Do autonomous cars address security threats? The more automated your car is the more vulnerable it is to security threats

In the race to the autonomous car, more functionality starting to move from humans to machines. Off course, the shift is made step by step, and there are many standards. You can get more information by looking, for example, at J3016_202104 standard (https://www.sae.org/standards/content/j3016_202104/).



The below picture illustrates the evolution of the autonomous cars:

SAE J3016

Source : https://www.sae.org/binaries/content/assets/cm/content/blog/sae-j3016-visual-chart_5.3.21.pdf

Definition of the six layers: 


Level 0: No Driving Automation

Level 1: Driver Assistance

Level 2: Partial Driving Automation

Level 3: Conditional Driving Automation

Level 4: High Driving Automation

Level 5: Full Driving Automation


As per above, as the level of autonomy goes up, the driver does less and the automation responsibility increases.



The idea is clear, a machine can do more calculations, more operations and be based on a massive amount of data. Although it looks tempting, it requires a lot of Security considerations. Cybersecurity attacks on autonomous cars can be risky and can cause massive damage.



The surface attacks on cars are rising, specifically for autonomous cars requiring data access and powerful processing capability. Consequently, autonomous cars require continuous connection to the Cloud.


For example, an autonomous car is connected to Cloud of the Car provider to store the data, update its software and get remote commands.


Let's look at some potential security risks that come with moving to autonomous cars (note, some of


the risks are also relevant to the very low levels of the automotive models).

figure1 Risks

Many of the risks fall into the category of "Missing human discretion".
The autonomous vehicle is based on algorithms and AI/ML to make decisions.
What will happen if the algorithm encounters a scenario it is not familiar with? In this case, human discretion can be more effective.

For example, let's say the car is driven on an intercity road, of course, no algorithms can think about what would happen if the car drives at 75 miles per hour, and suddenly, in the middle of the road, there is a baby carriage and no time to stop. Does the car get off the road and endanger the driver? It is hard to know, right? And what if someone manipulates the algorithm to make a wrong decision on purpose? Can we trust the "common sense" of a machine?

As a security persona, we always define the human factor as the weakest link in the chain, but autonomous has its weakness points.

The security world should change the way we think about security as autonomous cars become more and more independent. The attack surface is changing, and accordingly, so are the threats.


I will present a scenario that illustrates how the development of autonomous increases the security risk.

The threat: Criminals want to harm eye witnesses, to prevent them testifying at trial

.


Level 0 ( No Driving Automation) & Level 1 (Driver Assistance)

Attack: No cyber activity is required. The criminals need to do "old fashion" tracking and harm the eye witnesses


Level 2 (Partial Driving Automation) 

Attack: Criminals can use hackers to activate and deactivate driving support systems.  

Driver remediation: The driver fully controls the driving. He notices the "mistake" and continues to drive as regular.


Level 3 (Conditional Driving Automation) 

Attack: Criminals can use hackers to interfere with the automated driving system and navigate the car to the trap location. Or hackers can also deviate intentionally by changing the wheel to off-road direction.

Driver remediation: The driver can cancel the autonomous driving and drive to the right location. The driver can resume control of the wheel, direct the car and press the brakes.


Level 4 High Driving Automation and Level 5 Full Driving Automation

Attack Criminals can use hackers to interfere with the automated driving system and navigate the car to the trap location. Or hackers can also deviate intentionally by changing the wheel to off-road direction.

Driver remediation: The driver doesn't have control over the car. He may not even sit in the driver seat, so he can't fix the issue.



To summarize:

The development of the Automobile Industry from "No Driving Automation" to "Full Driving Automation" is important and blessed.

However, the Automobile Industry must remember that security needs to be improved and evolved with technology.


As Uncle Ben from Spiderman once said: "With great power comes great responsibility"


I say, "With great technology comes great (security) responsibility".


Stay Safe,
Tomer