By: Hugh Shepherd
January 28, 2021
Cybersecurity in Connected Autonomous Vehicles
By: Hugh Shepherd
January 28, 2021
Autonomous vehicles (AV) are becoming mainstream in our society. Globally there's an ongoing development and testing of autonomous vehicles in several countries, setting the stage for widespread adoption of self-driving cars.
It is projected that, by 2025, there will be 8 million autonomous or semi-autonomous vehicles on the road, and by 2030, more than 18 million. The estimated autonomous vehicle market is $54 billion, with an anticipated tenfold increase over the next 5–7 years.
When it comes to safety on the roads, autonomous vehicles can play a significant role in saving lives and preventing injury. Human error is the cause of 94% of serious crashes. By removing the "human factor" in driving, autonomous vehicles may have huge safety benefits. Overall, the emergence of autonomous vehicles presents an exciting and promising future.
However, the high level of interconnectivity and technical complexity of autonomous vehicles exposes them to numerous potential threats. Furthermore, these vehicles share sensitive data to help improve traffic conditions and increase safety. All these attributes make autonomous vehicles extremely attractive targets for cyber-attacks.
Autonomous Vehicles Briefly Explained
Autonomous vehicles are a complex combination of sensors, algorithms, automotive systems, infrastructure, and high-speed communications seamlessly interacting to make decisions in milliseconds to navigate the car from point A to point B safely.
SAE International (Society of Automotive Engineers) defines six levels of driving automation. The US Department of Transportation has also adopted these SAE levels. Below are brief descriptions of each level.
- Level 0 – No automation; all major systems are human-controlled.
- Level 1 – Includes automated systems, such as cruise control or automatic braking.
- Level 2 - Partial driving automation, but human intervention is still needed.
- Level 3 – Conditional automation and environmental detection; human override still necessary.
- Level 4 – Officially driverless vehicles. Can operate in self-driving mode in limited areas and speeds, but legislative and infrastructure limitations restrict full adoption of these vehicles.
- Level 5 – Full vehicle autonomy; no legislative or infrastructure restrictions limitations and no human interaction required. Testing of fully autonomous vehicles is currently ongoing in several markets globally; however, none are currently available for the public yet.
There are various designs for autonomous vehicles, but the most common components normally include advanced software enabling artificial intelligence, navigation systems, advanced driver assistance system (ADAS) sensors, cameras, radar, and LIDAR (Light Detection and Ranging). Additional supporting infrastructure includes:
- Wi-Fi networks.
- Roadside computing units.
- Vehicular cloud services.
- Dedicated short-range communications (DSRC).
- Vehicle-to-vehicle (V2V).
- Vehicle-to-infrastructure (V2I).
- Other vehicle-to-everything (V2X) systems.
Without even going in-depth on the various technologies, the level of complexity of autonomous vehicles is clear. Unfortunately, a high level of complexity brings an increased level of risks. This makes autonomous vehicles very tempting targets for hackers.
AV Cyber Security Concerns
The widespread adoption of self-driving interconnected vehicles is a huge technological advancement. However, security and privacy concerns are a significant drawback to widespread adoption. There are security concerns about a hacker taking control of the vehicle/supporting infrastructure and/or theft of an individual's data.
A malicious actor can potentially exploit numerous vulnerable points to cause misdeeds. Gaining access to even the most mundane control unit, such as the entertainment system, will enable a hacker to pretty much access any part of the vehicle. To raise awareness, security researchers have conducted demonstrations to show how vulnerable autonomous vehicles are:
2015 – Ethical hackers demonstrated how they could hack a 2014 Jeep Cherokee (Level 2 vehicle) to control it from their homes remotely. Furthermore, they discovered over 2500 other vehicles contained the same vulnerability.
2017 and 2018 – Researchers hacked into several different Tesla models.
2019 – An anonymous hacker cracked over 7,000 iTrack accounts and over 20,000 Protrack accounts to track commercial fleets via GPS. This enabled the hacker to track vehicles in several different countries, shut down the engines, and access user information.
2019 – Ethical hackers accessed a Tesla Model 3 computer in only a few minutes by hacking into the vehicle's onboard entertainment system browser.
2020- The same researchers that hacked the Tesla vehicles successfully installed malicious code in a Lexus NX300.
Due to AV complexity, innovative measures must be taken to protect autonomous vehicles from cyberattacks. How to improve the security posture of autonomous vehicles?
Securing Autonomous Vehicles
Like other connected devices on a network, some of the common attack vectors of autonomous vehicles include man-in-the-middle (MitM), side-channel, denial-of-service (DoS), unauthorized software modifications, and compromised privacy, among other threats. A well thought-out end-to-end approach to cybersecurity is necessary due to the complexity of the autonomous vehicle ecosystem and people's safety concerns.
In addition to fundamental vulnerability mitigations (e.g., authentication/authorization, encryption, data integrity, etc.), techniques specifically developed for autonomous vehicles are necessary. Based on research and guidance provided by the National Highway Traffic Safety Administration (NHTSA), the Institute of Electrical and Electronics Engineers (IEEE), and Physics World Magazine, the following list contains ten recommendations for protecting autonomous vehicles:
- Change default passwords and use complex passwords.
- Deploy smaller network segments for connected vehicles instead of one large flat network.
- Ensure software is regularly updated and patched.
- Implement security by design in the applications developed for vehicles.
- Limit usage of GPS; enable it only when needed.
- Vehicle owners need to be familiar with their cars to identify issues better.
- Develop and deploy Vehicle-to-Vehicle Public Key Infrastructure (V2V PKI) specifically designed to meet autonomous vehicles' complex security and privacy needs.
- Leverage standards and frameworks like the Automotive Secure Development Lifecycle (ASDL), V2V Communication Security System Design (DOT HS 812 014), Information Security Management (ISO 27001), risk management (RMF), and/or threat modeling (STRIDE).
- Build-in defense-in-depth by addressing the security concerns at the three layers of AV architecture: Layer 1 – In-vehicle Security: ECU (Engine Control Unit), CAN (Controller Area Network), OBDs (Onboard Devices), Sensors, Phone-to-Car Layer 2 – Vehicle Communication Security – V2V, V2I, V2Person Layer 3 – ITS Infrastructure Security: Vehicular cloud, Data analytics, Data storage.
- Participate in training and education on autonomous vehicle technology for both cybersecurity professionals and consumers.
Since the first solid-state circuit boards were installed into cars, the inevitable union/integration of automobiles and information technology was set into motion. From those early days of basic On-Board Diagnostics (OBD) systems, we have gradually evolved to the cusp of widespread autonomous vehicle adoption globally. Nevertheless, safety and security concerns are paramount. These concerns must be properly addressed and managed for autonomous vehicle adoption to be successful.
In short, the three key areas for enabling safe and secure autonomous vehicle adoption are:
- Fundamental – Basic cybersecurity techniques are foundational to a cybersecurity program.
- Repeatable – Use of standards and frameworks to support consistent and repeatable deployments.
- Innovative – Develop new technologies and methodologies to address security needs in a dynamic AV ecosystem.
Having knowledge and skills in multiple disciplines is necessary to deal with the complexities of autonomous vehicles. Cybrary is a go-to source to provide technical training in numerous areas related to autonomous vehicles and their supporting infrastructure. Some of these related courses and topics include:
- Cloud Architecture Foundations
- Infrastructure Security
- Fundamentals of Cybersecurity Architecture
- ISO 27001:2013 - Information Security Management Systems
- Penetration Testing and Ethical Hacking
25 Astonishing Self-Driving Car Statistics for 2020 https://policyadvice.net/insurance/insights/self-driving-car-statistics/
Auto Industry Says Cybersecurity is a Significant Concern as Cars Become More Automated https://www.washingtonpost.com/transportation/2019/04/30/auto-industry-says-cybersecurity-is-significant-concern-cars-become-more-automated/
Cybersecurity is Imperative for Connected Cars https://www.electronicdesign.com/markets/automotive/article/21143151/cybersecurity-is-imperative-for-connected-cars
Evolution of Intelligent and Autonomous Vehicles https://iln.ieee.org/ContentDetails.aspx?id=5D551F77FF61408D96390B0302CD033F
Future of Cyber Security for Connected and Autonomous Vehicles https://towardsdatascience.com/future-of-cyber-security-for-connected-and-autonomous-vehicles-4c553def6d50
IEEE Innovation at Work - How Can Autonomous Vehicles Be Protected Against Cyber Security Threats? https://innovationatwork.ieee.org/how-can-autonomous-vehicles-be-protected-against-cyber-security-threats/
IEEE Innovation at Work - UN Announces New Cyber Security Regulation for Connected Vehicles https://innovationatwork.ieee.org/un-announces-new-cyber-security-regulation-for-connected-vehicles/
IEEE Innovation at Work - Six Ways to Protect Against Autonomous Vehicle Cyber Attacks https://innovationatwork.ieee.org/six-ways-to-protect-against-autonomous-vehicle-cyber-attacks/
It Still Runs – Car Computer History https://itstillruns.com/car-computer-history-5082250.html
NHTSA - Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/readiness-of-v2v-technology-for-application-812014.pdf
Physics World – How to Hack a Self-driving Car https://physicsworld.com/a/how-to-hack-a-self-driving-car/
SAE International "Levels of Driving Automation" Standard for Self-Driving Vehicles https://www.sae.org/news/press-room/2018/12/sae-international-releases-updated-visual-chart-for-its-%E2%80%9Clevels-of-driving-automation%E2%80%9D-standard-for-self-driving-vehicles
Society of Motor Manufacturers and Traders – Connected and Autonomous Vehicles 2019 Report https://www.smmt.co.uk/wp-content/uploads/sites/2/SMMT-CONNECTED-REPORT-2019.pdf