Connected cars: the security challenge for autonomous vehicles
Excitement around connected vehicles conceals the risks they introduce into our transport networks. What can we do to remove these vulnerabilities and build cars that are secure by design?
“We disabled every Jeep, Chrysler and Fiat in every tunnel and bridge in Manhattan,” Josh Corman calmly declares. “In that situation, you can’t get anyone in or out of the city.”
Such a conversation starter raises a few questions: who is Josh Corman, where were the news reports and, more importantly, why isn’t he in prison? The first point to note is that Corman cares deeply about your safety. Among other roles, he is a founder of The Cavalry (iamthecavalry.org), a grassroots organisation focused on issues where computer security intersects public safety and human life. The second point is that the hack was simulated, but that fact should offer little in the way of relief.
In 2015, fellow white-hat hackers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee. The stunt earned headlines because the physical powerlessness of the driver was shocking and palpable. Corman’s simulated exploit was lower key in one way - demonstrating such a hack on real roads wasn’t an option - but the points he made were higher minded. On one hand, Corman highlighted that patching the headline vulnerability does not close the route to a car’s critical systems, because the same targets can be reached by other paths. While Miller and Valasek entered via Sprint’s 3G network, Corman’s scenario targeted local weaknesses – typically tyre-pressure sensors, Bluetooth connections and infotainment consoles – to reach the same critical systems. On the other hand, Corman highlighted why ending the conversation at the level of a single driver’s safety is naïve: the safety of our entire transport system is vulnerable.
Within the context of The Cavalry’s work on automotive security, the group aims to educate everyone with a stake in the industry – from parts suppliers to consumers and politicians – in order to protect and build trust around emerging innovations. The lack of segmented systems shown up by Corman’s scenario demonstrated a failure in just one of five key areas The Cavalry deems important on the road towards a healthier future transport ecosystem. The Five Star Automotive Cyber Safety Program the group has developed incorporates ‘secure by design’ assurances, open third-party collaboration, a commitment to evidence capture, over-the-air security updates and logical/physical segmentation and isolation of critical and non-critical systems (see box). The Program won’t prevent every future hack, but it will embed preparedness in the industry when those failures arrive.
Much is at stake. Around 1.25 million people a year die in road traffic accidents worldwide. Driver error accounts for over 90 per cent of those deaths, but connected, automated transport systems won’t be successful in saving those lives until manufacturers build vehicles we can all trust. “The promise of autonomous and connected vehicles is that they can, should and will dramatically improve safety, crash avoidance and crash survival” says Corman. “The peril is that these markets, which are very large parts of our relative economies, are built on trust – and if we’re cavalier about security and privacy concerns in our march to embrace the benefits, that trust won’t just be eroded, it will be shattered.”
In the days when cars didn’t connect to the outside world, there were good reasons to build a car’s critical systems on a Controller Area Network (CAN) bus: it is cheap, robust and was designed for a closed network in which every node is trusted. The weakness is that a CAN frame carries no sender authentication, so any device that can transmit on the bus is trusted by default. That now includes the OBD-II port, which exists for emissions and diagnostic checks, and the telematics ‘black boxes’ fitted by some insurance companies; either can become a gateway to critical systems.
Simply put, the original standards followed to design core car systems may be unfit for use in a highly connected car, exposing vulnerable systems to the Internet. “While adding connectivity to these systems, we were unwilling to challenge existing architecture like CAN-bus and OBD2,” Corman points out. “I strongly believe new vehicles will need alternative reference architectures to safely meet future requirements.” As OEMs start considering these fundamental changes, they must also take steps to protect cars already on the road.
Last year, 117 million LinkedIn email and password combinations popped up online. The information was stolen by hackers four years earlier. “Companies are hacked all the time and sometimes this doesn’t emerge until months or years after the fact,” states Anna Bonne, transport lead at the Institution of Engineering and Technology. “With cars, that’s not good enough; we need to know a vehicle has been compromised immediately to ensure it can revert to some form of safe mode.”
This is an area in which major tech companies might show OEMs the way. After all, there’s a very good reason why companies like Microsoft and Apple request customer failure reports when their operating systems crash. These digital records are very effective at leading engineers to an error’s root cause; by extension, investigating errors ‘in the wild’ is a very effective approach to improving the overall strength of a system. Error logging would allow car manufacturers to separate malfunctions from design defects, human error or deliberate attack. In the case of Jeep, it would have alerted them to the fact that two white-hat security experts were intensively hunting for weaknesses in their cars over a matter of months: hardly an insubstantial matter. Equally, an over-the-air update might have better protected the Jeep system once the original vulnerability was discovered.
In the cyber-physical world of connected cars, there are a couple of key obstacles. One issue is differentiating system anomalies from hacks. “Providing analysis that absolutely quantifies an event based purely on data is a very difficult thing to do,” says Peter Davies, technical director at Thales e-Security and chair of the automotive security work stream within the UK’s Automotive Electronic Systems Innovation Network. “I’m not aware of any industry currently doing that successfully at scale.”
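The two points above (a CAN bus trusts any node that can transmit, and telling an injected message from a benign anomaly is hard) are easiest to see with a small detector. The example below is added here and is not code from the article, from The Cavalry or from any vendor it names. It reads frames in the SocketCAN candump log format, learns each arbitration ID’s normal period from a clean capture, and flags frames that arrive far too soon after the previous frame with the same ID, which is what message injection from an OBD-II dongle looks like on a bus where the real ECU keeps transmitting. The arbitration IDs, payloads and traffic are constructed for illustration and do not correspond to any real vehicle.

```python
"""Frequency-based detection of injected CAN frames (constructed example).

Classic CAN carries no sender authentication: any node that can transmit on
the bus, including a dongle plugged into the OBD-II port, can send a frame
with any arbitration ID. A spoofing node cannot stop the real ECU from
sending, so its frames arrive in addition to the legitimate periodic ones
and the inter-arrival time for that ID collapses. This module learns each
ID's normal period from a clean capture and flags frames that arrive far
too soon after the previous frame carrying the same ID.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class CanFrame:
    timestamp: float  # seconds
    can_id: int       # arbitration ID (11-bit in this example)
    data: bytes       # 0-8 payload bytes


def parse_candump_line(line: str) -> CanFrame:
    """Parse one line in SocketCAN 'candump -l' log format, e.g.
    '(1500000000.010000) can0 0C9#0A1B2C3D'."""
    ts_part, _iface, frame_part = line.split()
    id_hex, payload_hex = frame_part.split("#")
    return CanFrame(float(ts_part.strip("()")), int(id_hex, 16), bytes.fromhex(payload_hex))


def learn_periods(frames, min_samples=5):
    """Baseline: median inter-arrival time per ID, learned from a clean capture.
    IDs seen too rarely (event-triggered messages) get no period."""
    stamps_by_id = defaultdict(list)
    for f in frames:
        stamps_by_id[f.can_id].append(f.timestamp)
    periods = {}
    for cid, stamps in stamps_by_id.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_samples:
            periods[cid] = median(gaps)
    return periods


def detect_injection(frames, baseline, ratio=0.5):
    """Return (timestamp, can_id) for every frame that arrives less than
    ratio * baseline period after the previous frame with the same ID.
    IDs without a learned period are never flagged."""
    last_seen, alerts = {}, []
    for f in sorted(frames, key=lambda x: x.timestamp):
        period = baseline.get(f.can_id)
        prev = last_seen.get(f.can_id)
        if period is not None and prev is not None and f.timestamp - prev < ratio * period:
            alerts.append((f.timestamp, f.can_id))
        last_seen[f.can_id] = f.timestamp
    return alerts


# --- Constructed sample traffic; hypothetical IDs, not a real vehicle capture ---
STEER_ID = 0x0C9   # hypothetical 10 ms periodic message
SPEED_ID = 0x1A0   # hypothetical 100 ms periodic message


def build_clean_capture():
    """One second of normal traffic as candump log lines (constructed)."""
    lines = [f"({i * 0.010:.6f}) can0 {STEER_ID:03X}#00{i % 256:02X}" for i in range(101)]
    lines += [f"({i * 0.100:.6f}) can0 {SPEED_ID:03X}#{i * 5:04X}" for i in range(11)]
    return lines


def build_attack_capture():
    """Same traffic plus 100 spoofed steering frames at 1 ms spacing between
    t=0.5 s and t=0.6 s, as an injection tool on the OBD-II port would produce."""
    lines = build_clean_capture()
    lines += [f"({0.5005 + k * 0.001:.6f}) can0 {STEER_ID:03X}#7FFF" for k in range(100)]
    return lines


def run_detector():
    """Learn the baseline from the clean capture, then score both captures."""
    clean = [parse_candump_line(ln) for ln in build_clean_capture()]
    attack = [parse_candump_line(ln) for ln in build_attack_capture()]
    baseline = learn_periods(clean)
    return detect_injection(clean, baseline), detect_injection(attack, baseline)


if __name__ == "__main__":
    clean_alerts, attack_alerts = run_detector()
    print(f"clean capture: {len(clean_alerts)} alerts")
    print(f"attack capture: {len(attack_alerts)} alerts, first at {attack_alerts[0][0]:.4f}s")
```

The detector fires on the 100 injected frames and also on the 10 legitimate frames that happen to follow an injected one, which is the point Davies makes: timing alone tells you that something is wrong on that ID, not which of the frames is the attacker’s. A production system would pair this with payload plausibility checks and, on a segmented architecture, with a gateway that refuses to forward diagnostic-port traffic to the safety-critical bus at all.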
Segmenting critical from non-critical systems is another major task. “Traditionally, safety tests are based on static analysis that considers the probable hazards associated with a component,” Davies explains. “The level of analysis conducted reflects how safety-critical the component is, but in highly connected vehicles, the seemingly fixed functionality of a component may shift from non-safety-relevant to part of the safety case.” This lack of physical segmentation is already a major problem for cars still rolling off production lines, so work-arounds are needed.
The current state of the art of car security has given rise to third-party specialists like Argus, which was founded in 2013 by former Israel Defense Forces officers. The company aims to reduce risk in current car systems where the attack surface is large, but it is also working with OEMs on the next generation of vehicles to ensure logical security is embedded rather than bolted on. “As soon as an OEM has a concept for a vehicle, we can escort them through their architecture, code reviews, penetration testing, vulnerability analysis and risk assessment to ensure security is embedded in every stage of production,” says Argus marketing director Monique Lance.
Security engineers have a well-worn saying: security is not composable. Two components each shown to be secure in isolation are not guaranteed to be secure in combination, because the combination creates interactions neither analysis considered. “I suspect understanding how to segment systems will partly come down to understanding, from a data science perspective, which characteristics can be made composable and which cannot,” says Davies. By extension, a future smart transport ecosystem is reliant on car security improving markedly: “All the rhetoric around the benefits of vehicle-to-vehicle or vehicle-to-infrastructure communication is undermined by the fact we don’t have trust in individual vehicles,” Corman points out.
As the level of risk posed by IoT vulnerabilities continues to unfold, the ‘money-no-object’ safety innovations developed for the aerospace sector may offer some blueprints to a safer automotive industry. “Airbus built in redundancy to combat hardware failures and software errors, but the same logic could apply to prevent hacks,” explains Jeremy Watson, vice dean of engineering sciences at University College London (UCL) and director of the PETRAS IoT Research Hub. “Understandably, aircraft system security is extreme: five parallel computer systems are onboard, each with different software authors.” If a low-cost parallel system could be built into cars, only one of the two channels would communicate with the external environment while the other stayed isolated; the car would act on a command only when both channels agreed on it, so a compromised connected channel could not drive the actuators on its own. That would be a step in the right direction, but ultimately, responsibility does not fall to OEMs alone.
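The two-channel idea sketched above reduces to a comparator in front of the actuator. The example below is added here to make that concrete; it is not code from the article, from Airbus or from any automotive supplier, and the steering values and tolerances are constructed, not a real control law. Channel A stands for the connected controller, channel B for the isolated one; the arbiter applies B’s value only while both agree, tolerates brief disagreement as sensor jitter, and latches into a safe mode that holds a designated safe command once disagreement persists.

```python
"""Two-channel command arbitration with a latching safe mode (constructed example).

Channel A is the externally connected controller (the one that could be
compromised over the air); channel B is an isolated controller that computes
the same actuator command from the same wired sensor inputs. The actuator
driver applies a command only when both channels agree within a tolerance.
Brief disagreements are treated as jitter and the last accepted command is
held; sustained disagreement latches a safe mode that holds a designated safe
command until a deliberate reset. This does not detect the intrusion; it
denies a single compromised channel the ability to move the actuator alone.
"""
from dataclasses import dataclass, field


@dataclass
class DualChannelArbiter:
    tolerance: float            # max |a - b| accepted, in command units
    mismatch_limit: int = 3     # consecutive mismatches before latching safe mode
    safe_value: float = 0.0     # command held in safe mode (neutral here)
    mismatches: int = field(default=0, init=False)
    safe_mode: bool = field(default=False, init=False)
    last_good: float = field(default=0.0, init=False)

    def step(self, cmd_a: float, cmd_b: float) -> float:
        """Return the command to apply for this control cycle."""
        if self.safe_mode:
            return self.safe_value
        if abs(cmd_a - cmd_b) <= self.tolerance:
            self.mismatches = 0
            # Apply the isolated channel's value: the connected channel can
            # only confirm a command, never originate one on its own.
            self.last_good = cmd_b
            return cmd_b
        self.mismatches += 1
        if self.mismatches >= self.mismatch_limit:
            self.safe_mode = True          # latches until reset()
            return self.safe_value
        return self.last_good              # transient mismatch: hold last accepted

    def reset(self) -> None:
        """Deliberate reset (e.g. by a technician), not something the bus can trigger."""
        self.safe_mode = False
        self.mismatches = 0


def simulate(arbiter: DualChannelArbiter, channel_a, channel_b):
    """Run the arbiter over paired per-cycle commands and return what was applied."""
    return [arbiter.step(a, b) for a, b in zip(channel_a, channel_b)]


def spoofed_steering_run():
    """Constructed scenario: both channels agree on a gentle steering angle
    (degrees), then the connected channel is hijacked and commands a hard turn."""
    true_cmd = [2.0, 2.1, 2.0, 1.9, 2.0, 2.0, 2.0, 2.0, 2.0, 2.0]
    hijacked = true_cmd[:4] + [-40.0] * 6
    arb = DualChannelArbiter(tolerance=0.5)
    return simulate(arb, hijacked, true_cmd), arb.safe_mode


def jitter_run():
    """Constructed scenario: one cycle of disagreement from sensor noise."""
    arb = DualChannelArbiter(tolerance=0.5)
    return simulate(arb, [2.0, 5.0, 2.0], [2.0, 2.0, 2.0]), arb.safe_mode


if __name__ == "__main__":
    applied, latched = spoofed_steering_run()
    print("applied:", applied, "safe mode:", latched)
```

Note what the arbiter buys and what it does not: the hijacked channel never reaches the actuator, but the car still loses the function and drops to its safe command, so the safe value and the mismatch limit have to come from the safety case for that actuator, not from the security team alone.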
The complexity of IoT security has often led to little action beyond compliance and general principles among Tier 1 manufacturers. In the consumer electronics market, a few notable leaders, such as Apple, use enhanced consumer data protection through encryption as a marketing opportunity. If market leaders in the car industry do likewise, by showing commitment to The Cavalry’s automotive cyber safety programme, consumers may have clearer choices, for example, between cars that are likely to suffer critical system hacks and those that aren’t.
To meet security standards that are fit-for-purpose, consumer security awareness will be just as important. At present, the entire industry is motivated by consumer demand for connected features. “Profit margins are lower in the car industry than other transport modes; at the moment, interrogating every piece of software in a vehicle isn’t cost-effective,” says Bonne. “We may need to pay more for cars.”
Insurers and litigators will also have a key part to play. As Davies explains, some of the broader legal implications are only just being grasped: “If someone cuts a brake pipe, a manufacturer isn’t required to take counter measures in every vehicle because the malicious act is confined to a single accident; a cyber-attack has different consequences – a single attack may manifest in every vehicle in a fleet, especially if it targets a common component further down the supply chain.”
“The question of liability is an extremely interesting one,” says Davies. “The UK government’s desire to ensure cyber security is treated as consumer protection means it falls to insurers to work out where liability lies, meaning teams of expensive lawyers may be ironing out these arguments sooner rather than later.” That does not mean car security will be solved in the courthouse. As the transport ecosystem begins to evolve rapidly, the private sector, regulators and legislators need to understand where to lead, follow and stay out of the way.
The final piece of the puzzle comes back to education. For all the uncertainty around connected car safety, there is one area of overwhelming agreement: the severe skills shortage. Experts as knowledgeable as Corman and Davies are thin on the ground on both sides of the Atlantic, and the sheer number of security specialists that pour out of the Israel Defense Forces’ Unit 8200 is not typical elsewhere. By 2020 there is set to be a global shortfall of around 1.5 million cyber-security workers, according to (ISC)², a professional body for information security practitioners.
“We’re in a position where senior management now recognise there are risks and coders understand the mechanics, but at an intermediate level we need security-minded engineers and product managers who can sniff out risk and understand the proportionate response,” says Watson. “We don’t train people to do that yet, which is why at UCL we’re designing a course that crosses over between the technical and behavioural sciences to address this shortfall.”
In April 2016 Corman took up a position with policy think tank Atlantic Council. “To exert real change we need to involve the public policy arena,” he insists. Clearly, a road forward for car security is emerging, but without urgent multilateral cooperation, that road could be long and bumpy.
Who can look at your driving data?
“Privacy doesn’t drive the business model [for connected cars], quite the opposite: data does,” asserts Carsten Maple, professor of cyber systems engineering at Warwick University. “Put it this way, I’m very careful to delete all my navigation history from rental cars before I hand them back. If I drive from home to the university and back again five times a week, it’s not hard to guess where I live and what my job is.”
As cars become increasingly tailored to user preferences, it’s clear that any linked data upon which that’s based can reveal highly valuable personal details, including geolocation, driving habits, information on our music tastes and internet browsing history. If you were planning to burgle someone’s house, it would be useful to know beforehand that they were nowhere nearby; it would be even more convenient to steal their credit card details thanks to poorly protected in-car entertainment services.
In-vehicle features will increasingly drive car sales, but the need for constant real-time communication between users, their environments and data collectors creates many opportunities for privacy to be compromised. Smartphones expanded the attack surface that helped push the estimated global cost of cybercrime to $3tn in 2015; connected cars look set to follow suit.
The regulations on the matter are close to non-existent, but awareness is growing. It’s no surprise most of Europe is looking to the US to lead on policy change. Sales of cars and light trucks there totalled 17.55 million in 2016; political bravery Stateside has the power to transform the entire industry’s approach to cyber security.
A bill introduced to the new Congress in January offers signs of hope. The Security and Privacy in Your Car [SPY] Study Act of 2017 will, if passed, require federal and state administrative bodies, OEMs and suppliers, academics and other experts to agree on a set of appropriate cyber-security standards for new vehicles.