Autonomous driving spurs concerns about cybersecurity risks
Aug. 21, 2013 — Self-driving cars are one of those things — like jetpacks and silver lamé bodysuits — that have come to be synonymous with “the future,” to represent everything we hope to achieve and everything we hope to become. But unlike jetpacks and silver lamé bodysuits, self-driving vehicles are on track to be a staple of the present. As I have discussed here and here, the past several years have seen tremendous strides in autonomous driving.
But for all the utopian visions of a world inhabited by vehicles that drive themselves — catch another hour of sleep while your car takes you to work; never again have to worry about finding a parking spot – there’s a potentially sinister and even dangerous side to autonomous driving. Not the “evil K.I.T.T.” kind of dangerous, but a far more real, far more scary kind.
Security company MWR InfoSecurity recently called attention to vulnerabilities in cars with ever more sophisticated onboard computer systems. Cyber criminals could gain access to the vehicles via any number of embedded devices, they said, with potentially catastrophic consequences.
The possibility of such attacks centers on a car’s engine control units, or ECUs, the devices behind many of the souped-up options you’ll find in today’s vehicles. Criminals can gain access to the ECUs via the CAN (controller area network) bus, for example, which allows the assorted microcontrollers and devices to communicate with one another without need of a host computer.
More disconcertingly, they can take advantage of the communication channels used to transmit and receive the data processed by the ECUs — wireless keyless entry systems, tire pressure sensors, etc. Also: Services like BMW Assist, GM’s OnStar and Mercedes-Benz mbrace use various protocols to obtain remote access, while newer in-car entertainment systems are connected to both the CAN bus and the Internet.
This opens up the possibility of thieves and other malefactors getting their hands on personal information like addresses and phone numbers and possibly even credit card numbers on a phone connected to the car and/or saved to a local hard drive-based navigation system. Far worse: They could access systems related to a range of services and features — including parking assist and other options as well as the services noted above — and apply the brakes or take control of the steering.
How easily and under what conditions this could happen will vary from manufacturer to manufacturer. But the potential for attack is real, and it’s not likely to go away anytime soon.
The growing risk of vehicle-based cyber crime recently prompted the National Highway Traffic Safety Administration (NHTSA) to open a new office to address the potential for such security threats.
“These interconnected electronics systems are creating opportunities to improve vehicle safety and reliability, but are also creating new and different safety and cybersecurity risks,” said David Strickland, head of the NHTSA, before a Senate Commerce Committee hearing, as reported by Bloomberg News. “We don’t want to be behind the eight ball.”
Dave Hartley, security consultant at MWR InfoSecurity, agrees. He thinks tackling the threat of such risks should begin with automakers.
“Manufacturers should start identifying these weaknesses and resolving them before others make them public,” he said. “They need to take a step back and look at how security should be incorporated into the design process.”