Why autonomous vehicles are risky business

Autonomous vehicles have the potential to reduce accidents — but the consequences of lax​ security could be dire

Autonomous vehicles used to be fictional concepts in movies. These days, thanks to the likes of Tesla and Google, there are several autonomous vehicle pilot schemes already underway.

Australia’s transport ministers are currently preparing for a 2020 rollout of autonomous vehicles, which are expected to become everyday modes of transport across various sectors: automotive, aerospace, maritime, and rail.

The NSW government has officially named Coffs Harbour and Armidale as the hosts of the state’s regional trials of connected and autonomous vehicles (CAVs) as it continues to endorse driverless technology.

Much of the push toward autonomous vehicles has been backed by the hope they will reduce the number of accidents and therefore fatalities. However, before we can sit back, relax and let the vehicles do the steering, we must consider the potential risks and dangers.

The modern vehicle has become increasingly computerised and connected. Occupants are now able to listen to audio and watch video from a variety of local and remote sources, make and receive phone calls, use satellite navigation, receive live traffic data and even access the internet. Several computers also sit within most cars, which have been designed to control specific vehicle functions such as steering, braking and accelerating.

Previously, these systems were not able to connect to the outside world, only to each other – but more and more new interfaces feature types of connectivity such as Wi-Fi or Bluetooth and/or a telematic solution.

While these new features pose clear benefits, the connected relationships of different systems, services and networks also broaden the scope for cyber criminals to remotely compromise and attack an autonomous vehicle. The day this happens, the threat to public safety could be severe and the consequences disastrous.

For example, if a cybercriminal sends a corrupt image via digital radio, he/she could trigger the vehicle’s vulnerabilities and potentially gain complete control. Or, a rogue radio broadcast could hijack a popular frequency and infect vehicles in the vicinity with malicious data. An area in Sydney, for example, containing multiple affected vehicles at the same time could be brought to a complete standstill.

Newer vehicles also rely more heavily on sensor technologies like radar, camera sensors and ultra-sonic system. These sensors receive and process data about the vehicle’s surrounding environment to ensure it maintains its correct position and does not cause an accident.

However, these sensors are also highly vulnerable to manipulation. For instance, a typical radar system in a car might automatically steer away if it pre-empts a collision with an object – but if the system was compromised and ‘taught’ the opposite action, the safety implications would be very serious.

As the industry continues to evolve and we move towards autonomous vehicles being manufactured from the ground up, these vehicles must be engineered with security in mind from the design phase right through to production. Security should be designed on the assumption that every avenue is an opportunity for a cyber-attack.

Manufacturing should start with a design review, followed by the integration of all security features into the vehicle design and build process. When the vehicle is developed, it must be put through post-information security tests to discover and detect any implementation flaws or incorrectly built features.

Beyond the development lifecycle, manufacturers must also implement an incident response plan. It’s not possible to completely eradicate security vulnerabilities, no matter how much effort goes in to identifying them – as cybercriminals will consistently create new, opportunistic ways to carry out an attack.

In the event an incident does occur or when security flaws are discovered, manufacturers must have a process to respond and patch vulnerable software. More mature organisations should have a team that continuously identify, monitor, respond, and resolve security incidents. Like software on workstations and servers today, it’s important that vehicle updates can be carried out quickly and efficiently, ideally without having to visit a manufacture’s specially equipped garage.

While autonomous vehicles promise an exciting and transformative way of travelling, government and businesses have much more work to do to ensure these connected systems and their associated infrastructure cannot be exploited with malicious intent.

Tim Dillon is director of technical consulting, APAC at NCC Group. NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand against the ever-changing threat landscape. NCC Group’s Transport practice performs security testing for numerous leading brands around the world.