TLS. E. Rescorla. IETF. Infomational. URL: https://tools.ietf.org/html/rfc2818
[OAuth]
undefined. D. Hardt, Ed.. IETF. Proposed Standard. URL: https://tools.ietf.org/html/rfc6749
[ORIGIN]
The Web Origin Concept. A. Barth. IETF. Proposed Standard. URL: https://tools.ietf.org/html/rfc6454/
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
[SafeBrowsing]
Google Safe Browsing. Google Inc. URL: https://developers.google.com/safe-browsing/

A.2 Informative references

[AGL]
Automotive Grade Linux Requirements Specification. Linux Foundation. URL: https://www.automotivelinux.org/sites/cpstandard/files/pages/files/agl_spec_v1_280515.pdf
[CVE]
Common Vulnerabilities and Exposures. CVE. URL: https://cve.mitre.org/
[CVSS]
Common Vulnerability Scoring System v3.0. FIRST.Org, Inc. URL: https://www.first.org/cvss/specification-document
[GENIVI]
GENIVI Reference Architecture. GENIVI Alliance. URL: https://www.genivi.org/sites/default/files/resource_documents/GENIVI_Reference_Architecture_29Oct2015.pdf
[ISO26262]
Road vehicles -- Functional safety. ISO. Published. URL: http://www.iso.org/iso/catalogue_detail?csnumber=43464
[ISOIEC15408]
Common Criteria for Information Technology Security Evaluation. ISO/IEC. Published. URL: http://www.commoncriteriaportal.org/cc/
[TPM]
TPM Main Specification. Trusted Computing Group. URL: http://www.trustedcomputinggroup.org/tpm-main-specification/