Driverless cars are the future of the automotive sector, and promise a major break with today’s driving habits. However, recent events have shown that these vehicles are not immune to cyberattacks.
A significant risk: the Chrysler Jeep and Tesla examples
An autonomous car is, by definition, an online car: it is connected through GPS, through its sensors, and to the Internet via 3G/4G. All these elements are gateways into the car’s system, which is essentially a network of dozens of specialized computers managing various parts of the vehicle. The steering wheel, the brakes, and the accelerator must each be computerized in order for the “brain” of the driverless car to direct them.
The combination of these external connections and the computerization of the driving functions poses real risks. Long considered hypothetical, the vulnerability of driverless cars to attack has been observed in two iconic cases. The first was the Chrysler Jeep case in the summer of 2015. After several years of research, Charlie Miller and Chris Valasek showed how they could remotely kill a production vehicle. In August 2016, they took this further by demonstrating their ability to control the driving functions. The second case hit Tesla in September 2016. Similar to the Jeep incident, a Chinese research team at Tencent managed to intercept a Tesla car and completely take control of it.
The consequences proved serious and resulted in a heavy toll on the manufacturers’ reputations. In addition, Chrysler was forced to institute a costly rectification program and sent a patch via a USB key to millions of affected customers. Tesla, a player more familiar with cyber environments, managed to update its vehicles and correct the fault remotely in the space of ten days. It should be noted that this was an exceptionally short time compared with current norms for connected objects.
A growing sense of awareness
These two demonstrations of vulnerability have raised awareness among the public and vehicle manufacturers regarding the challenges of cybersecurity. Many manufacturers are reinforcing investments and strengthening their capabilities in this respect. Volkswagen, for example, has invested in the creation of the Cymotive company in order to develop cybersecurity for future connected cars. Tesla previously launched a “bug bounty” program, where security researchers are paid based on the number of faults they find on vehicles. This program also helps prevent these vulnerabilities from being sold on the cybercrime black market.
The cyber crash test, or how to choose the right driverless car!
Not all manufacturers are equal when it comes to cyberattack awareness and investments. How can customers ensure they are choosing a car that is “cyber secure”? Today, beyond reading a handful of research papers, there is no simple way to answer this question. It is high time for organizations such as Euro NCAP, which specializes in crash tests, to grasp the nettle and define cybersecurity indicators for a vehicle! A number of simple characteristics could be used to help assess the level of security of each driverless vehicle on the market: for example, the degree of protection fitted to the control functions that use an internet connection, a reliable and non-blocking update capability, and a system that alerts both the driver and manufacturer in the event of an attack.
This could be developed into a star-based system to rate vehicles on cybersecurity, a simple method that would be understood by all. Customers could then make an informed choice and, in the same way as traditional crash tests, such a system would encourage manufacturers to enhance their capabilities when it comes to cybersecurity!