By Belton Zeigler
Driverless cars and driver-assist systems are poised to change transportation as profoundly and as quickly as the internet has changed shopping and communications. Examples of the first wave of this technology that are on the road now include adaptive cruise control, front crash avoidance, and lane assist systems. When fully implemented, the Automated Vehicle (AV) technology promises to do the following:
- Slash highway deaths and injuries
- Eliminate most fender benders
- Allow interconnected vehicles to flow at top speeds on congested highways
- Expand transportation options for the disabled and elderly
- Eventually replace car ownership with fleets of self-driving cars that come when we call and take us wherever we like.
All indications are that this future is coming at us much more quickly than seemed possible before now. But there is a looming pothole – cybersecurity.
The Cyber Perils of Driverless Cars
In many ways, the digital vehicle is here already. The more advanced cars on the road today employ about 100 million lines of computer code. That code directs more than 100 electronic control devices that run the car. Today’s automobiles are in a sense computers with seats and an engine.
The computer code that runs our cars can hide the sort of malware that lets criminal seize cars and hold them hostage, just as ransomware now does to an innocent victim’s computer controls and data. Imagine malware turning your car into an unresponsive brick on a hot August afternoon in a parking lot far from home. What would you pay to get it back running? And how quickly?
One day, automobile-based malware could allow criminals, terrorists, or hostile governments – known in the cyber world as “threat actors” – to take active control of your car and use it for whatever they want.
White-hat hackers, the ethical hackers who demonstrate what is possible so the good guys can fix problems before disaster strikes, showed in 2014 that it was possible to hack a passenger car and remotely engage the brakes while it was traveling down the road. That particular security flaw was quickly fixed. But what if terrorists or other threat actors could control all of the systems in a hacked car from thousands of miles away? What would a terrorist do with that capability?
Or what if cybercriminals or hostile governments could simply shut down a significant portion of the cars on the road during rush hour in a major city? How would we respond?
AV technology creates chilling opportunities for new forms of crime, terrorism, and cyberwarfare.
Introducing Malware into Automotive Systems
How would malware get into digital vehicles?
Through Original Equipment
The computer code that will drive the AV revolution will come from tech companies, parts suppliers, and mapping and sensor companies from around the world, many from China and Europe. Malware of a mysterious origin has on occasion been found factory loaded in the operating code of consumer goods like thumb drives and cellphones. Malware in an insignificant place – in the controls of the seat warmers, for example – can be configured to commandeer the car’s internet or Bluetooth connection and download a full control kit from a distant server.
There are now multiple ways cars connect with the outside world digitally. Each is a potential pathway for malware, including the following:
- The internet connection that enables the navigation system to function
- The Bluetooth interface that connects your phone to the car’s infotainment system
- The diagnostic ports through which your mechanic can access the car’s on-board computer
- The USB ports that allow you to plug in thumb drives with song lists
Through V2V Networks
Eventually, cars will be connected to each other through vehicle-to-vehicle (V2V) networks. Cars within about 1,000 feet of each other will create an ad hoc wireless network to signal each other about their speed and direction, stops and turns, road conditions, and unseen dangers. In March 2017, Cadillac put the first such cars on the road. For now, they can only communicate with their sister Cadillacs.
But in the future, most cars on the road will wirelessly connect to nearby cars. If security flaws allow it, threat actors can exploit V2V networks to push out malware or to spread havoc on the road directly.
Meeting the Challenges
But there is good news. The automobile industry is well-financed and technologically sophisticated. It has operated for decades under intense safety regulation and has firsthand knowledge of what it costs to ignore safety flaws. A major cyber incident could damage public acceptance of the new AV technology the industry is investing in heavily. The auto industry has every reason to get vehicle cybersecurity right.
Congress is in the early stages of writing the rules of the road for auto cybersecurity. This September, the House of Representatives passed the Self Drive Act. It enables rollout of the next phase of AV technology and handles cybersecurity with a light touch, requiring only that manufacturers develop cybersecurity plans to mitigate threats and establish best practices.
And there are success stories. A number of highly interconnected systems in the United States – the telecommunications system, the banking system, and the electric grid – have so far avoided major cybersecurity catastrophes. In one particularly attractive potential model, industry councils set standards that federal regulators adopt and enforce. This approach could ensure consistency of cyber protection while maximizing the industry’s flexibility and responsiveness.
In the meantime, the auto industry has formed an Internet Security Information Sharing and Analysis Center (ISAC) to share research, best practices, and real-time threat information. For obvious reasons, much of what the industry is doing behind the scenes is not being discussed publicly, but it appears that a good deal of work is being done.
The automobile industry has the opportunity to reinvent personal transportation in this country and change our lives profoundly for the better. The effort faces many challenges, and none may be more important than the cybersecurity challenge. Charles de Gaulle once said, “Only peril can bring the French together. One can’t impose unity out of the blue on a country that has 265 different kinds of cheese.” I suspect the same might be said of the auto industry; it has recognized a common peril, and we will all get to see how the various players in the industry come together to face it.
Belton Zeigler, a partner with Womble Bond Dickinson, has a South Carolina-based practice in cybersecurity, utility, environmental, and energy law. He is a senior member of the firm’s data management and cybersecurity team. Connect with Belton at linkedin.com/in/beltonzeigler.