With the development of a new generation of energy technology, Internet of Things technology, communication technology and artificial intelligence technology, the global automotive industry has started a transformation towards “electrification, intelligence, networking, and sharing”. Data has become an important factor driving the development of intelligent and connected vehicles, and the importance of vehicle data security has become increasingly prominent. Recently, the “Data Security Law” and “Personal Information Protection Law” have been released successively. Combined with the “Cyber Security Law” passed in 2016 and the “Cyber Security Review Measures” passed in 2020, the country’s management system framework for cross-border data transmission security has preliminarily taken shape, and the “Several Provisions on Automotive Data Security Management (Trial)”, to be piloted on October 1 this year, also sets out clear regulations for the export of automotive data. In this context, CNCERT, relying on macro data, cooperated with the Institute of Intelligent Mobility (ICMA) to analyze the recent data export situation of 15 mainstream models, and the results are as follows.
1. A large volume of car data, such as vehicle identification numbers, leaves the country
Just as the ID number is the unique identification of a Chinese citizen, the vehicle identification number is the unique identification of a car. A total of more than 1 million domestic vehicle identification codes were found leaving the country over the Internet. The daily statistics are shown in Figure 1. The maximum number of exits in a single day is nearly 83,000.
Figure 1 Daily statistics of vehicle identification code exiting the country
The results show that, starting from a certain date in July, a large amount of data has left the country every 7 days. In-depth analysis found that the data center of a car city in China mainly transmits the data of a certain brand of automobiles to the data center of an e-commerce service company located overseas, and it is presumed that the data is mainly used for automobile sales. Excluding the 5 days of intensive transmission, the average number of transmissions per day is still about 7,000. On the whole, the amount of car data going abroad is large and the frequency is high.
2. The scenarios of car data going abroad are complex and diverse
A total of 45,638 domestic IP addresses with car data export behavior were found, covering all 31 provincial-level administrative regions in China. The number of IP addresses and the number of car data exits in different application scenarios are shown in Figure 2 (“Other” in the figure includes CDN and other situations).
Figure 2 The number of IP addresses and the number of car data exits in different application scenarios
The number of IP addresses in the home broadband scenario is the largest, reaching 36,293, but the number of car data exits for each IP address is relatively small, which is presumed to be mainly the overseas access behavior of individual users. The number of IP addresses in the data center scenario ranks second, reaching 5,838, and its number of car data exits ranks first, reaching 944,078, but the responsible entity of a data center is difficult to trace. There are 1,798 enterprise private line IP addresses, ranking third, and the average number of car data exits per IP address is up to 27, second only to the data center scenario. An enterprise private line IP address is generally exclusive to a certain enterprise or organization. For the enterprise private line scenario, a total of 791 identifiable units were found. As shown in Figure 3, the types of identifiable units cover automobile sales and maintenance services, automobile manufacturing, logistics and passenger transport, government affairs, insurance and property rights transactions (“Other” in the figure includes scientific research institutions, banks, etc.). Overall, car sales and maintenance service enterprises accounted for more than 50%.
Figure 3 Distribution of identifiable responsible subject types
3. Car data export behavior is common
Car data from a total of 15 brands was analyzed, of which 12 showed outbound behavior, a coverage rate of 80%. Among them, the number of exits for the brand ranked first reached 413,435. The specific situation is shown in Figure 4. Overall, car data export is not just the individual behavior of a certain car brand, but a general behavior involving many car brands.
Figure 4 Car brands to which outbound car data belong
4. Outbound data involves personal information and important data
The analysis found that some of the outbound data involved personal information and geographic location information such as ID number (driver’s license number), driver’s license file number, license plate number, mobile phone number/fixed phone number, address, and longitude and latitude; the details are shown in Table 1. Among them, the ID number and latitude and longitude data have been sent out of the country more than 10,000 times. Personal information involves the personal privacy of citizens, and geographic location information involves the driving trajectory of the car. They can be combined with car data to restore the driver’s identity and car information, form a driver’s portrait, and then be combined with latitude and longitude to form an activity trajectory.
Table 1 Personal information and geographic location information leaving the country
Based on macro data, CNCERT and ICMA analyzed the current situation and characteristics of China’s automobile data export from four aspects: the number of automobile data exits, exit scenarios, exit brand coverage, and important data exit behavior. CNCERT and ICMA will pay long-term attention to the security of car data going abroad, and continue to carry out data analysis and situation reporting.