Cybersecurity risks for autonomous IoT-ready cars
By Stephen M.W.
The concerted drive for autonomous cars goes back decades. You’ll probably be surprised to learn that the first self-driving car was showcased in the 1920s. Since then, significant strides have been made thanks to advances in automotive, mechanical, electrical and electronic technology.
Nevertheless, for something that saw its first prototypes a century ago, autonomous cars have struggled to really catch on. The coming of the Computer Age has, however, breathed new life into autonomous cars, and the emergence of the Internet of Things (IoT) has further expanded the possibilities. Cars are becoming just one more type of node in a global network of billions of connected devices. The marriage between cars and IoT has plenty of advantages. However, it also introduces several cybersecurity risks to autonomous cars.
Invasion of privacy
Autonomous connected cars are heavily dependent on sensors. As market demands push for ever greater sophistication of autonomous connected cars, the number of sensors will invariably increase. More sensors, in turn, mean more potential surfaces for hacking and, with that, the risk of exposing personally identifiable information (PII).
Such sensitive PII includes location and trip data, financial information and in-car entertainment preferences. If it falls into the wrong hands, this information could be used to commit financial fraud and identity theft.
Autonomous connected cars are produced by a wide range of manufacturers whose numbers will only continue to increase. Also, each autonomous car will rely on technology sourced from multiple vendors. If one or more of the vehicle’s constituent systems has a flaw, cybercriminals could exploit it.
This is a major problem because cybersecurity is often an afterthought for autonomous connected cars, which gives hackers multiple avenues to exploit these vulnerabilities over cellular networks and Wi-Fi. The danger is not just to the car, its occupants and the systems that run it, but also to the devices on any network that the car connects to, such as a home or enterprise network.
Mobile application vulnerability
Smartphones have rapidly become the primary personal computing device. In keeping with this consumer trend, equipment manufacturers across the board have gone to great lengths to ensure that they have a mobile app that users can rely on to connect to, configure and/or operate the equipment. However, this convenience also introduces a new attack vector for autonomous connected cars.
Both the mobile apps themselves and the iOS and Android operating systems they run on can be tools in the hands of attackers. Bad actors could use a mobile app’s vulnerability to gain access to the aircon, fans, seats and steering wheels. If the autonomous vehicle is electric, hackers could even render it immobile by draining the battery.
Supply chain cybersecurity vulnerabilities
Connected autonomous car manufacturers depend on a broad range of third-party vendors for the software and hardware components that go into making the vehicle operational. Unless the car manufacturer imposes robust cybersecurity requirements on its most critical technology suppliers, it may inadvertently allow security vulnerabilities.
Technology-dependent components that are responsible for core mechanisms such as accelerating and braking must satisfy the highest cybersecurity standards and be subjected to regular automated testing that confirms the system is still working as it should.
Failure to apply security patches
As the technology environment in which an autonomous connected car operates changes over time, a previously secure system could become vulnerable to new security risks. There may also be pre-existing cybersecurity risks in autonomous cars that weren’t known before the system was deployed.
To stay on top of these threats, new security updates must be developed and applied to the vehicle system. The updates will usually be accessed through wireless communication networks. Any persistent connectivity problems, therefore, may mean that patches are not applied as soon as they should be, which would leave a window for bad actors.
The modern vehicle is home to a wide range of entertainment options and autonomous connected cars are no exception in this regard. Everything from streaming media to sat nav creates convenience for the occupants. Both Apple and Google have vehicle-centric app stores and infotainment systems. There are also opportunities for autonomous car systems to connect to social networking and payment applications especially concerning car-centric needs such as journey planning, parking, and tolls.
Still, these platforms utilize sensitive data that is critical to the safety and security of the car and its occupants. Therefore, there’s a danger of malware attacks hijacking or corrupting autonomous car systems.
Manipulation of safety-critical controls
If the cybersecurity controls of an autonomous connected car are compromised, there’s the danger of hackers manipulating critical safety controls of the vehicle and thereby causing an accident, injury, or death. A cyberattacker could, for example, compromise the car’s cruise control system, thereby inhibiting braking and steering.
As mobile applications, wireless key fobs and digital keys gradually replace traditional means of vehicle entry, they create new avenues through which tech-savvy car thieves can gain unauthorized entry into the vehicle.
They could achieve this by intercepting the wireless communication between a key fob or smartphone and the car, using devices that emulate the wireless key and extend the range of the signal. While the move to virtual keys was initially perceived as a key step in curtailing vehicle theft, it turns out that virtual keys are almost as vulnerable as physical keys.
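The range-extending relay described above forwards a genuine fob's replies, so a cryptographic check alone still passes. As an added example (not from the article), this Python simulation shows a car-side check that also bounds the round-trip time; the 2 m radius, the 1,000 ns fob delay and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration only (assumptions, not from the article).
SPEED_OF_LIGHT_M_PER_NS = 0.299792458
FOB_PROCESSING_NS = 1_000   # assumed fixed reply delay inside the fob
MAX_DISTANCE_M = 2.0        # assumed radius within which unlocking is allowed
MAX_RTT_NS = FOB_PROCESSING_NS + 2 * MAX_DISTANCE_M / SPEED_OF_LIGHT_M_PER_NS


class Fob:
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        # Prove possession of the shared key for this specific challenge.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def direct_channel(fob: Fob, distance_m: float):
    """Fob talks to the car directly: delay = time of flight + processing."""
    def exchange(nonce: bytes):
        rtt_ns = FOB_PROCESSING_NS + 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS
        return fob.respond(nonce), rtt_ns
    return exchange


def relayed_channel(fob: Fob, distance_m: float, relay_overhead_ns: float):
    """Same genuine fob, but its signal is forwarded over a longer path."""
    inner = direct_channel(fob, distance_m)
    def exchange(nonce: bytes):
        response, rtt_ns = inner(nonce)
        return response, rtt_ns + relay_overhead_ns
    return exchange


class Car:
    def __init__(self, key: bytes):
        self._key = key

    def try_unlock(self, exchange) -> str:
        nonce = secrets.token_bytes(16)   # fresh challenge defeats replay
        response, rtt_ns = exchange(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: bad response"
        if rtt_ns > MAX_RTT_NS:           # valid reply, but from too far away
            return "reject: round trip too slow"
        return "unlock"
```

The relayed reply is cryptographically valid in every case; only the timing bound distinguishes it. Measuring at this resolution requires radio hardware built for time-of-flight ranging, since application-level timestamps are far too coarse.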
Autonomous connected vehicles are susceptible to the biggest threat facing any computing system or device today: insiders. Insiders have knowledge, are trusted and have access to the vehicle manufacturer’s information. The motivations for an insider’s actions vary greatly and range from sabotage and physical harm to fraud and data theft. Detecting an insider’s attack on an autonomous connected vehicle is challenging, as their actions may not arouse suspicion from the outset.
Dearth of security-by-design
The automotive industry doesn’t have a stellar record for building security-conscious hardware and software for its connected cars. To be fair, security-by-design is a problem across nearly every subsector of equipment manufacturing, with the notable exception, perhaps, of computing device manufacturers.
First-generation autonomous connected cars had glaring security shortcomings. Secure coding and rigorous security testing are often left until very late in the product development cycle when there’s little time to ensure a thorough identification and resolution of vulnerabilities. This is exacerbated by the limited budget devoted to cybersecurity matters.
Understanding cybersecurity risks and autonomous cars is key
Autonomous connected vehicles bring increasingly sophisticated digital cockpit systems that create exciting personalized experiences for passengers. But this comfort and convenience come with security challenges. Recognizing the cybersecurity risks of autonomous cars is the first step toward mitigation.