Published: December 01, 2015
New cars carry more interlinked computing systems than a typical small business. Buried under hoods and behind touchscreen control panels, microprocessors run by millions of lines of code operate an array of crucial functions, from brakes and steering to headlights and horns. Automakers are constantly adding more features, processors and software.
This new era in the evolution of motorized transport seems like a win-win situation for all. Most consumers embrace the technologies, and automakers welcome the bigger profit margins that teched-out cars provide.
But the cyber-security experts fear that this increasing use of technology is also a big threat to people’s lives. Like all other computer-linked system, the autonomous or semi-autonomous car system can also be hacked, and in this case the risk to the life of the driver and other passengers increases manifolds.
The electronification of vehicles has accelerated in recent years into a break-point in automotive history. Every year the latest models feature a new convenience-related personal technology features, like smartphone connectivity, or safety-critical computing functions, such as auto-braking to void rear-end collisions. But with the cutting edge technology comes serious safety issues. This is putting automakers smack in the middle of a cybersecurity business with an ever steepening learning curve.
“The automakers haven’t fully prepared themselves for this problem, and when organizations don’t have a background on security, they make certain assumptions that can compromise security,” said Rich Mogull, analyst and CEO with Phoenix-based Securosis, a security research firm.
Wired magazine published a widely read story showing how a Jeep Cherokee’s critical control functions could be hacked to take control of brakes, steering wheel and engine shutoff. Noted white-hat hackers Charlie Miller and Chris Valasek exhibited an alarming ability to remotely control safety-critical functions of the Jeep from miles away, using little more than an Android smartphone, a laptop, and months of research into the vehicle’s digital guts. The hackers used their coding expertise to drill through the infotainment system to reach the electronics that control the brakes, steering wheel and engine power. From there they remotely interfered with the moving vehicle driven by cybersecurity journalist Andy Greenberg. This wasn’t the first time Miller and Valasek have shown off this alarming feat: they did similar hacks to systems on a Ford Escape SUV and a Toyota Prius hybrid.
The University of Virginia began researching and developing ways to counter cyber attacks on autonomous vehicles in 2010. Its work is ongoing. The university’s research has opened the door to private partnerships and commercialization.
The test also addressed some of the concerns raised by Sen. Edward Markey, D-Mass., in a February report titled, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.”
The study identifies several vulnerabilities in cars with wireless technology including the inability of auto manufacturers to monitor previous hacking incidents, a lack of security procedures to prevent cyber attacks and compromised privacy due to data collection.
The attacker can plan to destroy the cyber circuit and enter the system by many methods. A motivated attacker can realise these threats by identifying and exploiting attacks via a number of ‘entry points’. Examples include wireless interfaces such as cellular, Bluetooth and keyless entry systems, wired connections such as the OBD-II diagnostic port, sensors and attacks on the electronic control units themselves.
Hugh Boyes, cyber security lead at the IET (Institute of Engineering and Technology) , said the reliability and security of software used in driverless cars will be a major issue for manufacturers and insurers. He said: “If the hacker community could start to target vehicles we can imagine a fair amount of chaos.
“The motor industry is really strong on safety but if someone tries to interfere with the vehicle, tries to hack it and disrupt it, then these don’t fall under the typical safety issues.
“Unfortunately living in the world today people do try to tamper with technology. The industry is only just starting to recognise this.”
He also said that software would have to be reliable and bug free. “Recent reports analysing software show that 98% of applications have serious defects and in many cases there were 10-15 defects per application,” he said.
“If ultimately you want to use autonomous vehicles, we need to make sure they don’t have a defect.”
In spite of these hacking threats the technology is quite enticing and people are ready to embrace them. Experts also believe that if the hacking threat is eliminated, the autonomous car technology would be very beneficial for all drivers and car owners and it would also make roads safer. There are ways in which hacking could be prevented.
Charlie Miller says one important way to secure vehicle data, is to simply put some of it in the cloud so that that cars themselves are “dumber not smarter.” This would prevent hackers form targeting individual vehicle to access sensitive data, because the data would be stored remotely and access through a system used by major tech commonages to secure their cloud-storage services. “The easiest way for an auto manufacturer to fulfill requirements of car data security is to never store any data in the car and never let the car be the decision maker about external commands,” he said.
A practical way of protecting certain critically important in-car computing tasks is to sequester networks by ensuring there’s no way for a hacker to bridge from the infotainment system (which is the most vulnerable access point because it’s connected wirelessly) to burrow into a car’s safety critical microprocessors. In security circles the term is known as creating “air gaps” — no wires or wireless connectivity between a critical system and one that can be hacked remotely for back-door entry.
“The safest way to resolve this issue is to isolate control systems, separating life-and-safety systems from convenience systems,” said Mogull at Securosis. “You need extensive compartmentalization around safety systems, and this get very complicate when people want cars that park themselves.”
Steve Hultquist, a cybersecurity expert at RedSeal security analytics company, says another way to boost cybersecurity is by forcing systems to check with a human before performing certain tasks. He compared it to situations where computer users have to give permission to IT specialists to access their computers remotely.
“If the functions are not air-gapped, then it’s clear that special access approaches, including what the technology industry would term multi-factor authentication, must be used,” he said. “These methods would likely include approval by the vehicle operator before the vehicle would allow access.”
To protect safety-critical vehicle functions from hackers, security experts say automakers simply need to ensure that every single computer operated device in a car uses the same complex software encryption and authentication deployed to process mobile payments. There should also be a strict security monitoring and alert system when there is a network breach.
That shows all is not that fearsome about the autonomous car technology. Some safety measures and it becomes desirable at the same level.
By Kriti Ranjan