AVs and cyber security inseparable, says software developer

Autonomous vehicles may present more risks than benefits if developed without cyber security in mind. As Green Hills Software’s Dan Mender tells Freddie Holmes, what use is there in an autonomous vehicle that can be hacked?

Every year, groups of skilled hackers pick apart the cyber vulnerabilities of various products on the market, from smartphones and connected cars to domestic appliances and online streaming services. The idea is to find weaknesses in design and flaunt them to the manufacturer, occasionally for reward, before ultimately presenting the findings to audiences at dedicated conferences such as DEF CON and Black Hat in Las Vegas. Incidentally, the city is also home to CES, the world’s largest annual consumer electronics conference.

Automated vehicles remain a popular target, with the potential to control how – and where – a vehicle moves of much interest to hackers around the world. Tesla, given its capabilities both in terms of connectivity and autonomous driving, has fallen prey to trophy hunting over the last few years, first with the Model S, and more recently with the Model X. Other OEMs such as Mitsubishi and Nissan – the former now owned by the latter – have also been targeted, with steering, braking and private vehicle data being compromised.

While all of these activities have been carried out as research scenarios, they raise the question of whether the industry is up to the challenge of keeping hackers at bay. The relationship between cyber security and automated driving continues to strengthen as a result, with vehicle manufacturers scrambling to ensure their vehicles are not subject to a malicious attack in future.

As Dan Mender, Vice President of Business Development at Green Hills Software, tells Megatrends, cyber security is a core aspect of making an autonomous vehicle viable. “There is a core tenet tied to autonomous vehicles where you can’t have safety without security,” he explains. “This is really what an autonomous vehicle needs – you can’t have one without the other, you need to have both.”

In essence, Mender points to the fact that while a vehicle’s software may be extremely effective at detecting potentially dangerous scenarios on the road and avoiding them, this means nothing if the vehicle can then be hacked and controlled remotely. “One of the major challenges is going to be stopping people from being able to hack in and take over control of the vehicle,” he elaborates. “That is something we have been discussing for the last five to seven years, and now it is becoming a more commonplace topic in many different circles.”

If not now, when?

Megatrends spoke to Mender back in April 2015 at a time when in-vehicle infotainment (IVI) systems were being targeted by hackers. For OEMs, he said then, it was not a case of ‘if’ the connected and autonomous car will get hacked, but ‘when’ it will get hacked, and how severe the consequences will be. More than two years later, the automotive cyber security landscape has unfolded just as Mender expected it would: more hacks, and of increasing complexity. “Just recently, there was another Tesla hack where researchers were able to take over the brakes, open doors, and do certain other things to the car,” he observes.

Mender refers to the second round of attacks presented by a Chinese research group in July 2017, which exposed gaps in the on-board Wi-Fi and 3G connectivity systems of a Model S. The team had previously exploited cyber security vulnerabilities in this car a year earlier, and managed to gain remote access while the driver searched for nearby charging stations. The touchscreen was disabled, brakes controlled remotely and windscreen wipers disabled whilst driving through heavy rainfall.

“If we don’t get the cyber security aspect right, and built in from the beginning, there will be chaos when it comes to autonomous vehicles,” affirms Mender. As the autonomous fleet grows in future, he suggests there will be two main forms of cyber attacks on vehicles: those that are dangerous, and those that are inconvenient. While both are motivated by monetary gain, the former will have malicious intent to cause harm.

“Somebody may want to cause harm by taking over a fleet of vehicles, and people’s lives will be at risk,” he says. “They are doing it for financial gain, to a company and ask for a ransom, and we are already seeing more of that happen in other industries.” For example, the recent ‘WannaCry’ cyber attack that began in June 2017 held various global organisations – including national medical and transport services – to a reported US$300 (€254) ransom per targeted user.

“We are going to start seeing that kind of thing with the automotive industry,” suggests Mender. “Once there is a larger target base, you will start to see things that are very malicious, and these people will be looking for a ransom – be it for financial gain, or even political gain.”

No room to cut corners

In various languages, there is often a single term for both safety and security. For the autonomous car, however, there are distinct differences between the two terms and the industry needs to ensure that both needs are met.

There have been calls for the industry to slow the rollout of autonomous vehicles until cyber security standards have caught up with advances in autonomous driving capabilities. However, Mender suggests that this is likely to happen naturally, without regulatory intervention.

“I believe there is a false impression about how far the technology for autonomous vehicles has progressed. These vehicles have been tested in a very managed and contained way with people in the car as a fall-back,” he observes. “The current systems on the road today are not built for production, they are proof of concept vehicles, and many companies have not thought about the necessary approach for security.”

Creating an autonomous vehicle that works is completely different to developing a driverless car that cannot be hacked, and in the pursuit of launching the first mass-produced fully autonomous vehicle, Mender warns that some companies are likely to cut corners. “They will do so because they can, due to gaps in regulation,” he concludes. “In order to be first, people will work to ‘best practices’ and everyone will feel better – until the system gets hacked, vehicles crash, and people die.”

This article appeared in the Q3 2017 issue of Automotive Megatrends Magazine.