Cybersecurity and self-driving vehicles: How are they connected?
By Jori Hamilton December 18, 2019
The true measure of 21st-century technology is not in its cool design, level of innovation, or the myriad of features it provides. Instead, consumers want to know if the device they invest their time and money in delivers wireless connectivity.
Artificial intelligence, machine learning, IoT, cloud-based platforms, and smart devices have all driven developers to think beyond the machine and focus more on its mobility. While connectivity ushers in a level of sophistication, it also provides the catalyst for one of the greatest threats to the modern world – cyberattacks.
As autonomous vehicles (AV) prepare to flood the market over the next five to 10 years, the biggest area of concern that manufacturers must work out is vehicle safety. The second is vehicle security. Only this time, the concerns come from the hacker inside the vehicle, not the thief outside. With the onslaught of cyberattacks that stack up each year, will the security and privacy of drivers be compromised on the road?
Who has control of your vehicle?
That’s exactly what happened to tech journalist Andy Greenberg while he was driving a Jeep Cherokee at 70 mph near downtown St. Louis. As he was cruising along in his Jeep, the AC blasted out of the vents, the radio switched the channel, the wipers turned on, the transmission cut out, the accelerator failed, and the vehicle slowed down. All of this occurred within minutes.
Regardless of Greenberg’s attempt at taking back control of the vehicle, he was rendered powerless by two hackers who had performed an act of digital mutiny on the Jeep’s self-driving system. Thankfully, the hack was an experiment, and the perpetrators were in on it. Greenberg has performed numerous hack experiments on vehicles before and since, many with the same frightful conclusion: It takes little effort for hackers to breach an AV’s system.
Since autonomous vehicles are reliant on software and connectivity, they are vulnerable to the simplest of hacks. Automated technology is still in its infancy. Therefore, there is not enough data to quantify the impact of large-scale hacks. What is clear is that the potential for vehicular breaches could slow the growth of the AV market and fuel further skepticism that is already present in over 70 percent of consumers.
Can manufacturers keep up?
The cat-and-mouse dynamic between cybersecurity experts and hackers has plagued the digital security industry for years. So, it stands to reason that AV hacks could become commonplace with AVs and self-driving trucks. These hacks could both endanger drivers while operating a vehicle and compromise their personal information. How are manufacturers currently responding to imminent threats? Right now, it’s unclear.
Tesla’s latest efforts to counter cyber threats in its models are more or less in the experimental phase. The leading producer of EVs pays top dollar, through incentive programs such as the Pwn2Own contest, to anyone who can hack its cars’ AV system.
Fiat Chrysler offers similar incentives to hackers through its Bug Bounty Program. Launched in 2016, the program pays $1,500 per hack. This open invitation for third-party penetration testing may seem counterintuitive. However, it allows automakers to identify, analyze, and correct vulnerabilities in their systems.
Outside of testing and analysis, car companies are still very much in the early stages of assessing how secure their systems are. Part of this is due to the insufficient number of cars on the road. In addition, the technology is still very much in the beta phase. As a result, there are no real-world examples of tested models on the road.
Auto and cybersecurity partnerships
Back in October, the Automotive Information Sharing & Analysis Center (ISAC) held its annual Auto-ISAC Summit to facilitate sharing and collaboration on automotive cybersecurity. The summit addresses a range of issues such as in-vehicle connectivity, vehicle ecosystem, regulation and standards, and education. The event is part of ISAC’s ongoing efforts to promote partnerships between auto manufacturers and cybersecurity companies.
Established in 2015, ISAC’s members include some of the world’s leading automakers, including Volvo, Fiat Chrysler, Mitsubishi, Toyota, Mazda, BMW, Ford, Hyundai, Kia, GM, and Mercedes. It has also enlisted many of the top cybersecurity developers and companies around the world. By working together, organizations can create a global initiative to prevent in-vehicle cyber threats and make cars more secure.
ISAC’s initiative includes an ever-evolving plan for identifying key cybersecurity functions and implementing the best cybersecurity practices industry-wide. Areas of concern include security design, risk assessment, threat detection, incident response, governance, and awareness/education.
AV security legislation still up in the air
While everyone agrees that federal legislation would provide a clear path for AV safety, lawmakers are still clueless as to precisely what it is they are legislating. Current federal law prohibits deployment of AVs without driver controls or overrides. However, nearly every major bill that has been presented on Capitol Hill since 2017 (Self Drive Act, AV START Act) has stalled out.
As it stands, 37 states have enacted some form of legislation regarding autonomous vehicles. Of the 37 states, 13 have authorized research and funding for AVs. Eleven states have authorized full deployment. Twelve states have authorized deployment or testing without a human operator.
Currently, there is zero regulation regarding AV cybersecurity. Until legislators have a better understanding of the technology and security threats facing autonomous vehicles, bipartisan efforts to enact cybersecurity laws will drag on.
Until then, the concern for in-vehicle cyber threats continues to grow. Both the National Highway Traffic Safety Administration (NHTSA) and the Department of Transportation (DOT) are putting steps into place to adopt regulation around autonomous vehicles. Furthermore, auto manufacturers and cybersecurity agencies will continue to make strides toward building a more secure car. In the meantime, consumer confidence in autonomous vehicles continues to be an uphill climb.