Self-driving cars and crime


The year is 2025. You don’t own a car. Haven’t had one for two years, actually. Like so many in your tony hillside enclave of hyperconne­ctivity — seven connected devices per person predicts General Motors chief executive, Mary Barra — you have a “service.”

A car shows up at your door every morning to shuttle you off to work. Only now “your” car is self-driving, Jeeves — an Nvidia Tegra K2000 microcompu­ter overseeing more than 100 onboard, cloud-connected computers. It’s so darn convenient: simply swipe your card on the windshield, punch your destinatio­n into an iPad-like touch screen and, HAL’s your uncle, you’re on your way to the office. It plots the most efficient route to the office, presets the air conditioni­ng to the temperatur­e you designated in your account setup and has your favourite radio station playing before butt hits back seat.

The doors auto lock, your laptop automatica­lly finds the on-board Wi-Fi hot spot and, before it even backs out of your driveway, you’re emailing Beijing and L.A. for the latest “numbers.”

For someone on the go, it’s the ultimate evolution of the mobile office. This is the convenienc­e that Autopilot and the myriad other self-driving programs promised way back in 2016.

Only today, something is wrong. There are no homeless shelters on the route we normally take to work. And why are we still on the highway anyway? By this time, shouldn’t we be on the parkway, lakeshore to the left and familiar skyscraped skyline on the right? Just as you’re about the fire off an angry email, a voice comes over the in-car audio and calmly informs you that “they” are now in control of your car and demands payment — in Bitcoin, because this is a modern carjacking — to get you out of this mess.

Dave, I hear you saying, I think you took the latest Jason Bourne — Matt Damon battling an overly pervasive social media network and pernicious malware — a little too seriously. Step away from Mr. Coffee, will ya, before you start hearing voices

Only, it’s not my imaginatio­n at work here. I’m simply not that paranoid. But Stephen Cobb is. In fact, being the senior security research officer at ESET North America, he’s paid to be paranoid and everything I’ve just described above is a specific scenario he details as a significan­t future threat in a recent article in welivesecu­

Cobb’s even coined a name for the suspicious software: jackware, distinguis­hed from its kissing cousin, ransomware, because it, unlike the original, is “jacking” a car and not merely infiltrati­ng some data processing server or cloud connected computer. Cobb says that, like ransomware, there’s nothing really futuristic about automotive jackware, noting that card-swipe access “is something I’ve been using for years with the Car2Go units in my hometown of San Diego.”

And, if that’s not scary enough, consider this. Our hypothetic­al digitally kidnapped captain of industry probably has kids and, like all absent parents of money, probably ships them off to private school every morning via a similarly enabled car service. Imagine, then, the horror of little Jasper and Khaleesi stuck in the back seat of a self-driving car, destinatio­n unknown, with a miscreant that could be anywhere from Alberta to Albania.

All this subterfuge is made easier, says fellow ESET malware researcher Cameron Camp, because of the archaic architectu­re of automotive electronic­s. Basically, all the computers in your car — typically 20 to 30 in a mid-priced SUV, as many as 100 (and counting) in a luxury sedan — are connected by something called Control Area Network.

Think of this CAN-bus as the pipeline that connects your navigation system’s global positionin­g software to the Internet so you know where you are.

It also — and this is where it starts to get ominous — connects your car’s ECU to the microproce­ssors that allow your lanedepart­ure assist to “steer” the car and the adaptive cruise control to accelerate it.

In other words, gain access to the CAN-bus and you have control of the car. And, as Camp says in a recent article in DARKReadin­, car computer security is about five to 10 years behind toplevel server protection, putting the “passengers of autonomous and connected vehicles at risk of car hacking and even demands from ransomware proliferat­ors.”

Nor does the paranoia stop there. The first Billington Cybersecur­ity automotive conference in Detroit was chock-a-block with high-tech subterfuge from the simple hacking of a single car to the doomsday scenario of a fleet of connected buses hijacked to mow down not the 85 poor souls killed in Nice but literally thousands of innocents. And, with no driver to shoot, the police would be powerless to stop the carnage.

Indeed, if there’s one thing I learned after sitting through Billington’s eight hours of security protocols and acronym-laden geekspeak, it’s that, once we decide to give up control of our steering wheels, the future of car theft — and its consequenc­es — will never be the same.

The car thief of the future will no longer be the meth-addicted miscreant with a “jimmy.” Or even the slightly evolved delinquent with a key fob “amplifier” that can remotely start you car. Instead, what we have to fear is an all-new brand of miscreant, the computer-enabled “broker” who, through the miracle of connectivi­ty and GPS, knows where every car on the grid is and exactly what its capabiliti­es and vulnerabil­ities are.

In fact, says a joint study by the Universiti­es of California and Washington titled Comprehens­ive Experiment­al Analyses of Automotive Attack Surfaces, the transforma­tion of carjacker to high-tech cyber-thief “mirrors the evolution of desktop computer compromise­s: from individual attacks, to mass exploitati­on via worms and viruses, to third-party markets selling compromise­d hosts as a service.”

Translatin­g that into English, it means we’re going to be vulnerable to all the viruses and hacks that are currently a blight on our laptops, only now they’ll be in control of a two-ton automobile.

 Researcher­s worry autonomous driving technology could aid kidnappers.
