Why automated driving safety needs hackers more than ever
Since the appearance of connected driving, cars have become increasingly vulnerable to hacker attacks. But while most drivers might view the potential threat of car hackers obviously as a curse, automated driving without "hackers" would be even more harmful.
This article is based on the guest contribution from Xu Hui on our Chinese site 2025AD.cn
Many people may not know that the term "hacker" originally had a positive connotation, referring to the elites of the computer field who try their utmost to make the best use of computer programs. However, with the flourishing of the Internet, people who have suffered from virus attacks or disclosure of their confidential information have gradually started to think of "hackers" as a group of people that are synonymous to injurious insects. The vigorous propaganda propelled by work of cinematography and literary fiction has created the impression that a hacker's behavior consists mostly of damage and attack. The movie „The Fast and the Furious 8," serves as a good example: It depicts a scene with thousands of driverless automobiles remotely controlled by hackers, that suddenly transform into weapons of mass destruction. This powerful image suggests to the audience that vehicles with automated navigation features are inherently dangerous, and that the lives of drivers and passengers can easily be controlled by hackers.
Throughout the past hundred years of automobile development history, from the original purely physical transmission to a more automated auxiliary mechanism, automobiles have developed at a steady pace, step by step. From the Stone Age of the Internet (before 1994) to the time before the advent of automated driving and car networking, almost all automobile manufacturers believed that they need not be concerned with hackers, for a very simple reason: No matter how skillful they were and even if they knew the intricacies of the CAN bus, they could not touch the in-vehicle circuitry, because it used to operate in a closed-loop state. Simply put: Unless you were physically present in the vehicle, there was nothing you could do to control it, even if you managed to physically access the OBD interface.
Automated driving: new gateways for hackers
No wonder movies would always show vehicles only being manipulated by cutting brake cables, pulling out oil tubes and so on. The advent of the remote key truly exposed vehicles for the first time to a wireless environment; however, the risk was limited to property damage, not as severe as a threat to life. Nowadays, the rapid development of the Internet of Things, car networking and automatic driving requires a data transmission network. This led to the development of the CAN network bus, an interface with a design almost as unsecure as leaving the back door to your home unlocked. The inexpensive ELM327 Bluetooth OBD II interface was not originally desired for usage by car manufacturers, however nowadays it can be seen everywhere, which shows the sense of helplessness of manufacturers regarding the popularity of such products. (Editor’s note: However, due to developments in the AUTOSAR standard, first steps are done to secure the CAN bus communication through the SecOC feature in AUTOSAR). Once we reach the stage of automated driving, remote control of the electronic throttle, electronic brake and electronic steering alone can cause tragedies (or to quote a classic hacker phrase: "As long as there is network access, I can control everything.")
When thinking of hackers, we usually envision computer criminals; however, in China the terminology itself was adapted from foreign languages, and the nature of a hacker (good or bad) is not determined by the term itself. As a veteran Internet user who surfed the Internet using a 28.8K modem in 1994, similar to most other early users, and as a veteran reporter who has been reporting on the Internet from early on, I am something of an expert in the offense and defense of hackers and the use of tricky technology on the Internet.
Black Hat vs. White Hat: “a smokeless war”
The attack and defense of automated driving technology nowadays bears resemblance to what in that context would be called a war between Black Hat and White Hat users. Black Hat users carry out attacks in a hostile manner and sell security information and relevant technologies gained through the attack to other criminals. White Hat users on the other hand maintain the security of system they have breached, as well as block on-board network vulnerabilities and continuously patch and perfect the system with technology. Black Hats are easy to identify, but White Hats – and Grey Hats, who wander between White Hat and Black Hat activity – are difficult to distinguish. White Hats interact with manufacturers through cooperation, detection, upgrades and the blocking of vulnerabilities as commissioned by the manufacturer before the product is ultimately released. Grey Hats detect vulnerabilities all by themselves, although they can get rewards by reporting those vulnerabilities to manufacturers.
This "smokeless war" has been on-going over the past several years. One famous example is the ConnectedDrive Service vulnerability submitted to BMW in Germany by White Hat security researcher Benjamin Kunz Mejri in his Vulnerability Laboratory. ConnectedDrive was the "connected driving" service developed by BMW in conjunction with Google in 2006. In February 2015, the German automobile club ADAC (18 million members in Germany) reported that about 2.2 million automobiles equipped with BMW Connected Drive and using EDGE for access – including the Rolls-Royce Phantom, MINI hatchback, i3 electric car and some products of the BMW brand – had security vulnerabilities in their digital services. Technicians could take advantage of such vulnerabilities by remotely opening the car door. Soon afterwards, BMW announced that they had upgraded the digital system and thereby solved this security problem. Another case, making even bigger waves, was the “Jeep hack” in 2015.
Is the CIA able to remotely control cars?
Chinese White Hats are admired around the world. The Qihoo 360 vehicle safety laboratory led by Liu Jianhao gained fame in 2016 for having the first White Hats in the world to find Tesla security vulnerabilities. The automated driving security vulnerability was recognized and acknowledged by Tesla; and for this achievement the Qihoo360 Skygo Team was selected, as once before, for the "Tesla Security Researcher Hall of Fame".
As for true Black Hat hackers, you shouldn't think they only exist in Hollywood movies. On June 18, 2013, American journalist Michael Hastings accidentally crashed his vehicle into a tree on a Los Angeles highway. As disclosed by Wikileaks, Hastings car was suspected to be controlled by the CIA Hacker Tool “Library Vault 7”. The related data released by Wikileaks includes evidence sparking assumptions that the CIA had the ability to control vehicles remotely through certain tools.
Car hacking: a game of thrones?
Every year, Black Hat hackers from all over the world assemble in Las Vegas. The 20th “World Black Hat conference” was held in the last ten days of July 2017 in Las Vegas, USA, along with the DEF CON hacker secret party. International hacker teams make presentations and show their latest hack results and cases, as well as various intrusion methods, such as
- issuing commands from the cloud in order to control vehicles or read information remotely
- controlling vehicles by entering their underlying systems through their infotainment system
- obtaining identity authentication or encryption methods from mobile clients in order to find loopholes, and
- stealing, falsifying or resetting communication content in the process of transmission in order to obtain information or the right to control vehicles.
These shocking presentations show that the interference of hackers in the automobile industry, where automated driving technology is getting more and more advanced, is like a game of thrones, and the technology that is mastered resembles a sword of Damocles dangling over the field of automated driving. The only question of true relevance is who controls this double-edged sword – Black Hat, White Hat or Grey Hat.
The existence of hackers has its justifications. In automated driving technology, hackers play an indispensable role. The attack from Black Hats forces us to find problems, the counterattack from White Hats lets us solve the problems, and the ambiguity of Grey Hats makes up for the careless mistakes of Black Hats and White Hats. Automated driving technology needs to take precautions against users with ulterior motives, while praising and honoring contributions made by conscientious users. In this modern age of automated driving, we can achieve nothing without the help of hackers.