Driverless cars at risk of being hacked

A fleet of Uber's Ford Fusion self driving cars are shown during a demonstration of self-driving automotive technology in Pittsburgh, Pennsylvania, US, on Sept 13, 2016.
A fleet of Uber's Ford Fusion self driving cars are shown during a demonstration of self-driving automotive technology in Pittsburgh, Pennsylvania, US, on Sept 13, 2016.PHOTO: REUTERS

Vehicles with electronic set-ups pose a challenge to the cybersecurity industry

DETROIT • Any part of a car that talks to the outside world is a potential opportunity for hackers.

That includes the car's entertainment and navigation systems, preloaded music and mapping apps, tyre-pressure sensors and even older entry points such as a CD drive.

It also includes technologies that are still in the works, such as computer vision systems and technology that will allow vehicles to communicate with one another.

It will be another five to 10 years - or even more - before a truly driverless car, without a steering wheel, hits the market. In the meantime, experts will have to solve problems that the cybersecurity industry still has not quite figured out.

"There's still time for manufacturers to start paying attention, but we need the conversation around security to happen now," said Mr Marc Rogers, principal security researcher at cybersecurity firm CloudFlare.

Their primary challenge will be preventing hackers from getting into the heart of the car's crucial computing system, called a Can (computer area network).

While most carmakers now install gateways between a driver's systems and the car's Can network, repeated hacks of Jeeps and Teslas have shown that, with enough skill and patience, hackers can bypass those gateways.

And the challenge of securing driverless cars gets only messier as carmakers figure out how to design an autonomous car that can safely communicate with other vehicles through so-called V2V, or vehicle-to-vehicle, communication.

The National Highway Traffic Safety Administration in the United States has proposed that V2V equipment be installed in all cars in the future.

But that channel, and all the equipment involved, open many more access points for would-be attackers.

It is not just V2V communication that security experts are concerned about. Some engineers have imagined a future of vehicle-to-infrastructure communication that would allow police officers to automatically enforce safe driving speeds in construction zones, near schools or around accidents.

Given the years-long lag time from car design to production, security researchers are also concerned about the shelf life of software deeply embedded in a car, which may no longer be supported, or patched, by the time the car makes it out of the lot.

In 2014, for example, some curious Tesla Model S owners did some tinkering and claimed to have discovered a customised version of a type of Linux software called Ubuntu.

Ubuntu was first released in October 2010 and has not been supported since December 2014. "In effect, that means the operating system in your car was depreciated before you bought it," Mr Rogers said.

Carmakers also stitch together software from dozens of different suppliers, all of them with different shelf lives and patch cycles.

If carmakers have any chance of keeping cars secure, figuring out a secure way to roll out patches to every car remotely, for different software components, will be a problem that even the software industry itself has not totally figured out.

"The problem is when people buy a car, they think, 'Oh, I'm buying a Toyota', but what they're really buying is parts from 100 suppliers all cobbled together," said Mr Nidhi Kalra, a senior information scientist at Rand.

"Cybersecurity cannot be applied on top of everything else. It needs to be based in the design of the vehicle and embedded throughout the entire supply chain."

Last year, the Department of Transportation announced a 15-point safety standard for the design and development of driverless cars, which included mention of digital security.

But the guidelines were intentionally vague and required only that "the vehicles should be engineered with safeguards to prevent online attacks".

Discussions are ongoing about which government body will ultimately govern the cybersecurity of connected and autonomous cars.

For now, a number of private organisations are hosting discussions among carmakers, identifying and documenting common security threats.

But, as with any technology, Mr Rogers said: "We won't be able to shut people out forever."


A version of this article appeared in the print edition of The Straits Times on June 10, 2017, with the headline 'Driverless cars at risk of being hacked'. Print Edition | Subscribe