Following the tragic death of a woman in Arizona who was struck by a self-driving Uber in autonomous mode, questions have arisen over the other risks of connected cars. In particular, hacking.
But what are the risks, really? And what needs to be done to minimise them?
In what is believed to be the first fatal collision between a self-driving car and a pedestrian on a public road, an Uber struck and killed a woman in Tempe, Arizona yesterday. The car was in autonomous mode at the time of the incident, according to Tempe Police Department. There was a vehicle operator sitting behind the wheel, but there were no other passengers.</p> <p>In response, Uber has suspended its autonomous vehicle program across the US and Canada. Here is what Australian experts have to say about the incident.Read more
We spoke to Rik Ferguson, VP of Security Research at Trend Micro about what the risks are, and what can be done to prevent vulnerabilities.
As the world changes, so does security. But what has changed, exactly?
“What has shifted, and will continue to shift are the kinds of information we exchange and the ways in which we do so,” Ferguson tells me. “We are no longer talking about simply human to human exchanges, or human to machine but increasingly machine to machine and even ecosystem to ecosystem, particularly in the area of connected transportation.”
Autonomous vehicles and connected transportation systems promise huge benefits, in travel time, safety and environmentally, Ferguson points out – it is the unavoidable evolutionary direction of transport. It is important though that we do not overlook or ignore the inherent risks, instead designing in safeguards and mitigation he emphasises.
It is already possible – with certain makes and models of vehicle – to “hack” a self-driving vehicle.
“For as long as security fails to be a focus area, and vehicles are increasingly connected and interconnected, it will only become more possible,” Ferguson points out warns.
And what security measures are currently in place?
“Beyond simple firewalling, few manufacturers currently have any security in place,” Ferguson points out reveals. “Trend Micro research has shown that the flaws in current vehicle information architecture are so fundamental that only a complete redesign of the CAN bus can stand any realistic long-term chance of changing that.”
“Security systems in current CAN bus architecture are rudimentary at best and easily overcome.”
What is needed now, is for vehicle systems manufacturers to learn from many of the lessons that enterprise security has taught over the years, Ferguson says.
“Network segmentation, making traversal through vehicle systems harder to achieve, encryption, access control and intrusion prevention are all starting points that easily achievable through effective partnerships and the sharing of expertise between established security players and vehicle equipment manufacturers.”
So what can your everyday consumer do to protect themselves in an autonomous vehicle?
“Make sure the seatbelt is fastened,” says Ferguson.
So autonomous vehicles are safer than human controlled vehicles? Absolutely, Ferguson says.
“Autonomous vehicles absolutely offer a safer future, they remove the human from the equation, no more DUI, no more lapses of concentration, no more speeding or poor lane discipline, no more distracted or ‘over-ambitious’ drivers (all leading causes of road accidents) combined with exponentially faster decision-making capability in the event of a crisis.”
“This is why it is imperative that we get security right, now, at the outset.”
As for risks the future holds, Ferguson says criminals will continue to look for avenues to monetise online crime – whether that be through the advent of ransomware for connected cars, locking owners and even technicians out of a vehicle until a ransom is paid, or through information theft and leakage, for resale into the thriving data economy (whether legitimate or underground).
“In a worst case scenario,” Ferguson says, “we could even be looking at hacktivist or terrorist groups taking advantages of software vulnerabilities to weaponise individual or even fleets of vehicles for use in attacks, a future version of the attacks we have unfortunately already seen in London, Nice, Barcelona and New York, among others.”
Ferguson says what we need to combat this is effective partnerships between leading security experts and automotive manufacturers. Putting security first rather than trying to retrofit it into a “pre-cyber” vehicle architecture helps not only to secure vehicles to share the expertise and to address the cyber-skills gap.
“It is also imperative that the wider connected ecosystems are engineered with security at their heart so that anomalous or dangerous behaviour and events can be spotted and isolated,” Ferguson says.
“Information exchange is moving beyond simple V2V (Vehicle to Vehicle and becoming V2X or Vehicle to Everything. This encompasses V2V, V2I (Vehicle to Infrastructure), V2P (Vehicle to Pedestrian), V2D (Vehicle to Device), and V2G (Vehicle to Grid) — and you can expect that list of acronyms to continue expanding.”
So if you’re looking to witch to an autonomous vehicle, Ferguson says one of the one of the things you should consider is the NCAP rating.
“How safe is this vehicle for the occupants in the event of an accident?” is what you should be asking yourself.
“In the future when truly autonomous vehicles are an everyday reality on our roads, I would hope to see concerns about non-physical events and intrusions incorporated in that testing so that consumers have a reliable third-party resource to inform their buying decision.”