By Cabe Atwell, Contributing Editor.
It’s undeniable—driverless cars are coming. We could have guessed when the first autonomous semi-truck successfully hit the streets in 2015 that the technology would at least be explored as a way to improve the safety of ground transport. We might have suspected when Google’s autonomous car gave a blind man a lift, something was up. Well, now it’s certain. Driverless will hit the consumer market as early as 2021.
What does this mean for security? Cyber threats today are more serious than any other time in history. With talk of foreign hackers and trolls potentially having swayed the 2016 election and serious Internet of Things (IoT) security flaws, how safe could autonomous vehicle technology be, really? Unfortunately, not very.
Hacked, with Relative Ease
Charlie Miller and Chris Valasek became hacker celebrities in 2015 when the team remotely hijacked the smart system of a 2014 Grand Jeep Cherokee and killed the transmission. The duo wanted to prove that connected cars, like all other IoT devices, must address security. They wanted automotive manufacturers and leaders in the industry to take responsibility for that security. So, they hijacked a Ford Escape, Toyota Prius, and Jeep Cherokee, to prove that hacking into a car can do much more than turn off and on the headlights and blare the horn.
By hacking into the connected collision system of a Prius, the duo was able to apply the car brakes remotely, against the will of the driver. The Jeep hacks were even more terrifying. Miller and Valasek caused the car to accelerate unexpected, then when it reached 80 mph, they turned the steering wheel by accessing the park assist. In this instance the passenger was okay, but Miller warned in a fully autonomous vehicle, this might not have been the case.
In semi-autonomous cars, physical drivers can manually override if something goes wrong. But much of the technology under development is fully driverless. The theory is autonomous vehicles would greatly reduce the rise of traffic death—which rose to an all-time high of 40,000 deaths in 2016. It would also provide more mobility and freedom for persons who cannot drive, such as the elderly and those with visual impairments. Anyone could warm to the idea of a chauffeur, but it is possible to do so safely?
New Security Trends
Since Miller and Valasek’s stunt, the industry did begin taking security threats more seriously. The Automotive Information Sharing and Analysis Center was established in 2015 as a platform for collaboration among automakers. The government got involved this past year with the Highly Automated Vehicle Testing and Deployment Act of 2017, which limits the number of autonomous vehicles on the market without adequate security and establishes guidelines for the industry.
But Miller wants to take it further. He says autonomous cars will not be safe until they feature encrypted systems that cannot be overridden remotely or by physical compromise (by, say, a black-hatted passenger). One solution is Tesla’s proposal for a type of encryption called “codesigning,” which would only trust specific cryptographics keys. Another strategy includes deploying a different security systems for each car make or model, so hackers could only target a specific make or model at a time.
Miller is now calling for collaboration among automakers and security experts, but time is running out.
Whether we are ready or not, autonomous cars are coming. Lawmakers and automotive manufacturers are beginning to take these threats seriously, but the best and most secure systems still might not arrive in time for the expected market release of 2021. Still, the security breakthroughs that will be developed through this process may go a long way in securing the Internet at large—and just in the nick of time.