Autonomous cars vulnerable to cyber attack

Self-driving cars will be great for commuters. Let technology take the wheel and the morning grind becomes a leisurely ride while you watch the news on your tablet or engage in meaningful Twitterings.

But for some of us the idea of the fully autonomous car raises a lot of red flags.

Google disclosed recently that autonomous cars do crash. During the past six years of research and development, Google has logged a total of 13 crashes involving its self-driving Toyota and Lexus models. Expect more prangs as the company moves development out of controlled driving environments and into real-world traffic.

We had a glimpse of the future in November last year when Audi demonstrated the technological prowess of its autonomous A7 – named Jack – which ran unaided from San Francisco to Las Vegas. But let's be very clear here, Jack is a semi-autonomous vehicle with a human driver ready to take control at any moment.

A fully autonomous vehicle is capable of driving itself without human assistance, and that technology is still decades away.

The race is on amongst Audi, Benz, BMW, Tesla, Cadillac and Volvo to remove you from the driver's seat and replace your ears, eyes and driving skill with sensors, cameras and ultra-quick computers that are far better at controlling a car than the average carbon-based human. Google, Apple and other non-car brands realise the opportunity and may expand their business model beyond software and gadget development and start designing and assembling autonomous cars. If this sounds like a transportation revolution, it certainly is.

Technology introduced into the average car during the next decade will be more than interesting. It will revolutionise how we interact with the car and how cars interact with each other.

Listen to the pundits and fully autonomous cars will be better – ie: safer. You know and maybe you've shouted it within the security of your car, there are idiot drivers on our roads. Besides the idiot factor, let's not forget alcohol, drugs, fatigue, distraction, texting, bad weather, animals, poor roads, speeding. They all contribute to on-road crashes and occupant injuries.

Are we supposed to believe a self-driving autonomous car will delete these risks? Well, yes. According to Morgan Stanley in a research paper published about two years ago, fully autonomous vehicles may give society a huge payback and paycheque. US drivers clock about 75 billion hours yearly so redirecting that time from behind the wheel to more productive tasks is a great business advantage. Global financial savings are estimated at more than USD $5.6 trillion annually.

Crashes could become rare and the road toll in countries such as the US and Australia could drop to a fraction of what they are today.

Talk with others, such as General Motors President Dan Ammann, who has read the Morgan Stanley research paper, and the promises surrounding autonomous vehicles become tempered with realism.

"I think autonomous vehicles will be more complex and more expensive than we anticipate," he said.

There is an interesting and deep downside. We often never see the problems hiding in the shadows of bigger benefits. Autonomous technology is full of what-ifs. What if the car's autonomous driving system suffers a software glitch or gets hacked or simply drops offline? What if the road surface at a high-speed corner is coated with ice or oil? Do we really want to totally trust autonomous technology?

"Everyone thinks technology is cool, but I don't believe we really trust it," says Patrick Ryan, a retired US Air Force officer who was deeply involved in developing the USAF's drone and Unmanned Aerial Vehicle (UAV) programs. "Autonomous control offers a lot of advantages, but I don't believe we'll really trust it."

"Those who say they trust technology; let me ask this: Would you put your kids in an autonomous car and let it drive them to school? That's the question. I know I wouldn't. In time in a few generations maybe we will trust the technology – in 50 years."

"There were times when we were flying a UAV when something would happen, and we'd lose control of it. No one knew why," he said. "It just happened. There are always a number of unknowns."

The greatest risk is perhaps hacking. Think about it; in perhaps 20 years from now with thousands of fully autonomous vehicles on the road, a hacker could create enormous disruption by remotely 'manipulating' a few vehicles during rush hour.

Chris Valasek is vocal about hacking of autonomous vehicles: "I think it was 2013 when I started talking about this, discussing research done in 2012. And we're still doing research on vehicle security."

As Director of Vehicle Security Research at IOActive, an independent consultancy group with clients in the automotive industry, Valasek is very matter of fact.

He points out that the more connected the car becomes the more backend systems we have supporting those vehicles. For fully autonomous vehicles to drive themselves, they need to 'talk' to other cars, to receive information about weather and road conditions as well as interact with your smartphone, voice commands, and GPS inputs. In future, your car may store important personal information such as credit card data or have the ability to access that information via your connected smart phone.  

"Anything that talks to the car is an attack vector. Even the tyre pressure sensors that send a message via radio frequency to the car's computer could be a point of entry into the system for a potential hacker," he says. "An app store, for example, is another possible entry vector." To explain, you download an app onto your phone and then link the phone to your car and that may be how the hacker gains access to your car.

Valasek's work (in collaboration with research partner Charlie Miller) has attracted the attention of Massachusetts Senator Edward Markey, whose office questioned 20 car makers about their security and privacy measures.

The results, claims Markey, are not reassuring. His report states: "An 'overwhelming majority' of modern car makers collect and store driving history information such as the car's physical location, and about half of the companies said they transmit that data to a third party's server. When asked about the security of that transmitted data, six of the companies made ambiguous references to encryption, IT security practices, and protecting personally identifiable information. The rest didn't answer."

Hackers are lured mainly by greed, which is why they target banks for account information, credit card data, Ebay and LinkedIn accounts for personal information, and government payroll records.

"At this point, cars aren't a target because there's no financial gain for a hacker," says Valasek. That will change as we integrate more technology into our cars and share more financial information such as credit card and bank account details with our car via broadband to banks and shops.

The principal aim in hacking autonomous cars is to gain physical/driving control of the car, according to Valasek. And the more our cars become more connected like our smartphones and tablets, the more vulnerable they become.

BMW often claimed its technology is secure, but in January the Allgemeiner Deutscher Automobil-Club (ADAC) found entry through BMW's telematics. The ADAC was able to unlock BMW cars via Connected Drive by mimicking server commands sent to the car. An estimated 2.2 million BMWs were vulnerable. BMW quickly developed a patch and began encrypting communications to cars sent over public cellular networks.

General Motors, with its corporate reputation suffering from massive recalls last year, made a proactive move and appointed its first cyber security chief. Jeffrey Massimilla previously was a GM engineering group manager in charge of the car maker's infotainment systems. GM is now offering 4G LTE high-speed mobile broadband in all 2015 Chevrolet cars and trucks and most Cadillac models with plans to introduce vehicle-to-vehicle connectivity in the 2017 Cadillac CTS. Cadillac is also soon to launch Super Cruise, an automated driving technology allowing extended periods of hands-free driving on highways.

Ford seems to be moving slowly.

"We're aware of the threat of hacking," said Raj Nair, Vice President Advanced Technology at Ford. "It is one thing to hack into a Pandora account, but this is an entirely different thing." He claims Ford is researching the best means of protecting their systems, including strategies such as isolating critical functions – known as siloing.

Most modern vehicles use a CAN-Bus (controller area network) digital system to pass commands from the car's main computer to the engine, transmission, braking system, and other functions. But, the CAN-Bus system is also terrible in terms of security, says Oron Lavi, vice president R&D at Argus Security, an Israeli company specialising in automotive cyber security.

"We don't believe in a single magic security system. We believe in multi-layer protection systems as the best Intrusion Protection System [IPS]."

The car-makers are listening.

"There are no OEMs that say no we don't need this, an IPS," Lavi says. But he's also a realist when he says: "Sometime in the future someone will infiltrate a system and with intent can do some really bad stuff."

He's not envisioning a Hollywood style disaster, but the risks are real as fully autonomous vehicles emerge from R&D into reality.

Ask NVIDIA, TRW, Valeo and Autoliv – supplier companies developing systems and sensors for autonomous controls – if they are also developing an IPS and they aren't. Security seems to be the responsibility of whichever company puts its badge on the bonnet.