Q&A: IDC research predicts a three-year lag before car security systems are protected from hackers.
We are speeding towards a driverless future, with everyone from government to manufacturers trying to claim pole position in the driverless car race.
While big carmakers such as Volvo and Jaguar Land Rover have already committed to driverless car roll-outs on UK roads, other manufacturers and tech companies are choosing their partners carefully, deciding who to carpool with in order to beat competitors. Uber is working with Ford, BMW has partnered with Intel, and others such as Google and Apple are keeping their cards close to their chest with secret labs and projects.
UK insurance is also trying to get to grips with liability, with Allianz, Zurich and AXA among an 11-strong ABI group looking into how to insure smart cars. The UK government is also trying to keep a hand on the situation, with the Queen’s 2016 speech pointing to a Modern Transport Bill. This Bill will reportedly be discussed after a nine-week nationwide consultation on driverless cars, with the consultation looking to revamp the Highway Code and insurance in preparation for next-gen vehicles.
So why are industry and government all jumping on the driverless bandwagon? Well, it’s all the supposed benefits that driverless will bring – the number one benefit being safety. Driverless cars will get rid of human error, decrease fatalities and save lives.
However, is driverless really as safe as it is purported to be? With all the technology underpinning driverless cars, could there be very real cyber security issues with the car of the future? Could lives still be at risk?
Looking into the uncertain future of driverless cars, CBR spoke to John Smith, solution architect at Veracode, about the very real cyber security threat targeting driverless and connected cars.
EB: Why would hackers target a driverless car? What would their ultimate aim(s) be in the attack?
JS: The short answer here is fairly simple: Money. Almost every attack that we see today has money as its root motivation. The longer answer is a little more complex as there are a number of different ways that a hacker might seek to monetise an attack on a driverless car.
As an extension of today’s most common approach of stealing corporate and personal data, connected cars will host a significant wealth of personal information that hackers will be keen to access. From the ability to track our whereabouts, to sourcing personal information from in-car infotainment applications, to being a potential access point to the car’s cloud platform, a great deal of data is at stake.
However, there are also concerns regarding how the vehicle itself might be manipulated by a hacker. The severity of this situation could range from a hacker disabling the car, or slowing it down so the driver misses an important meeting, to even orchestrating an accident. These kinds of attacks would present an opportunity to blackmail the manufacturer.
EB: What sort of cyber attacks do you foresee being targeted towards driverless cars? What are the key weaknesses or vulnerabilities?
JS: The security industry has already demonstrated the range of potential attack vectors on connected and driverless cars: from hacking the locking system, to halting a Jeep driving down an American highway. The multitude of attack vectors comes from the greater number of elements in the car which are internet connected, each with its own software and connections to external data sources.
The software vulnerabilities found in vehicles’ network connections pose a significant risk to the security of driverless cars. Exploiting security flaws is becoming an increasingly popular attack vector across all connected devices – from mobile phones, to connected toys – with the number of cases rising 66 percent year on year since 2009. Unless car manufacturers work hand in hand with the security industry, software vulnerabilities will persist. Indeed, bug bounty programmes, like that of General Motors, may prove essential to this industry to help mitigate this risk.
EB: Are these sorts of attacks being seen in today’s connected cars? Will attacks be amplified when cars go driverless?
JS: We’ve already witnessed how software vulnerabilities can be used to compromise elements of the software in connected cars. Last year, researchers from the Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, detected a vulnerability in the BMW Connected Drive system, which allowed researchers to imitate the BMW servers and send remote unlocking instructions to its vehicles.
When these sorts of software vulnerabilities start being exploited for malicious gains will depend on when we see a greater roll out of connected cars. By and large, hackers want the greatest bounty for the least effort. With such a small pool of connected vehicles currently in circulation, it is unlikely to be a focus to many hackers. However, as with all connected devices, this will change as they become more popular and capture more data.
EB: What lessons can we learn from the roll out of connected cars and subsequent attacks?
JS: There is no question that greater work needs to be done to secure connected vehicles. With over 200 million lines of code in today’s connected car, not to mention the smartphone apps linked to the car, it is important that car manufacturers and the security industry collaborate to ensure they are developed with security at the heart of the strategy, rather than as an afterthought.
EB: Will the liability lie with manufacturers in the event of a cyber attack/accident?
JS: This question simply hasn’t been answered – and needs leadership from industry and government to reach a consensus. Currently, if a car falls victim to a cyber-attack through applications in a third-party infotainment system, and has an accident, we don’t know who’s at fault. As another example, we don’t know who should be held responsible if an application downloaded to a car – or linked smartphone – has a vulnerability and puts the safety of the car or personal data at risk. These are just a couple of questions that need answering and will require strong leadership to do so.
EB: Will car insurance have to account for the risk of cyber attacks?
JS: The driverless car consultation launched by the government is looking at the role that insurance will play in autonomous vehicles; for instance, is a driver liable for a crash if he doesn’t have his hands on the steering wheel? It is important that, as part of this consultation, consideration is also given to liability in the case of a cyber-attack. Without any precedent to go on in other industries, the conclusion it comes to on this issue could have significant ramifications on cyber liability across a number of sectors.
EB: While modern day cyber-attacks can result in data theft or extortion, an attack on a car could potentially endanger lives of passengers. How seriously are manufacturers taking cyber threats in relation to connected/driverless cars?
JS: New research from IDC, based on interviews with leading manufacturers, predicts a security lag of up to three years before application systems catch up with cyber threats. While we have no doubt that manufacturers are taking this threat seriously, it is critical that they consult with cybersecurity experts to ensure that their systems are not vulnerable.
EB: Why is there this lag of up to three years before car security systems are protected from hackers? What created this lag?
JS: What we’re seeing happen in the car industry is a microcosm of what’s happening in financial services, healthcare and virtually every other sector – applications not developed with security in mind, creating a major area of risk. The key difference here is that an application vulnerability in a car could put somebody’s life in danger, and that is why manufacturers, technology companies and the government must work together to ensure the safety and security of drivers in this connected age.