For science fiction and fast-and-furious fans, it’s old hat: fleets of vehicles out of control paralysing a city and injuring people. Unfortunately, it is no longer fiction: two hacks show how great the danger is for autonomous vehicles and what car manufacturers can and must do. A guest article by Cristian Ion in the current eMove360° magazine in german language(download PDF).
There was something going on: On 1 September, more than 50 taxis in Moscow caused a veritable traffic jam because unknown persons hacked the taxi app Yandex and sent tens of taxis to the Fili District on Kutuzovsky Prospekt. After an hour, the spook was over, also because there are currently still people driving the taxis. It is reminiscent of the incident in San Francisco at the end of June, where 30 driverless taxis from the Cruise company gathered at an intersection and stopped service. This caused chaos and traffic jams for hours.
The two examples show that attacks on autonomous vehicles are a worthwhile target for hackers: To steal vehicles, cause accidents and damage the reputation of the operator or manufacturer, seize cargo or disrupt targeted logistics transports. Even operations in war or terror scenarios are conceivable. At Uber, the death of a cyclist (who was run over by an autonomous prototype) four years ago led to the termination of all development activities. In this case, a software error (and not an attack) was the cause, but the loss of reputation resulted in an investment loss of several hundred million dollars.
IT security is one of the core functionalities in cars
Car manufacturers and suppliers are therefore well advised to protect all vehicles (not just autonomous ones) against risks arising from the increasingly complex infrastructure for connected vehicles and smart mobility. Currently, this is not yet the case. To do this, an intrusion detection system (IDS) would have to detect any electronic and electrical intrusions into the vehicle – especially important for cars without a driver: here, the autonomous vehicle itself must detect whether attackers have modified it and manipulated sensors or even sensor feedbacks physically or remotely.
In smart city environments, vehicles will in future permanently exchange encrypted data with many actors (traffic lights, other road users, fleet control centres) and evaluate whether these are or could be correct. In addition, there will be (encrypted) communication with all onboard sensors and components.
Software skills indispensable
This requires high computing capacities, specialised AI chips, cybersecurity know-how and comprehensive security strategies. This list of criteria alone makes it clear that this requires highly developed software skills, which are often not available at the necessary maturity level at car manufacturers. Automotive companies must therefore rely on partners like Cymotive, who as VW’s cyber partner since 2016 have built up both automotive know-how and specialised cybersecurity skills, and are also familiar with the legal IT security frameworks in all major automotive regions of the world. They can accompany and support vehicle manufacturers from planning, project planning, roll-out to end-of-life of vehicles.
Those who take IT security for (autonomous) vehicles lightly are taking high risks, which (as with Uber) can lead to high losses. Only manufacturers with a “security-by-design” approach that considers all eventualities, has effective risk minimisation in mind and uses up-to-date security software will be successful in the long run. www.cymotive.com/de.
About the author: Cristian Ion is an IT expert in automotive and application security. After studying computer science, industrial engineering and cyber security, he gained over 20 years of experience developing security architectures and applications for DAX companies. Since 2017, he has been Head of Secure Engineering at CYMOTIVE Technologies, leading an accomplished team of security experts, risk managers and security architecture and penetration testers. His areas of expertise include the security of driver assistance systems and autonomous driving functions, but also topics such as e-mobility and the security architecture in the vehicle and backend.