Electronic setups of driverless cars vulnerable to hackers
Any part of a car that talks to the outside world is a potential opportunity for hackers.
That includes the car’s entertainment and navigation systems, preloaded music and mapping apps, tire-pressure sensors, even older entry points like a CD drive. It also includes technologies that are still in the works, like computer vision systems and technology that will allow vehicles to communicate with one another.
It will be five to 10 years — or even more — before a truly driverless car, without a steering wheel, hits the market. In the meantime, digital automobile security experts will have to solve problems that the cybersecurity industry still has not quite figured out.
“There’s still time for manufacturers to start paying attention, but we need the conversation around security to happen now,” said Marc Rogers, the principal security researcher at the cybersecurity firm CloudFlare.
Their primary challenge will be preventing hackers from getting into the heart of the car’s crucial computing system, called a CAN (or computer area network).
While most automakers now install gateways between a driver’s systems and the car’s CAN network, repeated hacks of Jeeps and Teslas have shown that with enough skill and patience, hackers can bypass those gateways.
And the challenge of securing driverless cars only gets messier as automakers figure out how to design an autonomous car that can safely communicate with other vehicles through so-called V2V, or vehicle-to-vehicle, communication.
The National Highway Traffic Safety Administration has proposed that V2V equipment be installed in all cars in the future. But that channel, and all the equipment involved, open millions more access points for would-be attackers.
It’s not just V2V communications that security experts are concerned about. Some engineers have imagined a future of vehicle-to-infrastructure communications that would allow police officers to automatically enforce safe driving speeds in construction zones, near schools or around accidents.
Given the yearslong lag time from car design to production, security researchers are also concerned about the shelf life of software deeply embedded in a car, which may no longer be supported, or patched, by the time the car makes it out of the lot.
In 2014, for example, some curious Tesla Model S owners did some tinkering and claimed to have discovered a customized version of a type of Linux software called Ubuntu. Ubuntu was first released in October 2010 and has not been supported since December 2014. “In effect, that means the operating system in your car was depreciated before you bought it,” Rogers said.
And automakers stitch together software from dozens of different suppliers, all of them with different shelf lives and patch cycles. If automakers have any chance of keeping cars secure, figuring out a secure way to roll out patches to every car remotely, for different software components, will be a problem that even the software industry itself has not totally figured out.
“The problem is when people buy a car, they think ‘Oh, I’m buying a Toyota,’ but what they’re really buying is parts from 100 different suppliers all cobbled together,” said Nidhi Kalra, a senior information scientist at RAND Corp. “Cybersecurity cannot be applied on top of everything else. It needs to be based in the design of the vehicle and embedded throughout the entire supply chain.”
Last year, the Department of Transportation announced a 15-point safety standard for the design and development of driverless cars, which included mention of digital security. But the guidelines were intentionally vague and only required that “The vehicles should be engineered with safeguards to prevent online attacks.”
Discussions are ongoing about which government body — the Federal Trade Commission, the National Highway Traffic Safety Administration or another body — will ultimately govern the cybersecurity of connected and autonomous cars.
For now, a number of private organizations are hosting discussions among automakers, identifying and cataloging common security threats.
But, as with any technology, Rogers said, “We won’t be able to shut people out forever.”