Autonomous cars are terrifying some cybersecurity experts

23 Mar 2016

Driverless cars are on the way, of this we are sure. But, truthfully, how safe are they going to be? We asked some cybersecurity experts and the answers were pretty worrying.

When you hear of connected cars, what do you think? If it’s all iOS, with your iTunes synced up to the car stereo, your calendar synced with the hands-free kit, Siri telling you where and when you have to be somewhere, you’re not a million miles off.

For a fully autonomous car, do you think of sitting back, enjoying a gin & tonic while your ultimate, encasing wearable ferries you from A to B? Again, in theory, you’re not a million miles off.

But, it’s important to be aware of one key element that each of these future-leaning concepts enjoys, which is that they are both essentially a new dawn of travelling data centres.

You pop your smartphone into your dashboard docking station, syncing up your entirely Android interactive elements – we’ve switched from iPhone to Galaxy, just like that – and it’s dragging up data from everywhere as you move.

Connected autonomous car

Syncing up your car with your smartphone, via Shutterstock

Roving treasure troves

Location data? Check. Time? Check. Habits? Check. Making it to your meeting on time? Check. Knowing where you were when you missed your meeting? Check. Who are you contacting when commuting? Check. What items you were browsing for during your commute? Check.

Basically, the lifeblood behind companies like Google, all in one self-contained, compatible cube of metal, doing 60km/h down the Coast Road.

‘We shouldn’t have to learn how to do all of this again. We shouldn’t kill people, literally, just to learn’

With greater connectivity, digital transformation and willingness from service providers, you could end up paying your car tax per mile, rather than per year. Your insurance could be tailored to you, specifically. People waiting for you at a venue could be told exactly how long you will be. So much hassle erased from our lives. So much control, too.

“Who owns all this data?” asked Tadej Vodopivec, information security manager at Comtrade. “Will insurance companies charge me more for aggressive driving? One can only be compensated for his defensive driving if others are penalised for aggressive driving. The system will only work if everybody is involved in it.”

Just like that, we’re in

Autonomous vehicles are currently being researched with LIDAR systems, which will help them navigate around streets, avoid obstacles and, in theory, be safe.

However, as a research fellow at University College of Cork proved last year, it’s quite easy for a modestly-talented hacker to compromise this safety to such a degree that the car panics and shuts down.

This is a risk we will have to accept as technology heads down a new transport route, claims Vodopivec. Much like a human’s control of a car can be influenced, so too can technology.

“We can talk about business intelligence on this data but, at the end, the problem is when the device is on the user car,” he said, noting external influences as nothing new, despite techniques being different.

“Users are the first problem, then come external influences: someone from outside puzzling LIDAR, someone taking remote control of a Cherokee Jeep. These will have to be addressed somehow.”

Threat modelling is Vodopivec’s suggestion, something pretty much every cybersecurity expert does for any new piece of software, patch, solution, whatever you want to call it.

Calling it “an iterative process”, getting to the level of a mature ecosystem is how Vodopivec best sees a safe route through the impending cybersecurity nightmare. However, this takes time, and it doesn’t look like time is necessarily on everyone’s side.

Google and Apple are racing to get their first models out onto the road, while more traditional car makers are fighting against this new tide, attempting to do something similar themselves. They’re trying to develop these things as fast as they can, but speed kills.

Evgeny Chereshnev (right), global vice president at Kaspersky Lab, is no fan of autonomous cars

Evgeny Chereshnev (right), global vice president at Kaspersky Lab, is no fan of autonomous cars. Photo: Connor McKenna

No room for chancers

One suggestion is to look at other models in society that are streets ahead in terms of digital transformation of services, and technological pioneering of actual devices.

Evgeny Chereshnev, global vice president at Kaspersky Lab, thinks the immense processing power we have available means modelling the risks in these data centres on wheels is an absolute must.

Chereshnev said he thinks “it’s the will we are missing, not the processing power”, lamenting how a growing number of companies have thought of entering the cybersecurity field with little or no experience, something that greatly concerns him.

At Kaspersky Labs it took “18 years of constant evolution of the mindset” to be able to deal with today’s threats. “You can’t just start with: ‘We’re successful, with strong engineers, we can do it’. I disagree. Arrogance is the main enemy of cybersecurity. People get over-confident. It’s obscene.”

This is something many experts seem to agree on, blow-ins thinking they know the industry, just as it’s exploding with vast multiples of potential threats, neverending devices and an increasingly unaware customer base.

F-Secure’s Mikko Hypponen recently spoke on a similar footing, telling me more and more devices are being built by more and more companies with absolutely no history in security engineering.

“This applies to driverless cars, or cars in general,” he said. “Cars have become data centres on four wheels and the companies building them have not been doing security engineering.”

Plains, trains and then automobiles?

It also applies to things like airplanes, but even the internet of things in general. The selling point of these things, typically, isn’t security. Chereshnev too thinks the evidence is all around us, that the future of driving is reflected in industries already well established.

“In many cities, trains are already completely automated. Maybe we should look this way. Look at what scenarios they were anticipating when this was introduced, what scenarios actually happened, what didn’t.

“We shouldn’t have to learn again. We shouldn’t kill people, literally, just to learn.”

This gets back to the nub of the concern. Automated cars are essentially new devices. Much like the Xperia in your pocket, the FitBit on your wrist, the utterly bizarre smart bottles that tell you when you’re thirsty.

The problem is if customers, and even manufacturers, think of them simply as that then we’re facing a major concern.

“With internet programming we can make mistakes,” said Chereshnev, “Malware gets in? It’s okay, there’s probably no life lost. Every mistake in the automotive industry, though, means real danger, death.

“An autonomous car is perceived as another gadget. But an autonomous car and an iPhone are not the same thing. One is for leisure while the other has an outcome that can affect someone else.”

Autonomous car device

A car designed as a smartphone. Seems legit, right? Via Stanislaw Tokarski/Shutterstock

Everybody need to work together

But how can we add the layers of security needed to keep experts happy? There are options, but many, if not all, require some truly dedicated synchronicity throughout the automotive supply chain.

If software is used, it must be updated. New threats arise, patches are disseminated to counter that, before more threats arise and the cycle continues. If software is embedded in everything from the tyres to the windows, utilised by both the car dealer and the user, patches must be actively supported throughout.

When you look at how Android is designed and disseminated, that can be a worry: one underwriting platform is utilised in freeform in the wild by any manufacturer that chooses. Control is lacking. With cars that simply can’t be accepted.

Of course, all of this doom and gloom sounds quite extreme, which it certainly is, and it’s something Hypponen is not a fan of.

“Most of the worries people have around this are not really realistic,” he said. “I’m not worried about random hackers accessing cars to drive them off cliffs or hack the brakes just for fun. Why would a hacker be interested in that? There has to be a benefit. Causing damage or killing people is unrealistic. Getting the car running to open the door and steal, that is a realistic threat.”

Monetary gains rule the world, of course. However, even knowing this likelihood isn’t enough for some – certainly not enough for Chereshnev.

“Maybe my kids and grandkids will adopt it, but I will never use an autonomous car.”

Main toy car crash image via Shutterstock

Gordon Hunt was a journalist with Silicon Republic