Cyber Security in the Age of Autonomous Vehicles
The age of the driverless car draws ever nearer and the automotive industry is acutely aware of the need for greater connectivity in order to realise the ambitions of fully autonomous vehicles. New cars today are already utilizing connected services and electronically controlled systems are managing various driver assist functions.
With cars featuring millions of lines of code, cyber security is becoming one of the hottest topics in the industry as these computer-based systems require impenetrable protection. Vehicle-to-X communication and the many services that can be provided by connectivity will advance autonomy, but the paradox is that these advances may also create further vulnerabilities in terms of hacking. The situation is further exasperated when we consider autonomous fleets of vehicles, over-the-air updates, personal data stored in vehicles, and various other aspects.
It is becoming more and more evident as the technology for autonomous cars develops, that cyber security is a critical subject which will impact on public trust and acceptance of driverless cars. This is not a new concept by any means and manufacturers, as well as those involved in the supply chain, are treating cyber security with the utmost priority as they embark on the journey towards autonomous vehicles.
The Dangers of Hacking
It’s worth dwelling on the potential problems that hacking poses to connected vehicles, and two such well-known examples include those of a hacked Jeep Cherokee and Tesla’s model X. Security researchers have demonstrated in the last two years that it is possible to not only hack into the systems of connected cars, but also to seize control of vital functions such as braking and steering.
In 2015 researchers Charlie Miller and Chris Valasek demonstrated that they were able to hack a Jeep Cherokee and control the vehicle remotely - an incident which led to the recall of 1.4 million cars by Fiat Chrysler.
In the first instance, Miller and Vasalek attempted to hack into the Jeep’s multimedia system via the car’s WiFi connection. This was not as difficult as one might presume since the car’s WiFi password was automatically generated based upon the time that the head unit was turned on for the first time. Generating a password like this is relatively secure as it is based upon the date and time down to the second, so there are many potential combinations. However, the researchers found that if you know the year and month of manufacture the number of combinations is reduced to 15 million, and working on the assumption that it was first turned on during the day, the number is reduced to 7 million combinations.
This according to the research could be hacked within an hour - if you were able to stay in touch with the vehicle’s WiFi for an hour. Digging deeper, the hackers found that the Cherokee’s password was generated before the time and date was set, thus based on the default time plus the few seconds during which the head unit boots up. That makes the number of combinations very small, and in the case of this research it was January 01, 2013, 00:00:32 GMT.
This hack enabled the researchers to do things like change the radio system, the volume, and even track the car via its GPS navigation system. This was just the start though. Miller and Valasek went with the aim of hacking the car’s CAN Bus - the internal network. The multimedia system is not connected to the CAN Bus, but they found that they could communicate with it via a connected component, the V850 controller. This controller is designed to be able to ‘listen’ to the CAN Bus but not send commands to it. However, the researchers were able to reprogramme it with a firmware update over the car’s WiFi connection. From that point they were able to send commands to the CAN Bus and remotely control the car remotely, including everything from the engine and transmission to the steering wheel and brakes.
Tesla Model X
Earlier in 2017 the Chinese researchers who exposed vulnerabilities in the Model S the previous year, did the same with the Model X. They were able to take control of the vehicle’s brakes remotely, open the trunk and the doors, and take control of the radio.The researchers hacked the vehicle through WiFi and cellular connections using malware, which was sent to the car’s web browser in a series of circuitous computer exploits. Samuel Lv, director of the Keen Security Lab at Chinese tech giant Tencent, confirmed that Tesla were made aware of the research in June and that the firm had fixed the vulnerabilities within two weeks.
Tesla are at the forefront of connectivity in vehicles, which makes them prime targets for hackers, but the company has always welcomed such research to highlight and prevent potential issues. It is also worth stating that any real risk to customers is minimal, and no customers have been affected in either of the instances mentioned above. Indeed, only three groups in the world to date have ever managed to hack cars, including the two here. However, what this kind of research shows is how crucial cyber security will be to autonomous vehicles.
In the UK a new ‘Autonomous and Electric Vehicles’ bill has been introduced this year to create a framework for self-driving vehicle insurance, covering motorists when they are travelling in automated mode as well as when driving. This is part of the UK’s push to be at the forefront of autonomous vehicle research and testing as it aims to embrace the new technology.
Alongside this, the government has issued guidelines for ‘The Key Principles of Cyber Security for Connected and Automated Vehicles’. These have been introduced to ensure that all parties involved in the manufacturing supply chain - from designers and engineers, to retailers and senior level executives - have a consistent set of guidelines which support the industry. They have been created by the Department for Transport (DfT) and the Centre for the Protection of National Infrastructure (CPNI). The eight principles which follow are each broken down further into more detailed sub-principles:
- Principle 1: Organisational security is owned, governed and promoted at board level.
- Principle 2: Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
- Principle 3: Organisations need product aftercare and incident response to ensure systems are secure over their lifetime.
- Principle 4: All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system.
- Principle 5: Systems are designed using a defence-in-depth approach.
- Principle 6: The security of all software is managed throughout its lifetime.
- Principle 7: The storage and transmission of data is secure and can be controlled.
- Principle 8: The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.
Blockchain Solutions for Cybersecurity
One area which is gaining great traction in cyber security is blockchain, and we expect to hear much more about the technology in the coming years. Eventually the aim is to make autonomous cars ‘hack-proof’ and blockchain security may provide the answers.
Many people associate blockchain with the digital currency Bitcoin - this was the first manifestation of blockchain in 2009 - but it can be used in many applications where security of data is important. At a basic level blockchain is a distributed database which maintains an ever-growing list of records that are both protected and tamper-proof. Each valid block is made of time-stamped transactions and linked to a previous block, with the whole forming a chain. This means a distributed network of computers can reach a consensus about the veracity of the data without the need for a central authority. The system uses cryptography and advanced algorithms to verify the security of data and add blocks to the chain, creating a digital public (or private) ledger of transactions shared among the network.
The technology could be a huge breakthrough in terms of connected and autonomous cars, as it enables an environment where all data sent to and from a vehicle can be checked and verified in real-time to confirm integrity.
It’s clear that as the automotive industry moves towards fully autonomous vehicles that cyber security is going to be one of the cornerstones of trust - both digitally within the supply chain and the vehicle itself, and in terms of public trust of driverless cars.
In previous years cyber security may not have been something that was truly understood or taken seriously at board level, so it is interesting to note that the new UK guidelines specifically place ownership at board level within their guiding principles. Cyber security is fast becoming one of the auto industry’s biggest topics, and we expect to see much discussion about blockchain technology in the next few years.