Cybersecurity in Autonomous Vehicles
Photo Credit: Cubicle Telecom


Can you imagine the vehicle of the future: one with no steering wheel and no pedals for acceleration or braking, one that you do not drive? The vehicle of the future is a big computer on wheels with enough room for a few people to sit. The occupants could sleep, rest or hold official meetings. Would it be safer? Would it make your day more productive? As you read through this article, you can assume that your grandkids will never need a driver’s license, because they will not be driving any vehicle.

I am exploring the ramifications of autonomous driving in the IT infrastructure space, as this involves Interconnected Vehicles, Vehicle Automation, Internet of Things, Machine Learning, Big Data and Shared Economy. This opens a Pandora’s box of increasing attack surfaces for the vehicles of the future, and the possibility that your next car can be hacked. Almost every automobile company has reported a hacking or cyber theft incident in the past 15 years. In 2015, one of the major reasons GM recalled 2.7 million Jeeps was that a hacker walked up to the vehicle on the road, let himself inside, took control of the steering wheel, started the vehicle and drove away as the new owner of the Jeep. And the ordeal was recorded on camera.

Apart from major automobile companies (including General Motors, Ford, Tesla, Toyota), several other companies like Waymo, Cruise, TuSimple, and Aurora are already testing driverless technology on public roads in the U.S., with some companies expecting to be fully driverless as early as 2024.

When Tesla became the largest automobile company, with a $980 billion market capitalization despite selling fewer than a million vehicles, compared with Toyota, the second-biggest automobile company, which sold 10 million vehicles and had a market capitalization of $200 billion, a barrage of bear traders across the world wanted to short the stock. The valuations and metrics of its automobile peers (including vehicle sales, market capitalization, profitability, dividends, production costs, etc.) were comparable with each other but miles apart from Tesla’s. This is because Tesla should not be considered an automobile company. It’s a Big Data and Artificial Intelligence company.

Every time a Tesla drives on the road, it uploads all the information that it has gathered per kilometer: the road dimensions, sidewalk dimensions, number of intersections, number of lanes, number of pedestrians crossing at the time, speed breakers, the thickness of the tar (asphalt) on the road, demographics of other car owners, traffic, nearest health center, charging stations, weather, natural lighting, streetlights, nearby cameras, cellular service in the area, other Tesla cars in the neighborhood and the possibility of interconnecting with other Tesla cars. This gets better when the second Tesla car drives on the same stretch of road, just like any algorithm. And this is the bedrock of mapping for autonomous vehicle driving.

Today’s car has more computing power than was on board the Apollo 11 spaceship that went to the moon. The average car today has 40 different computers, and high-end cars have as many as 100, and they’re accompanied by 100 different electronic sensors. And it’s not just the hardware that’s ballooned, but the software too. Apollo 11 had 145,000 lines of computer code, but cars today can have more than 100 million.

What are these computers doing? Referred to as ECUs, short for Electronic Control Units, they run most of the functions of your vehicle. The biggest coordinates all aspects of a car’s engine, from the fuel injection rate to the ignition, throttle, timing, emissions, and cooling. Others monitor the anti-lock brakes, traction control, stability control, air bags, the windshield wipers, headlamps, and air conditioning. Then there are those that run the navigation system, music system, mobile phones, digital dashboard displays and, more recently, the driver assist systems.

Cyber threats to Autonomous Vehicles

  • Ransomware – Generally affects car manufacturers and Original Equipment Manufacturers (OEMs), along with attacks on the supply chain for Tier 1 and Tier 2 dealer networks and maintenance dealer networks. On average, there are 10,000 suppliers for each vehicle. How easy could it be for one of those suppliers to have compromised IT security?
  • Engine Control Units – Attackers could use ECUs (including the Engine ECM, Powertrain PCM, Suspension SCM, and Vehicle Safety ECU) to obtain access to the vehicle’s internal system.
  • Cloud Service Providers – Insurance services, driving records,
  • Denial of Service Attacks – Wheel Jamming, IoT endpoints on the wheels, brake systems
  • Remote Hacking – Wireless Carjacking, Key Fob cloning
  • Attack on IoT devices – GPS jamming, Bluetooth jamming, external sensors, entertainment devices

For many automobile and transportation companies, ransomware attacks have already happened. Upstream Security's report mentions a ransomware attack on the Australian transportation company Toll Group, which affected 1000 servers and 40,000 employees. And Honda was forced to stop production in June 2020 due to ransomware attacks on plants in Europe and Japan.

Given that new threats are constantly emerging, we have seen susceptibilities all the way along the supply chain. There has been some Intellectual Property theft from Industrial Research and Development groups, hacks into manufacturing operations, customer data theft and even the electrical charging networks are susceptible.

Andromeda Risk Consulting recommends three ways automakers can build secure vehicles. First, security must be part of the design of every component, bringing all suppliers onto one robust IT platform. Second, there needs to be a multi-layered cybersecurity solution that involves in-vehicle, IT network, and cloud security defenses. Third, automakers need to develop vehicle security operations centers to monitor, detect, and quickly respond to cyber incidents to protect vehicles, services, fleets, and road users.

Believing that a cyberattack will never happen is the easiest and least expensive path for any company. History has shown that attacks have happened to everyone. Threat modeling, assessments and audits are wise investments that help keep attempts from turning into realized threats to a business or a life. Any hubris is false overconfidence.


------ Natarajan Karri




Sean R. Bouchard

CEO @ XenonCyber Dynamics - Guiding Resiliency and Growth in Operational Technology Deployments.

2 years ago

Your reference to Apollo 11 caught my eye. I agree that all modern devices have more computing power but the AGC (Apollo Guidance Computer) was a purpose-built real-time computer, similar to the variety of ECMs in modern mobile (land and air) based vehicles but with the OS basically hard-coded (wired). I'm on the OT side... so my question to you Natarajan Karri from an IT perspective is... how do we differentiate between the priorities of the different systems in these new vehicles (i.e. consequence vs. convenience?) when they are so highly interconnected? As we see with recent cyber-threats, a compromise in the IT side can migrate to interconnected (and likely real-time critical) OT systems.
