Collision course: autonomous vehicles will be more vulnerable to cyberattack

Sprawling lines of code will give hackers more room for manoeuvre

The more wifi hotspots and Bluetooth interfaces, the more open cars are to a malicious attack and takeover
The more wifi hotspots and Bluetooth interfaces, the more open cars are to a malicious attack and takeover

We have been warned, repeatedly, over the past few years about the vulnerabilities that new vehicle technology brings to our cars. The more wifi hotspots, the more Bluetooth interfaces, the more open our cars are to a malicious attack and takeover.

That threat is set to increase as cars move closer and closer to fully autonomous driving. This is partly because cars will have to communicate more – signals will have to be sent to and from your car to other cars, to road traffic monitoring systems and more.

Partly, though, it’s simply because of the enormous amount of coding that will be necessary to run all of the complex systems a fully robotic car will need. Every move or electronic twitch that a computer makes is determined by its code, and the trillions of lines of code that will be needed for a self-driving car will make for what experts call a larger attack surface. Simply put, the more code there is, the more room for gaps, for mistakes, for openings.

Those openings have cracked a little wider recently with news that a group of Chinese “White Hat” hackers (so-called because they break systems only to report the flaws they have found so that fixes can be applied) have broken, remotely, into a Tesla Model S.

READ MORE

Keen Security Lab senior researchers Sen Nie, Ling Liu and Wen Lu, along with director Samuel Lv claim they broke into the systems of Tesla Model S P85D and 75D models and that their techniques would work on any current Tesla car.

Based in Shanghai, the team was able to access the controls for lights, mirrors and more worryingly the braking system, causing the car to brake hard despite being 20km away at the time. The group has not released it specific techniques and has instead reported privately on the matter to Tesla.

A Tesla spokesman told science news site the Register that "within just 10 days of receiving this report, Tesla had already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.

Vulnerabilities

“We engaged with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.”

Not everyone is as convinced that this is as good a solution as Tesla seems to think.

Brian Spector, chief executive at internet security firm Miracl, told The Irish Times "these hacks demonstrate the serious problems around identity verification in today's connected cars.

Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today.

“Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.

“Given the huge number of components in connected cars, hackers usually find a pathway by following a ‘weakest link’ scenario which attacks the easiest point of entry to the vehicle. This problem is compounded by the array of parts that comprise a vehicle, and the lack of a security protocol that ensures they will all work together safely and securely.”

He said the current security checks “often fail because they rely on slow, centralised identity verification services”.

The challenge is big enough that it is even seeing some who have worked for established automotive giants jump ship to smaller tech firms in an effort to stay one step ahead of the hackers.

One such is Michael Müller, president of EMEA at Argus – a cybersecurity company that is making a name for itself in the automotive world. Müller is a former managing director of Mercedes-Benz Technology Consulting and a former head of strategy and process management at Mercedes-Benz Cars Development.

According to him: “Connected cars of today and tomorrow require multilayered, end-to-end cybersecurity solutions that ensure safety and privacy.”

Privacy

Privacy is as much at stake as safety. Robert Hartwig is president of the Insurance Information Institute in the United States and he recently told the Guardian: "This is America, and if you have a breach of personal data, you are absolutely positively going to be sued. The legal fees and settlement costs will be more than the cost of the attack."

The danger of hacking, both to life and to finances, has woken politicians up to the danger. US lawmakers have urged the national highway traffic safety authority to take the car industry to task over the potential for malicious attack, with Republican congressman Fred Upton saying it represents "a growing risk to the safety and security of passengers".

Autonomous and robot car technology has been designed, primarily, to reduce accidents and collisions. Quite what happens when autonomous tech and malicious hacking collide remains to be seen.