Hack attack: Will driverless cars be safe from cyber-attacks?
Technology and Business
The threat of hacking has grown exponentially as our world has become increasingly connected – a recent study found that, on average, a computer with internet access is attacked every 39 seconds. The fusion of internet-connected devices and our cars has therefore raised concern among many, and autonomous vehicles (AVs) which rely on wireless connections are often perceived as particularly vulnerable to attack.
We know that car hacking is not some far off threat but has already been done. In 2014 Charlie Miller and Chris Valasek made headlines when they hacked into a Jeep Cherokee and showed how they could take control of the car remotely. More recently, at a hacking contest in the US, Amat Cama and Richard Zhu used the Tesla Model 3 infotainment system as an ‘attack surface’ through which to take control of the car.
It seems that hacking will always pose a threat to automotive tech, but is it something we should be worried about? Is there a way to protect AVs from cybersecurity threats? We went to an expert ‘white hat’ hacker – also known as ethical hackers who test, rather than exploit, systems – to gain more insight into the world of hacking, and the impact it will have on our driverless future. Robert Leale, founder of the Car Hacking Village at Defcon, agreed to answer a few of our questions.
Will the cybersecurity threat to AVs grow as they become more complex?
The threat is similar to those of modern vehicles. Many are susceptible to ‘CAN Injection’ attacks, but most of these attacks require direct physical access to the vehicle network. This is, in some ways, easier when we think of fully autonomous vehicles that are used for ride-share applications.
In these applications, an implanted device could go undetected as a user may have unfettered access to the vehicle's network or other in-vehicle networks. So physical security is paramount. Many companies are considering adding Intrusion Detection Systems (IDS) to their vehicle networks to combat this. This a new concept in automotive, but has been around for decades in corporate computer networks.
In many ways, the complexity of driverless systems helps their security posture. The complexity makes each vehicle very unique from one to the next. This complexity de-incentivises attackers as creating an attack for one system doesn’t give you a large pool of vehicles which is useful for Ransomware-style attacks. However, targeted attacks are always possible.
How would you go about hacking into a driverless vehicle? Are there more opportunities to hack into a car with complex digital systems?
Hacking involves a lot of research. The first step is finding as much public documentation as possible, then getting access to a vehicle, and finally spending as much time poking at the vehicle's interfaces as possible.
However, we have to look at this from a return on investment (ROI) standpoint too. If my costs to buy or acquire the vehicle and spend a week or two with it were high, then I might not have reason to simply use this exploit for fun, but may have motivation to hold onto it. But if I wait too long a fix for the exploit may be available, thus negating my time and effort. As an attacker, I might not want to spend too much time trying to find an exploit only to have this exploit patched a week after I found it myself. Or, if I want, I can simply submit the bug to the manufacturer and receive the bounty.
In short, manufacturers are much more aware now of how these systems can be exploited and they understand best practices on how to work with the community to help them fix their issues.
How long would it take to hack a driverless vehicle?
Likely a long time for the research phase. It would require multiple people and a clear definition of the goals. There is the hacker whose goal might be to disable the system until a ransom is paid. This person would likely be defeated by over-the-air updates and up-to-date software running on the vehicle.
There is the hacker who hopes to understand how the system functions in order to reverse engineer it. They would likely only affect their own vehicle, not others. Then there is the hacker who might want to deny service on a fleet of vehicles with the goal of shorting the car company's stock. This attacker would likely need access to a command and control server inside the OEM’s IT infrastructure, so would need access to login credentials and perhaps physical access to the server. Each of the scenarios would take many people with multiple backgrounds all working together to achieve a challenging goal. Not impossible, but very challenging.
Hacking is perceived to be a big threat to the industry – there are plenty of people whose vision of a driverless future includes their cars being taken off course under someone else’s control. Is that realistic?
It would be very challenging. It would likely take a small group of people to attack driverless vehicles. That's not to say that these groups don't exist, but their motivation has not yet aligned. When it does, I anticipate that, likely state-sponsored, groups may have a go at hacking driverless vehicles and at first they will likely succeed in shutting down vehicles and preventing them starting. But when they do, the reaction by the industry will be swift, making future attacks much more challenging.
I believe there are a lot of manufacturers and suppliers working towards securing their systems and we'll see them continue. However, it is likely that the automotive cybersecurity industry is still under-funded, under-appreciated, and under-staffed, and until such an attack takes place, it’s difficult to see that changing.
Where there is new and developing technology, there will always be new threats to security. Working with experts in the field and developing a community which constantly supports fixes to any flaws in their systems will be vital to manufacturers. As long as OEMs dedicate time and resource to cybersecurity, by the time we see driverless cars of above level three become the norm, hacking into their systems should be too tough for most.
Do you think hacking poses a major threat to autonomous vehicles? Would you feel safe from this type of interference when riding in one? We’re always eager to hear your thoughts, so share your comments with us below.
Data privacy: "It’s time to treat your car like a smartphone"
Making automation a safe bet
Submit your story
Become part of our autonomous revolution and submit your stories, images and videos
Stay up to speed with our weekly briefing. Enjoy autonomous driving content direct to your inbox