How does your drive home from work begin? Do you consider whether your vehicle might be hacked on the way home? The answer is likely no, but with multiple automakers promising fully automated vehicles by 2021, that reality will soon be something we all have to deal with.
The Internet of Things (IoT) has already been revealed to have numerous weak points, as was demonstrated in October with the internet-crippling attack against backbone internet provider, Dyn. That attack was carried out using a botnet comprised of webcams and other small devices.
If a network of webcams is capable of taking down services like Twitter and Reddit, what could the outcome from a larger attack look like? For example, an attack on connected cars?
While the technology to make cars physically navigate a roadway has been available—and good—for quite some time now, it’s the unanswered questions that make deploying self-driving such a roll of the dice.
For self-driving cars to make informed decisions about where to go and how to behave in traffic, every vehicle on the road must communicate with a system so the cars get information about their surroundings. They will be completely reliant on network resources and the IoT, which renders these cars highly vulnerable to network-based attacks.
The same types of vulnerabilities that hackers used in webcams and peripherals to build the Mirai botnet responsible for October’s attack will almost inevitably exist in first-generation software for self-driving cars. Not because we haven’t learned from our mistakes, but because it’s nearly impossible to anticipate every possible attack vector.
Car makers know this, and you can bet no shortage of security testing will go into early self-driving systems before they are made available to the public, but that won’t stop hackers from trying.
To be prepared when they do, groups like the Cyber Statecraft Initiative for the Atlantic Council are working to point out security flaws and potential attack vectors in early self-driving models. It’s a practice commonly called “white-hat” hacking.
With tensions already running high, you’ll be glad to hear this is one example where competition hasn’t gotten in the way of performance. Manufacturers have already begun to share data about where they’re finding actionable threats through a program endorsed by the National Highway Transport Safety Administration (NHTSA).
The Automotive Information Sharing and Analysis Center (Auto-ISAC), is at the forefront of information sharing efforts designed to mitigate the risks of automotive hacks, and even they admit it’s not realistic to imagine a future vehicle with zero risk from cyber-attack.
The caveat for carmakers, then, is designing some type of response system. Currently, if you want to update the software for your car, you have to take it back to the dealership. That won’t suffice in a world where a zero-hour exploit could render highways unusable in a matter of minutes. There must be a more efficient way to distribute countermeasures when vulnerabilities are discovered.
As one of the most crucial systems for the proper function of self-driving cars, your vehicle’s onboard GPS suite represents both the largest risk for cyber-attacks and a potential weapon to fight back in the battle for control of your ride.
Your car already records vast quantities of data about your location and speed through its GPS system. Researchers aiming to stave off the danger posed by renegade hacked cars believe the best way to identify a possible hack is to monitor this information for erratic driving behavior.
After all, high-speed chases should be a thing of the past in the era of self-driving cars. If surveillance catches your vehicle beelining it through a residential zone, they could hypothetically use preventative measures baked into the car’s software to shut it down. If the authorities have their way, self-driving cars could ring in a new era of police surveillance on the streets.
But police power to shut down a renegade vehicle won’t prevent all forms of attack. Even if the authorities can shut a car down, imagine the repercussions of doing so on a crowded street. Keeping up with the efforts of cybercriminals will be a full-time job for the foreseeable future once we transition to this new means of transport.
Already, groups of researchers have built out hacks to show how vulnerable existing cars are using the example of Chrysler’s Jeep Cherokee. White hat groups have managed to hack into and exploit just about every system present in modern cars, including the air conditioning, infotainment, windshield wipers and even your engine and transmission. Experts on the subject, such as software engineer Stan Hanks, have expressed that this is a very real concern.
In a more recent competition, teams of security researchers were pitted against real-world scenarios designed to mimic the events of an automaker revealing new models to the public. The winners even got to take a test drive some of Audi’s latest new sheet metal, the sporty RS Q3 performance crossover.
Part of the challenge in protecting against threats in a real-world scenario like this is that not every attack vector exists within the car itself. The average driver these days carries at least a smartphone or tablet around and probably a laptop as well. Each of these devices possess the wireless technology to interface with the car, and many do on a regular basis. Each of those are avenues for hackers to exploit.
Making Sure You’re Not a Victim
If insecurity is the coin of the realm in the car of tomorrow, how can someone stay secure? It’s a good question, considering that phasing-in self-driving technology in its entirety involves all drivers handing control over to the car.
One potential technique is to allow systems to develop. Just like any new feature in a car, the early attempts probably won’t be that good. But while drivers must go all-in for self-driving to work, not all drivers will have such a feature at the same time. Hold out on ditching that “manual” car for a bit, and when you do let it go, you might pick up a more secure model than what’s available right out the gate.