Project Lion Cage, About us and how we plan to work S02E02

This project was conceived initially by me. Now I am lucky to be accompanied by a core team of local enthusiasts, bringing the team up to six individuals!

This is us:

Åshild Marie Tveit Walseth : tech enthusiast and tech neurotic, innovation manager in the telco sector, psychological sciences professional by education, terrible sense of humor.

Levin L?ssfelt : pharmacist by education with a heart for technology, working as business and information architect in the health sector. Passion for data protection, writing, reading, gaming, building, cooking. A jack of all trades.

Dániel Horváth : extensive knowledge on complex mobile ecosystems, has been hands-on setting up 2G to 5G telco infrastructures. Dani is also a cloud security advisor… and a driving instructor!

Thomas Frivold : Thomas is the mastermind behind the monitoring architecture. He has established a state-of-the-art system that integrates both hardware and software to intercept and analyze network traffic for our reverse engineering purposes. Day to day he works as a program manager in cyber security and runs a cyber security advisory firm, Frivold Digital AS.

Arild Tjomsland : tech entrepreneur in the mobility sector, process manager, future scenario developer, artist, writer, all-around creative… and vintage car enthusiast.

Me: background as a rocket technician from Andøya Space Center, started to reverse engineer various technologies when I was 12 years old (not fun to be 16 and a tech geek, more fun now) and really loves two things in life, technology and people. Tor loves to sail and likes to invite the Lion Cage team to his sailboat for sailing & discussion lunches.

In addition, this being a community/crowd-sourced project, there are several other people who have or will contribute to the project. Thank you all!

Next let’s have a look at how we plan to work.

Firstly, we’ll sort the risks into a risk picture, to show their impact. The reason is that we want to discuss not only that there are data leakages from the car, but what the real risks of these leakages are. Yes, data are leaking, but how does this translate into risk for me as the owner and driver of the car? If a picture from the car leaks to a cloud service operated by a Chinese NIO operator, this is in itself not a problem unless it is used for something negative. This is what we want to show with the risk picture, and to verify that we have broad coverage of all relevant viewpoints, we use the STEEPV methodology.

STEEPV stands for Social, Technological, Economic, Environmental, Political and Values. The methodology helps us look at each risk through these six viewpoints. The idea here is to get a complete 360-degree view of how technology, in this case a Chinese EV, is affecting our daily life. From this top-level starting point, we can define more specific questions to research.

Below is an explanation of how the STEEPV method can be used in our project. The risk scenarios we plan to outline should cover the following:

  • Social way of life. How we use our car as a part of our family life patterns, as the “glue” in demographic patterns and in social structures.
  • Technology. EVs are packed with advanced technology, and we continue to identify new features, for example the camera in the rear-view mirror. Modern EVs are also kept remotely updated through a large number of providers throughout the world.
  • Economic structures and distribution of economic growth, the industrial structures behind EVs. Competition between the east and west. Is China subsidizing the industry to an extent that makes it impossible for other EU or US competitors? Are there other possible reasons?
  • Political structures and viewpoints. Technologies, and EVs, are a political tool. Regulatory structures try to keep up with innovation. Direct political actions or actions through non-state actors, e.g. pressure groups / paramilitaries.
  • Values in our daily life, deference to authorities, demands for mobility and self-driving EVs. Social relations, status and more.

Our first and main focus is the risks as seen from the owner and user of the car. However, we also want a STEEPV view of the risks as seen from the manufacturer’s point of view. Additionally, we would welcome any and all contributions as to other viewpoints that are relevant, for instance government, regulatory, etc.

If we do this, we can connect the scenarios and risks to the technical findings from the car. We can also visualize this in a heat-map / dashboard to see how likely it is that an unwanted event could happen, and its potential impact.

One example of a risk scenario for the “Social way of life” part of the STEEPV could be the negative effects from all the cameras in the car, and what effect the leakage of these data could have. This is an area where another manufacturer, Tesla, has gotten quite a lot of negative press.

E.g. the article “Tesla owners shared sensitive images recorded by customer cars” could in the NIO case translate into a risk scenario like this:

“Chinese intelligence services are updating their overview of military installations worldwide, and are actively tracking key persons in the military. The intelligence agencies use legislation enforcing the Chinese NIO operator / company to share location of x number of named individuals and using this information to prepare for Y that impacts Z.”

This will allow us to use our findings from researching the car to assess the likelihood of the risk happening.

As previously mentioned, we welcome suggestions for different scenarios!

This is the current setup. Compared to Season 1, this is impressive: we can monitor absolutely everything.

Season 1 covered the following areas:

  1. Where does all the data go?
  2. How much data is transferred from the car?
  3. Voice control functions, where and how are they processed? Are these processed within the car? Are the voice messages transferred somewhere?
  4. Position data. Who will know where the car is at all times?
  5. The automatic driving system, is this contained within the car or can this be overridden? Can anyone drive me off a cliff?
  6. How secure are the vehicle manufacturers’ hosting environments?
  7. How is the car authenticated? Can we be “man-in-the-middle”?
  8. How is the car secured? Can anyone hack the car using remote or close-to-target operations?
  9. How is the mobile app I am using communicating with the car? How is it authenticated? How is it secured? Can we impersonate the app? Should we reverse engineer the app?

Season 1 got a lot of interest! 10,000 reads of the articles, 100+ comments, media calling, and special interest groups within the automotive industry contacted us!

Season 2 will be crowd-sourced and it is up to you to determine what we should do.

Some ideas:

  • Let’s continue eavesdropping on the car. We have made an SSL terminator we could use to see encrypted traffic (as requested in Season 1).
  • Can or should we hack the car? Last round we did not.
  • Risk seen from the user vs the car manufacturer?
  • Is the battery swap a concealed data leakage channel?
  • How is this related to the tense geopolitical climate? We know the Chinese are supporting their industry, but with what and to what extent? Can we put this discussion in a structure?

We would also like to dive into some philosophical/ethical/political discussions, like for instance:

  • How much data are we expected to donate to the manufacturers’ AIs? The car is only self-driving to some extent; we need to give data to allow it to become better.
  • Risk discussion: difference of opinion between security enthusiasts and the car industry?

We have been outlining scenarios and doing scenario modeling in the workshops we have held using Mural, which gives the following structure:

[Figure: Assessing the spread of challenges using STEEPV]

[Figure: Fear mapping]
As previously, we’re looking forward to what will be revealed, and hope you will join us as readers and/or participants!


Next: Technical description on the monitoring setup we have put in place
