Will driverless cars ever be secure?
UK Government releases security guidelines for smart cars, including secure software lifecycle, but do they go far enough to prevent vulnerabilities?
The UK government has issued a set of guidelines intended to improve the security of smart cars, and their future incarnation, driverless cars.
The guidelines from the Department of Transport focus on the manufacturing supply chain, from designers and engineers, to retailers and senior level executives, and set out best practice in security behaviour for the motoring industry.
“Whether we’re turning cars into Wi-Fi connected hotspots or equipping them with millions of lines of code to create fully autonomous vehicles, cars are more vulnerable than ever to hacking and data theft. It’s essential that all parties involved in the manufacturing supply chain are provided with a consistent set of guidelines that support this global industry”, the guidelines state.
The basic principles are the following:
- Organisational security is owned, governed and promoted at board level
- Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
- Organisations need product aftercare and incident response to ensure systems are secure over their lifetime
- All organisations, including sub-contractors and suppliers work together to enhance the security of the system
- Systems are designed using a defence-in-depth approach
- The security of all software is managed throughout its lifetime
- The storage and transmission of data is secure and can be controlled
- The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail
Ilia Kolochenko, security expert and CEO of High-Tech Bridge commented on the guidelines: “This is a very positive sign and a laudable effort finally undertaken by the government. Connected cars, and the IoT industry in general, need governmental regulation and enforcement of strict security standards. However, we need much more detailed practical guidelines with contribution from leading cybersecurity experts, practitioners and researchers, not just a set of generalized best-practices. Moreover, a violation of the guidelines must be severely sanctioned, otherwise car vendors, and especially their suppliers, will likely ignore them.”
The motoring industry has aspired to deliver ‘self-driving’ cars for decades, but recent innovations mean that the reality is startlingly close. Most new cars on the road incorporate some level of automation, from self-parking or collision avoidance technology. Brands such as Audi, General Motors, and Tesla are among those which may be first to market, with General Motors recently announcing plans to develop an on-demand network of self-driving cars with ride-sharing service Lyft. Live pilots are already under way on the streets of the UK, such as Nissan’s London-based development labs, using the all-electric Leaf model to test responses to street furniture, other driver behaviour and pedestrians.
The government guidelines come as a group of US security researchers published a paper that investigated the possibilities of defacing street signs to confuse self-driving cars. The researchers from University of Washington, University of Michigan, Stony Brook University, and the University of California, Berkeley found that minor alterations to signs reliably fooled existing technology into making the wrong driving decisions, potentially putting the lives of passengers in danger. In one example, the researchers lightly defaced a "Stop" sign which was recognised by smart cars as being a "Speed Limit 45" sign in 100% of cases.
Ilia Kolochenko commented: “This is an excellent example of underestimated fragility of autonomous cars. Even if we assume that a vehicle is unhackable remotely, there are many trivial methods that can be used to manipulate and trick the car. Worse, organized crime will hardly miss such a great opportunity to crash cars (e.g. by setting a sign of minimum speed limit of 100 mph in a city) and kill their passengers, shifting the blame to technology. Law enforcement agencies are not equipped and have no experience in the investigation of such offences and won’t be able to protect the society.”
The increase in technologically sophisticated vehicles on the roads will almost certainly lead to the rise of vulnerabilities within the cars and surrounding infrastructure, and the potential for issues to occur, especially where malicious attacks are concerned. In many ways, this is the opposite scenario to IoT, where the market has been flooded with products that in many cases have low security protections at best - even given the long lead times of the heavily regulated automotive industry, there is still time to tighten security processes and minimise the impact of any flaws - and at least that’s a positive takeaway.