Written by: Natasha Kowalskyj, Social Media Summer Work Study
Edited by: Isabella Blandisi-Van Hee, Project Coordinator for Applied Research
As previously reported, there are a multitude of challenges surrounding the integration of autonomous vehicles (AVs) into our daily lives, with one of the most paramount challenges being the security of data as well as protecting the information collected and received by AVs. According to Griffin (2018), there are substantial cybersecurity threats within AVs, as self-driving cars will, and have already proven to be, irresistible to hackers. The implications of cyber threats impacting the functionality of AVs is an issue that needs to be acknowledged (through strong security measures) before the full implementation of AVs on our roads. Interestingly, when looking at public perception of AVs, consumers have noted cybersecurity as their primary concern (Hsu, 2017). A study found that participants were anxious about losing control of the vehicle [due to hacking] as well as access to driving patterns and locations leading to an invasion of privacy (Hsu, 2017; Sivak & Schoettle, 2017).With the above mentioned points in mind, this Tech Report will review the personal data and safety threats that are possible due to an AV’s connected network. This report will also discuss how these threats can be mitigated for the successful future of self-driving vehicles.
It is essential to first explore cyber threats, which have already occurred during the testing phases of AVs. There have been previous instances where the reliability of AVs have been compromised for malicious intent. For example, in 2015, two security researchers were able to remotely hack into a Jeep and successfully disable its digital system while it was on the highway (Griffin, 2018). A year later, hackers were able to steal 100 cars in Texas with simply the use of a computer in order to unlock and start the vehicles (Griffin, 2018). These examples showcase a major threat as there is the potential for hackers to reroute a vehicle to a particular location. Theoretically, it has also been argued that terrorists could manipulate an AV to drive an explosive device into a populated area when it comes to autonomous transport trucks carrying hazardous materials (Griffin, 2018). While these cases are certainly alarming, they present the reality of how AVs may be compromised with malicious intent and helped by other technology. The main cybersecurity threats lie within Electrical Control Units (ECUs) connected to an internal network, which helps the AV run seamlessly (Toews, 2016). Since AVs today are equipped with 100 ECUs, there is ample opportunity for a cyber-attack. If a hacker were to gain access to vulnerable ECUs, they would be able to take control of any critical functions of driving (Toews, 2016).
Researchers have established various types of AV cybersecurity attacks, which will now be presented (see Linkov, Zámečník, Havlíčková, & Pai, 2019). Beginning with a “spoofing attack,” this is where the perpetrator uses a fake identity to potentially send false information about the vehicle’s location (see Linkov, Zámečník, Havlíčková, & Pai, 2019). Next, a “man-in-the-middle attack” is where a hacker intercepts the AV’s original communication and changes it—sending a completely different message back to the car. A “denial of service attack” is where the hacker sends so much data to the AV that the communication signal is overloaded and cannot detect potential hazard warnings (see Linkov, Zámečník, Havlíčková, & Pai, 2019). A “jamming attack” is where radio noise is used to block the frequency used for vehicle-to-driver communication. Finally, a “black hole attack” would block communication without informing the AV about any missing messages (see Linkov, Zámečník, Havlíčková, & Pai, 2019). Other AV attacks could include falsified digital signatures of the driver, forcing the vehicle to restart, etc. (see Linkov, Zámečník, Havlíčková, & Pai, 2019).
With these threats looming, automotive manufacturers have not taken such scenarios lightly and have all begun to either acquire and/or invest in companies whose main focus is cybersecurity. Yoni Heilbronn, the executive of Argus Cyber Security, believes the best way to understand how automotive cybersecurity works, is to visualize them as having several layers of defense (Toews, 2016). For example, defensive software can be put on individual ECUs, like the vehicles brakes and into the internal network, in order to examine all network communications as well as be able to detect any changes in vehicle behaviour; this reinforces the AV against attacks (Toews, 2016).
The National Highway Traffic Safety Administration has formulated the best practices for cybersecurity in connected or automated vehicles. As mentioned above, it is a layered approach to protection with five principal functions: identify, protect, detect, respond, and recover (Griffin, 2018). Notably, cloud-security has been developed to recognize and correct any potential cyber threats before even reaching the AV, while also sending over-the-air updates in real-time (Toews, 2016). Another fundamental necessity in maintaining security is ensuring all necessary parts of AVs are sourced from trusted suppliers (Toews, 2016). For instance, companies like Tesla, Fiat Chrysler, and GM have created “bug bounty” initiatives to reward those who find and report any security weaknesses within their vehicles’ software. This is imperative as it fortifies their future systems against vulnerabilities (Toews, 2016).
With all of these possibilities on the horizon, it is important to note that there are solutions in the works. Law enforcement teams are collaborating with manufacturers and lawmakers to ensure the needs and concerns of police are also considered in the development stages of AVs (Griffin, 2018). Another proposed solution is that companies managing AV cybersecurity ensure trust and responsibility among their employees (e.g., confidentiality) as well as carefully monitoring their employees for potential cases of abuse (see Linkov, Zámečník, Havlíčková, & Pai, 2019). Another level of proactive prevention is to understand the motivations and characteristics of AV attackers; their socialization to rule-breaking behaviour and further possibilities like psychopathy and narcissism (see Linkov, Zámečník, Havlíčková, & Pai, 2019). These methods may need to delve further into intelligence-based techniques such as analyzing online social network profiles in order to understand hackers’ political leaning as well as thoughts on major issues like terrorism, organized crime, and foreign governments (see Linkov, Zámečník, Havlíčková, & Pai, 2019). Ultimately, the goal is to ensure the safety of all citizens and communities by maintaining the highest level of security in all developed connected and autonomous vehicles.
Griffin, M. L. (2018). Steering (or not): Through the social and legal implications of autonomous vehicles. Business, Entrepreneurship & the Law, 11(1), 82-114. Retrieved from https://digitalcommons.pepperdine.edu/jbel/vol11/iss1/4
Hsu, T. (2017, February 8). Cybersecurity concerns about autonomous vehicles spark consumer anxiety. Retrieved from https://www.trucks.com/2017/02/08/cybersecurity-autonomous-vehicles-concerns/
Linkov, V., Zámečník, P., Havlíčková, D., & Pai, C.W. (2019). Human factors in the cybersecurity of autonomous vehicles: Trends in current research. Frontiers in Psychology, 10. doi: 10.3389/fpsyg.2019.00995
Sivak, M. & Schoettle, B. (February 2017). Cybersecurity concerns with self-driving and conventional vehicles.University of Michigan Report. Retrieved from http://umich.edu/~umtriswt/PDF/SWT-2017-3.pdf
Toews, R. (2016, August 25). The biggest threat facing connected autonomous vehicles is cybersecurity. Retrieved from https://techcrunch.com/2016/08/25/the-biggest-threat-facing-connected-autonomous-vehicles-is-cybersecurity/.