Dubai: Cars are an essential part of our everyday life and are crucial to transporting thousands of commuters on a daily basis through busy towns and cities, and from one country to another.
|
|
Alain Penel |
With “smart” vehicles playing such a major role in our day-to-day lives, it’s no surprise that semi- and fully-autonomous transportation and the potential for driverless cars have become hot topics.
Countries such as the UK, France, and Switzerland are already testing forms of autonomous cars on public roads.
The Singapore government has given permission to nuTonomy to test self-driving cars in a small area of the town. It’s begun testing taxis with passengers. Most of the major car manufacturers expect autonomous cars to be deployed by 2020 or sooner.
Market research company Business Insider projects that the self-driving car market will grow at an annual rate of 134 per cent between 2015 and 2020.
According to Gartner, driverless vehicles will represent approximately 25 per cent of the passenger vehicle production in use in mature markets by 2030.
While highways full of driverless cars may be a shining vision of the future for some, from a hacker’s perspective, they represent yet another opportunity to wreak havoc.
Driven home by the rise in increasingly sophisticated cyberattacks and data breaches over the past several years, ensuring driver safety from cyberthreats has become a major development focus and challenge in the automotive and security industries.
Alain Penel, Vice-President at Fortinet Middle East, told Gulf News, that a driverless car is a very advanced mode of transportation, possibly even without a readily available steering wheel. They have considerably more electronic components than ‘traditional’ cars and rely on sensors, radar, GPS mapping, and a variety of artificial intelligence to enable self-driving.
“These new guidance and safety systems must be integrated into the electronic on-board systems already present in modern day vehicles, connect wirelessly to the manufacturer, and probably even offer third-party services via the internet. And that’s where the problems begin: with hackers remotely accessing a vehicle and compromising one of its on-board systems, resulting in a range of risks from privacy and commercial data theft, to actual physical risks to people and property,” he said.
Not all systems and in-car networks will be created the same. Attackers will seek “vulnerabilities are less-defended services”, such as entertainment systems, and try to leap across intra-car networks to more sensitive systems through the integrated car communications systems.
For instance, he said a limited amount of communication is typically allowed between an engine management system and an entertainment system to display alerts (“Engine fault!” or “Cruise Control is Active”) that can potentially be exploited.
Conventional, legacy car systems were self-contained and usually came from a single manufacturer. As new autonomous cars are developed, they will very likely need to include software provided by a variety of vendors — including open source software.
“Information technology, unlike industrial controls systems such as legacy car systems, is not known for predictability. IT systems, in fact, tend to fail in unpredictable manners. This may be tolerable if it is just a matter of a website going down until a server reboots. It is less acceptable in the event of guidance systems being degraded even slightly when an adjacent entertainment or in-car WiFi systems crashes or hangs,” he said.
However, he expects to see known threats be adapted to this new target, expanding from common internet platforms like laptops and smartphones and the internet of things (IoT) like an autonomous car.
Three distinct domains of automotive security:
1. Intra-vehicle communications: Smart vehicles will have several distinct on-board systems, such as vehicle controls systems, entertainment systems, passenger networking, and even third-party systems loaded on-demand by owners. To a certain extent, these systems will need to engage in “cross-talk” to bring new services to life, but this cross-talk needs to be closely monitored and managed by systems such as firewalls and Intrusion Prevention Systems (IPS) that can distinguish between legitimate and normal communications and illicit activity in the car’s area network.
2. External communications: Many, if not all on-board systems will have reasons to communicate to internet-based services: for manufacturer maintenance, for software updates, for passenger internet access, for travel and driving instructions, for service requests, to purchase items or services, or to backup data. External communications will very likely be both “push” and “pull” — they may be initiated either from inside the vehicle or to the vehicle from a manufacturer or the internet. This also means that traffic to and from the vehicle will need to be inspected and managed for threats and illicit, defective, or unauthorised communications using firewalls and IPS-like capabilities.
3. Connectivity infrastructure: The infrastructure used by a vehicle will likely be based on well-established cellular networks, but with a twist. These cellular services also suffer from inconsistent security. Smart, driver-assisted, or even driverless vehicles will raise the stakes significantly. A directed attack on or through the cellular network could trigger significant, safety-critical failures on literally thousands of moving vehicles at the same time. Securing cellular networks and providing critical vehicle connectivity will require a thorough review in light of such potential catastrophe.
— N.K.C.
