It’s fun to imagine a world of self-driving cars; after all, we’ve seen them in The Jetsons, Blade Runner and countless other shows and movies, but the realities surrounding autonomous vehicles and the potential damage inherent in their arrival make even the best science-fiction stories look tame. When we talk about autonomous vehicles, there is much more under the hood than you might think.
Society expects autonomous vehicles to be held to a higher standard than human drivers, but who, or what, actually has access to the car and the transportation system?
Autonomous vehicles are an engineering marvel, but there is an underbelly to this technology that isn’t understood or adequately addressed. It involves cybersecurity issues that can result in life and death situations or even lead to corporate and international espionage.
Now that we have your attention, let’s look at this as a two-sided problem.
First, let’s talk about the devices themselves because autonomous vehicles are essentially moving computers that use large and complex sets of data to function. Not only is that data created and consumed by systems within the car, but it’s also generated, consumed and shared with and by the external infrastructure required to support that vehicle. After all, this infrastructure is really a vast, interconnected network of static or centrally controlled IoT (Internet of Things) devices that is complicated to physically secure.
While there are several Regional Technology Development Sites in Ontario, working with academic institutions such as Durham College Autonomous Vehicle Applied Research, the cybersecurity solutions protecting both vehicle occupants and the municipalities that manage the road infrastructure are still in a conceptual phase.
This means the data and related systems can be breached.
So, we have two problems. People can hack into vehicles, and people can hack into the infrastructure supporting those vehicles, resulting in a breach with potentially deadly consequences.
The critical problem revolves around trust. When you think about it, the entire system is a network of devices that must talk to each other in order for the system to work. Vehicles use internal systems to monitor the external environment around the vehicle, but there is also an entire system of external devices that includes smart traffic lights with sensors that measure traffic speed, direction and volume in order to connect to a broader network of smart devices to create a much more efficient traffic system.
In fact, a complete traffic grid consists of thousands of IoT devices that include permanent devices, such as street signs and traffic lights, various road and environmental sensors, as well as temporary devices that provide data on construction and road conditions. (Picture construction signage placed on streets and highways during construction.) All of these devices and the systems that control them need to integrate and communicate with one another and process, aggregate and analyze all of the data created to manage the collective system.
So permanent infrastructure, temporary infrastructure and individual vehicles must trust each other, and more specifically, the data they’re exchanging if the system is going to work. Let’s call this the “network of trust.” Now, the main threat is that cyber-attackers will try to disrupt that trust. They will look for weaknesses in the system and use those weaknesses for their own gain. One of the most obvious reasons to do this is to create some kind of disruption with the ultimate goal to cause chaos, traffic jams, accidents, or even to instigate economic disruptions and civil unrest.
Other reasons, however, can be more subtle, such as hacking into some or all of those smart devices to get some kind of malware or backdoor access into the vehicles or the infrastructure itself. As hard as it may be to believe, there is no single cybersecurity standard across the automotive industry for either autonomous vehicles or the infrastructure that supports them. There are some decent security standards, such as UNECE WP.29 and ISO/SAE 21434, for automotive suppliers and manufacturers, but those standards do not deal directly with issues around autonomous vehicles’ cybersecurity, nor are they uniformly applied or enforced. For autonomous vehicles and smart systems, it’s still the wild west. For example, Tesla conducts updates to their cars over the air. Think about the danger when an update is sent to hundreds of thousands of cars wirelessly. The problem, as we’ve seen with the recent issues from the SolarWinds breach, is that the whole supply chain can be compromised through updates, especially when parts of the code come from multiple independent parties. Malware and backdoors can be introduced at any time.
Given how many devices exist in a real autonomous and smart-grid network and how many separate systems are required to make those devices and the entire network function, you only have to access one piece of the system in order to potentially disrupt the whole. Once again, the SolarWinds breach demonstrates the potential problem. Now imagine someone who wants to take control of even a small municipality by placing malware in one area of the system and, months later, being able to hold that region hostage until it pays a ransom. The economic damage and potential for death and injury come into play as bargaining chips. Now, what would happen if they targeted a major city like New York, London or Toronto? What if China used malware to disrupt traffic in Taiwan as a prelude to a military attack?
Political thriller or real threat?
In the not-too-distant future, our urban networks will increasingly involve facial recognition, where high-powered cameras watch and record data that can determine who you are, where you’re going and, through AI, can even generate predictions for your future behaviour. You may think this is science fiction, but these technologies are already here.
External cameras are not the only threat to our personal privacy. As with our phones, most of us have used audio cues to tell our vehicle to connect to the Internet or to place a call. As our vehicles become extensions of ourselves, much in the same way as our phones have, they will be continually listening to us, taking orders from us and learning more about us. The security and privacy of that information can be breached.
It isn’t hard to see how an adversary could use a breach to find and follow dissidents or public officials and gain access to their conversations, even taking control of their vehicles for nefarious purposes. Imagine a situation where a bad actor can find and verify that a specific person happens to be in a particular vehicle and then use that information to predict the perfect place to take control of the vehicle, locking the doors and driving it externally to a “safe” location where a kidnapping can take place. A scene from a spy novel? What if it involved a family separation where one parent decides to take their son or daughter against the will of the other parent and/or the court system? The situation feels less far-fetched now, doesn’t it?
When it comes to autonomous vehicles, bad actors can even turn a vehicle into a weapon without physically taking over the vehicle. Imagine if they disrupted the visual inputs of the car or truck, changing the geometric pattern recognition to turn a stop sign into a yield sign or, worse, an increased speed sign, causing the vehicle to rapidly accelerate through the stop sign and into oncoming traffic. What if the vehicle’s visual system was re-trained to identify a boardwalk as an on-ramp, allowing potential terrorists to take over the vehicle and drive it into a group of pedestrians?
Autonomous vehicles and network security issues are more significant than we realize. This is why the entire system requires fail-safe countermeasures. For instance, we always need to know that a vehicle has correctly read road signage, but rather than relying solely on sign recognition via internal vehicle sensors, there should be a signal transferred from that sign back to the vehicle to reinforce that the vehicle has correctly read that sign. Only then can the vehicle continue. Our network of “trust” becomes a network of “trust but verify.”
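The sign-confirmation check described above, sketched as an added example (not code from the original article or from any vehicle vendor). The message format, the per-sign key table, the freshness window and the use of HMAC are all assumptions made for illustration; a production roadside system would more likely use asymmetric signatures so that vehicles hold no secret keys.

```python
import hashlib
import hmac
import json

MAX_AGE_S = 2.0  # assumed freshness window for a sign beacon, in seconds
# Constructed demo key; how keys reach vehicles is assumed, not shown.
SIGN_KEYS = {"sign-0042": b"constructed-demo-key-0042"}


def make_beacon(sign_id, sign_type, ts, key):
    """Roadside side: serialize the sign's claim and attach an HMAC tag."""
    body = json.dumps({"id": sign_id, "type": sign_type, "ts": ts},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_beacon(beacon, now):
    """Vehicle side: return the claimed sign type, or None if untrusted."""
    try:
        body = beacon["body"].encode()
        claim = json.loads(body)
        key = SIGN_KEYS[claim["id"]]          # unknown sign -> KeyError
        ts = float(claim["ts"])
        sign_type = claim["type"]
        tag = str(beacon["tag"]).encode()
    except (KeyError, TypeError, ValueError, AttributeError):
        return None                           # malformed or unknown sender
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None                           # forged or altered in transit
    if not (abs(now - ts) <= MAX_AGE_S):
        return None                           # stale: possible replay
    return sign_type


def decide(camera_label, beacon, now):
    """Proceed only when the camera and an authenticated beacon agree."""
    confirmed = verify_beacon(beacon, now)
    if confirmed is None:
        return "FAIL_SAFE: no trusted confirmation"
    if confirmed != camera_label:
        return "FAIL_SAFE: camera=%s beacon=%s" % (camera_label, confirmed)
    return "PROCEED: %s" % confirmed
```

Neither input is trusted alone: a misread camera label, an altered beacon and a replayed beacon all end in the fail-safe branch.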
Yes, some of these situations outlined may lean toward science fiction, but most of these scenarios are very real. That’s why, as different municipalities prepare for autonomous vehicles, we need to understand these cybersecurity issues. There can be no doubt that our infrastructure is going to be a target of cyber-attacks because our adversaries see opportunities in the very things that we see as threats, and they’re setting up real-life labs to discover the best way to breach these systems.
Sophisticated adversaries, including foreign nations, will not immediately jump to action to take advantage of a breach. Instead, they will watch as our networks are being built and take their time to discover each potential vulnerability in the connected infrastructure network. It’s a reality that Russia and Iran are much further ahead in terms of their cyber warfare capabilities than most nations, and we have seen them repeatedly testing those capabilities as cyber warfare against their adversaries, whether we’re talking about the attacks on the power plants in Ukraine or attacks against a refinery in Saudi Arabia.
We need to build autonomous vehicles and create a network capable of preventing and eliminating known and unknown threats and breaches. The ideal network would be a network of “zero trust,” where there is no external access provided and where robust, automated cryptographic and entitlements management allows the system to work, but this isn’t possible given the scope and scale required to build traffic infrastructures across vast regions. The cost is simply too high. Our devices and vehicles are going to need cheap hardware and software to make the system affordable at the scale required. Think about entire computer vision systems in the car that are less expensive than the Raspberry Pi. Guess what: even cheap IoT devices will still be multi-billion-dollar projects for smaller municipalities.
How will we defend ourselves against these breaches?
The model of trust that we need to build must be rethought. We need to protect ourselves by working with academic institutions, municipalities and vehicle manufacturers to collectively establish a secure “trust but verify” network that comes as close to “zero-trust” as economically feasible. This means engineering an integrated system, including autonomous vehicles, and evaluating every piece within our infrastructure, testing the system from both an AI and a cybersecurity perspective to ensure that nothing relies on a single trust factor. In other words, we need to be aware of the problems and work together to secure the system and keep us free from threats.