The Department for Transport recently claimed it wants to see fully autonomous cars tested on UK roads by 2021. Astonishingly, this expectation was set out after several fatal crashes in Arizona, writes David Emm, Principal Security Researcher at Kaspersky Lab.
The communications infrastructure used in cars today (known as a Controller Area Network) was designed back in the 80s. It was developed for exchanging information between different micro controllers. Essentially, what we have is a peer-to-peer network – and an old one at that.
The main issue here, is that these networks weren’t built with security in mind, as it was not a key concern back then. As time has gone on, modern-day functionality has been layered on top of existing functions, all connected to the CAN. This gives it no access control or security features, but instead, leaves access to cars potentially open to criminals.
While there are no real-world hacks that have been executed this way, it has been proven possible. For example, in 2015 two researchers and a journalist were able to use wireless technology to drive a Jeep Cherokee off the road. As a result of this flaw, half a million cars were recalled.
It is an example of emerging technologies being layered on top of old infrastructure, without fully considering the security implications.
Potential security issues don’t just lie in the underlying communications network of the car itself. There’s also the possibility of an attacker infecting a driver’s smartphone and hijacking any apps they use to control functions on the car – for example, to lock and unlock it.
Who Needs Humans?
Following the fatal incident in Arizona last year, it was predicted that it would be many years until autonomous cars replace human drivers. The reality is, I don’t think driverless cars will or should ever replace human drivers in the way that we think of them doing so now; where nearly everyone will continue to drive a private car, but it will be self-driving. However, the issue of how we implement the technology is something for society to ultimately decide – whether this takes the form of private vehicles, or a co-ordinated public transport system – but I do not believe either should remove the human aspect of vehicles.
I think people are becoming more apprehensive when it comes to driverless cars, where safety is paramount, and rightly so. Historically, driving has always been an aspect of life where human control has been essential, so the idea of watching a film, or sleeping, while a car transports us, feels understandably ‘wrong’ to many people.
There are various levels of autonomy with self-driving cars – ranging from add-on features such as parking assistance through to completely driverless cars. A ‘grey area’ lies between the two, where the driver has very little to do, but has responsibility for the vehicle and might need to take control at some point. In the latter scenario there’s a danger that the driver may switch off because they don’t feel required to be in full control and might therefore be unable to regain control in an emergency.
Driverless car fatalities have shown that there is a very real danger with autonomous vehicles, and it is therefore reasonable to question whether it is wise to resume the use of them so quickly after the incident.
Safety First?
There are real safety concerns about pedestrian and driver safety – as recent stories surrounding autonomous car testing have demonstrated, which society needs to tackle before driverless cars are launched.
There’s also a moral or ethical issue to consider. Christian Wolmar raised the issue of ‘the Holborn problem’: if driverless cars are programmed to stop when they sense a pedestrian, what happens when they are confronted with a mass of people milling across a busy road? Will they wait all day? Or will we be programmed to operate with a lower safety bar? Or if the car is given the chance to choose to avoid hurting pedestrians or the passenger in the car in the lead up to an accident, how and who will it choose? A car isn’t able to make moral-based decisions on its own.
Ethics aside, in terms of cybersecurity, it is important to remember that noting can be 100% secure. Just like housework, security is never ‘done’ – you need to continually repeat the process of vacuuming and dusting as the dirt will be back next week. This same logic applies to securing the increasingly advanced technology in modern cars. There are still many unanswered questions and unconsidered scenarios, which we need to ascertain before we can even start to consider loosening the reigns on bringing autonomous cars to our roads.