David Emm, a principal security researcher at Kaspersky Lab, outlines the threats and opportunities presented by autonomous driving
The Department for Transport in the UK recently announced that it wants to see fully autonomous cars tested on the country’s roads by 2021. Astonishingly, this expectation was set out after several fatal crashes in Arizona.
The communications infrastructure used in cars today (known as a Controller Area Network) was designed back in the 1980s. It was developed for exchanging information between different micro controllers. Essentially, what we have is a peer-to-peer network – and an old one, at that.
The main issue here is that these networks weren’t built with security in mind, as it was not a key concern back then. As time has gone on, modern-day functionality has been layered on top of existing functions, all connected to the CAN. This means that the CAN has no access to control or security features, but instead, gives criminals access to cars.
While no real-world hacks have been carried out in this way, it has been proven possible. For example, in 2015 two researchers and a journalist were able to use wireless technology to drive a Jeep Cherokee off the road. As a result of this flaw, half a million cars were recalled.
This is an example of emerging technologies being layered on top of old infrastructure, without fully considering the security implications.
Potential security issues don’t just lie in the underlying communications network of the car itself. There’s also the possibility of an attacker accessing a driver’s smartphone and hijacking any apps they use to control functions on the car – for example, to lock and unlock it.
Following the fatal incident in Arizona last year, it was predicted that it would be many years before autonomous cars replaced human drivers. The reality is, I don’t think driverless cars will or should ever replace human drivers in the way that we currently think, which is that nearly everyone will continue to drive a private car, but it will be self-driving.
However, the issue of how we implement the technology is something for society to ultimately decide – whether this takes the form of private vehicles, or a coordinated public transportation system – but I do not believe either should remove the human aspect of vehicles.
I think people are becoming more apprehensive when it comes to driverless cars, where safety is paramount, and rightly so. Historically, driving has been an aspect of life where human control has been essential, so the idea of watching a film, or sleeping, while a car transports us, feels understandably ‘wrong’ to many people.
There are various levels of autonomy with self-driving cars – ranging from add-on features such as parking assistance through to completely driverless cars. A grey area lies between the two, where the driver has very little to do, but has responsibility for the vehicle and might need to take control at some point. In the latter scenario, there’s a danger that the driver may switch off because they don’t feel required to be in full control and might, as a result, be unable to regain control in an emergency.
Driverless car fatalities have shown that there is a very real danger with autonomous vehicles, and it is therefore reasonable to question whether it is wise to resume the use of them so quickly after the incident in Arizona.
There are real safety concerns about pedestrian and driver safety – as recent stories surrounding autonomous car testing have demonstrated, which society needs to tackle before driverless cars are launched.
There’s also a moral or ethical issue to consider. Automotive journalist Christian Wolmar raised the issue of ‘the Holborn problem’: if driverless cars are programmed to stop when they sense a pedestrian, what happens when they are confronted with a mass of people milling across a busy road? Will they wait all day? Or will they programmed to operate with a lower safety bar? Or if the car is given the chance to choose to avoid hurting pedestrians or the passenger in the car in the lead-up to an accident, how and who will it choose? A car isn’t able to make moral decisions on its own.
Ethics aside, in terms of cybersecurity, it is important to remember that nothing can be 100% secure. Just like housework, security is never ‘done’ – you need to continually repeat the process of vacuuming and dusting as the dirt will be back next week.
This same logic applies to securing the increasingly advanced technology in modern cars. There are still many unanswered questions and unconsidered scenarios, which we need to resolve before we can even start to consider loosening the reigns on bringing autonomous cars to our roads.