Can Self-Driving Cars be Hacked?
Are self-driving cars secure? What happens if terrorists manage to hack one?
I am asked this question often when speaking eagerly about my belief that autonomous vehicles are the future. Especially after the tragic incident in Stockholm earlier this spring. Many people assume that cars cannot be hacked at present.
I recently listened to a talk by the American security expert Charlie Miller at the Norwegian conference Paranoia, where he spoke about his research into vehicle security. Charlie Miller is well known for remotely hacking a Jeep Cherokee a few years ago, gaining control of the acceleration, braking and steering systems (inside the vehicle at the time was a journalist from Wired, whose article on this nightmare scenario can be read here).
Charlie Miller has repeatedly demonstrated truly shocking security shortcomings in vehicles from Jeep. When asked if he believed that only Jeep had these bugs, he stated that that was highly unlikely, but that he did not have the funding to test cars from other manufacturers.
The most common picture of cars and how they work is one that has prevailed since the beginning of the millennium. At that time, they were completely isolated systems and the most advanced thing was connecting a CD player to listen to your music. It is a mystery how this picture has persisted up to now when we are used to connecting our smartphones to the speaker system while having Google Maps open on the instrument panel.
Although, I think the automotive industry is definitely starting to get a grip of the situation (thanks to individuals like Charlie Miller) and most manufacturers are consciously working to improve information security in their vehicles. But I would like to highlight a few good principles that will help this work significantly:
- Be cautious with rights – employ the principle of least privilege for any and all systems able to communicate with one another.
- Combine passenger safety with information security in your vehicles. These naturally influence each other but this also means that you don't have to start from scratch.
- Segregate networks in the vehicle and separate security-critical elements from the comfort elements. If communication between these is absolutely necessary, do this in a highly controlled manner by means of very restricted gateways or protocol converters.
- Recognise that every interface (yes, every, even the sensor that reads air pressure in tyres) is vulnerable to attack.
- Test the security.
But what if you're not a vehicle manufacturer (not everyone is) yet you are still concerned about your car being hacked? Firstly, we must concede that this is very uncommon – for the time being. For those who would still like to beef up security:
- Reduce the number of remote services. Not all of these can be switched off, but some can be and this is often a good idea. Remote services are actually the easiest way to exploit a vehicle.
- Never download or install programs if you're unsure whether they come from a trustworthy source.
- Do not use browsers. Several modern cars come with an internet browser, but rather use your smartphone to surf online. And, of course, never surf while driving – for obvious reasons!
- Keep apprised of information from the car's manufacturer regarding security. For example, Charlie Miller got Jeep to ask all their customers to update the infotainment system.
- Finally, if you're really concerned, I recommend purchasing a much older car. Either one that cannot be connected online or one that has been around for a few years, which increases the probability that the most severe security gaps have been identified and resolved.