Once again, I was lucky enough to get a chance to sit in on a webinar courtesy of the cybersecurity experts at Kaspersky. This time, the focus was on the imminent spread of driverless cars throughout our society and the cybersecurity threats entailed.
According to the Australian Government, driverless cars will become increasingly prevalent over the next 20 years, and humans will eventually no longer be required to drive cars at all. The benefits of driverless cars (fewer accidents, greater efficiency, greater access and independence for those unable to drive) have been widely touted, but giving computers control of vehicles also comes with some inherent risks.
Senior Security Researcher from Kaspersky ANZ, Noushin Shabab spoke on the cyber threats targeting autonomous cars. She briefly went over the history of autonomous vehicles, which I was surprised to learn dated back all the way to the 1910s.
Noushin then went on to describe a few examples of hacker attacks that have been performed on connected cars.
Speaking about a prototype attack on a Jeep in 2015, Shabab said, “Hackers gained wireless control of the car, with a proof of concept code that could send commands through the Jeep’s entertainment system, to its dashboard functions, steering, brakes and transmission, all from a laptop that could be across the country.”
The idea that essential functions like steering and brakes could be compromised by hackers is quite a stark realisation that reinforces the importance of cybersecurity development for autonomous cars. Noushin pointed out an analysis of connected car apps that were vulnerable to hacking in one way or another.
She went on to describe some other noteworthy hacks on connected cars and finished by saying “These examples have proved that the cars have different vulnerabilities at the moment, but we’ll see what happens.”
The cars hacked in these examples were not autonomous, they were simply cars that were connected to the internet via their electronic systems. The relative ease with which hackers can access and control connected systems in cars should give autonomous car manufacturers some pause.
Business Development Manager at Kaspersky, Evgeniya Ponomareva covered market trends in automotive cybersecurity, an area where Kaspersky is leading the charge.
Evgeniya stated, “As more self-driving cars hit the roads, they attract an increasing amount of attention from cybercriminals, and significantly multiply the danger of hacks.”
Evgeniya explained that modern cars can have over 100 electronic components in them, with autonomous cars having even more elaborate systems. She added that there was a trend in the automotive industry towards a change in the architecture of electronic systems, with high-performance controllers replacing many separate electronic control units and consolidating the technology within the vehicle, with the goal of making it easier to defend against cyber-attacks.
Ponomareva went on to explain that the automotive industry is rethinking cybersecurity along the entire value chain, revealing that industry regulators have also started working on defining the minimum cybersecurity requirements for new cars. She mentioned that until recently, car regulation had been mainly focused on just the physical safety of drivers and passengers.
Evgeniya said, “Now we have a new era of cybersecurity in cars.”
She then explained how the upcoming cybersecurity regulation UNECE WP.29 was setting out the standards for the development of new vehicles. The regulation sets out that, from the initial design phases, cybersecurity threats need to be considered in the creation of a secure vehicle. Evgeniya stated that the regulation advocates for a ‘security-by-design’ philosophy where cybersecurity mechanisms are built into the vehicle from the start, rather than added on later.
Evgeniya then spoke about Kaspersky’s approach to transportation system security, describing a portfolio that engages automotive industry experts in creating an end-to-end service covering a complete connected car ecosystem. She explained that this includes cybersecurity assessments, as well as special dedicated software solutions to protect electronic control units in new vehicles.
Evgeniya also talked about the importance of cybersecurity in the backend, which means protecting infrastructures that support and inform connected cars, including mobile apps. In fact, she mentioned that ridesharing applications could be hacked into to steal credit card information from users.
She summarised, “In this new cybersecurity era, we need to think about the whole ecosystem of connected cars.”
Evgeniya noted that as connected cars become more complex, greater collaboration is needed between all participants in the connected car ecosystem. She added that Kaspersky was collaborating with engineering companies, suppliers of hardware platforms, application developers, and car manufacturers to achieve automotive cybersecurity outcomes.
The guest speaker was race car driver, Vicky Piria. As someone who drives at a professional level, she had some unique insights into the future of connected cars.
Vicky was asked about the continuing appeal of manual driving in a world that’s set to become dominated by autonomous cars. The Kaspersky Ambassador talked about the utility of driverless cars for busy people who could get more done while in transit, such as sending emails or making phone calls.
However, Vicky also said, “Driving is still something that’s enjoyable.”
She added that driving for leisure along a scenic route was still something that people want to be able to do and that society was unlikely to want to give up total control overnight.
Whether or not more people would head to tracks to experience manual drive, Piria adds,
“I can imagine people going to a track to experiencing driving with a real engine, but I don’t think we’ll get to a stage soon where people don’t even get driving licenses.”
Vicky also mentioned that autonomous cars are beginning to enter the racing scene, where the skill of engineers and programmers is tested rather than human drivers, something that I was surprised to hear about.
Looking into the future of connected cars, here are some of my key takeaways:
- Connected cars are inherently vulnerable to cyber-attacks, and these attacks can endanger drivers physically in ways that computer hacks can’t (such as remotely controlling the engine or steering).
- Industry leaders are getting ahead of these vulnerabilities and collaborating with car manufacturers and other stakeholders to protect connected cars with a mix of advanced hardware and software solutions.
- Regulatory standards are crucial in ensuring that cybersecurity is built into new cars from the ground up, rather than added on later, i.e. ‘security-by-design’.
- Educating users on best-practise cybersecurity habits is just as important for connected cars as it is for today’s computers and mobile devices.
- While autonomous cars have a lot of utility in terms of optimising society, the enjoyment of driving for sports/recreation won’t disappear anytime soon.