Collision course: autonomous vehicles will be more vulnerable to cyberattack

Sprawling lines of code will give hackers more room for manoeuvre

The more wifi hotspots and Bluetooth interfaces, the more open cars are to a malicious attack and takeover

The more wifi hotspots and Bluetooth interfaces, the more open cars are to a malicious attack and takeover

 

We have been warned, repeatedly, over the past few years about the vulnerabilities that new vehicle technology brings to our cars. The more wifi hotspots, the more Bluetooth interfaces, the more open our cars are to a malicious attack and takeover.

That threat is set to increase as cars move closer and closer to fully autonomous driving. This is partly because cars will have to communicate more – signals will have to be sent to and from your car to other cars, to road traffic monitoring systems and more.

Partly, though, it’s simply because of the enormous amount of coding that will be necessary to run all of the complex systems a fully robotic car will need. Every move or electronic twitch that a computer makes is determined by its code, and the trillions of lines of code that will be needed for a self-driving car will make for what experts call a larger attack surface. Simply put, the more code there is, the more room for gaps, for mistakes, for openings.

Those openings have cracked a little wider recently with news that a group of Chinese “White Hat” hackers (so-called because they break systems only to report the flaws they have found so that fixes can be applied) have broken, remotely, into a Tesla Model S.

Keen Security Lab senior researchers Sen Nie, Ling Liu and Wen Lu, along with director Samuel Lv claim they broke into the systems of Tesla Model S P85D and 75D models and that their techniques would work on any current Tesla car.

Based in Shanghai, the team was able to access the controls for lights, mirrors and more worryingly the braking system, causing the car to brake hard despite being 20km away at the time. The group has not released it specific techniques and has instead reported privately on the matter to Tesla.

A Tesla spokesman told science news site the Register that “within just 10 days of receiving this report, Tesla had already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.

Vulnerabilities

“We engaged with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.”

Not everyone is as convinced that this is as good a solution as Tesla seems to think.

Brian Spector, chief executive at internet security firm Miracl, told The Irish Times “these hacks demonstrate the serious problems around identity verification in today’s connected cars.

Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today.

“Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.

“Given the huge number of components in connected cars, hackers usually find a pathway by following a ‘weakest link’ scenario which attacks the easiest point of entry to the vehicle. This problem is compounded by the array of parts that comprise a vehicle, and the lack of a security protocol that ensures they will all work together safely and securely.”

He said the current security checks “often fail because they rely on slow, centralised identity verification services”.

The challenge is big enough that it is even seeing some who have worked for established automotive giants jump ship to smaller tech firms in an effort to stay one step ahead of the hackers.

One such is Michael Müller, president of EMEA at Argus – a cybersecurity company that is making a name for itself in the automotive world. Müller is a former managing director of Mercedes-Benz Technology Consulting and a former head of strategy and process management at Mercedes-Benz Cars Development.

According to him: “Connected cars of today and tomorrow require multilayered, end-to-end cybersecurity solutions that ensure safety and privacy.”

Privacy

Privacy is as much at stake as safety. Robert Hartwig is president of the Insurance Information Institute in the United States and he recently told the Guardian: “This is America, and if you have a breach of personal data, you are absolutely positively going to be sued. The legal fees and settlement costs will be more than the cost of the attack.”

The danger of hacking, both to life and to finances, has woken politicians up to the danger. US lawmakers have urged the national highway traffic safety authority to take the car industry to task over the potential for malicious attack, with Republican congressman Fred Upton saying it represents “a growing risk to the safety and security of passengers”.

Autonomous and robot car technology has been designed, primarily, to reduce accidents and collisions. Quite what happens when autonomous tech and malicious hacking collide remains to be seen.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.