What are the dangers when talking about autonomous driving cybersecurity?

Cars play a vital role in daily commuting and cargo transportation, and smart cars are beginning to play an important role in our daily lives. Semi-automatic and fully automatic cars have become a hot topic, and the UK, France and Switzerland have already tested self-driving cars on the road. Gartner, an information technology research and analysis company, believes that by 2030, driverless cars will account for 25% of the automotive market share.

Imagine a highway full of driverless cars, but such a beautiful future also brings opportunities for cyber hackers. Given the increasing number of illegal cyber attacks and data theft in the past few years, ensuring that drivers are protected from cyber threats has become a development focus and challenge for the automotive security industry.

Self-driving cars may not even have steering wheels, they have more electronic components than "traditional" cars, and rely on sensors, radar, GPS and various artificial intelligence to make autonomous driving possible. These new electronic components and safety systems must be integrated into the vehicle's electronic system, connected to the manufacturer through a wireless network, and even provided by third-party services through the Internet.

This is the origin of the cyber threat problem. Hackers can remotely access the vehicle and control a certain on-board electronic system, which leads to a series of risks, including stealing user privacy and business data, and posing actual threats to personal safety and property.

Here are some of the cyber threats that self-driving cars may face:

Improve access rights and interdependencies between systems: Not all in-vehicle systems and networks are built according to the same architecture. Attackers will look for vulnerabilities in the least-defended services in the system, such as the entertainment system. And try to reach more sensitive and advanced locations in the in-vehicle system through the in-vehicle network. For example, there are a few communication signals between the engine management system and the entertainment system that can be used to display alarms (such as "engine failure" or "active cruise starting" and other information).

System stability and predictability: Traditional automotive systems tend to be independent and usually come from a single manufacturer. Autonomous vehicle systems are scalable and will likely need to work with a variety of software vendors (including open source software). Information technology is different from industrial control systems and is not very predictable. In fact, information technology often fails in unpredictable ways. For a website, a downtime due to restarting the server is still tolerable, but if it happens in a car, the consequences are often more serious and difficult to accept.

Just as known cyber threats adapt to new platforms, known cyber threats scale from ordinary laptops and smartphones to smart, connected, self-driving cars. For example:

Ransomware: Ransomware is prevalent on both computers and mobile phones, but a self-driving car is a more ideal target. Imagine a scenario where a hacker notifies the owner through the car's display that his car has been locked and can only be restored to normal use by paying a ransom. This threat can be easily recovered with laptops and mobile phones without much loss, but it is a different story for cars, and the owner may suffer greater losses.

Of course, some auto repair shops are familiar with solving such problems and can reset the affected components with the help of experts. The repair price is not cheap, and the car may be towed away. Although the ransom is higher than traditional computer ransomware, it is cheaper than the related repair costs. What will the car owner choose at this time?

Spyware: Perhaps more appealing to hackers is the ability to collect information about you through your car. This includes your favorite destinations, travel routes, where you live, and even who you're with. Imagine if hackers knew you were far from home and sold that information to criminal gangs, they could break into your home or use your online accounts to empty your bank account.

There is also a risk that your driverless connected car could become a gateway for electronic transactions, such as paying for your daily coffee or parking fees, or even paying for vehicle maintenance. Sensitive personal information will be stored in the car, and the car will become another carrier that can obtain your personal information. As RFIDs (radio frequency identification technology) and NFC (near field communication technology) mature, hackers can use these technologies to obtain personal information data of you and your passengers.

The last point is the question of legality and reliability. Will we use the location information recorded by the vehicle as an accurate reference? In other words, if the vehicle record reports that you opened the door, got into the car, and drove to a certain location on a certain day, will we completely imagine everything based on this record? This issue needs to be taken seriously.

Similarly, if the software of a car is provided by several different suppliers, if a safety accident occurs, who should be held responsible for the accident? Is it a software defect? ​​Or is it the fault of network management? Or is it the fault of the lack of training of the personnel on the car?

Ultimately, the question is: How to make self-driving cars safer?

The first step must be to make manufacturers more aware of potential cyber threats. Although manufacturers have extensive experience in automotive security, they still have no experience in dealing with cyber hackers. Cooperation between manufacturers and the Internet security industry can be a win-win situation, and ISAC (Information Sharing and Analysis Center) is a precedent.

The second step is to weigh the risks and threats when integrating more and more technologies into the car, whether it is to enhance the user's driving experience or improve the performance of the car. Even if there are no regulations yet, it is also necessary to ensure that these technologies are correctly and compulsorily applied to the corresponding systems.

In addition, there is a growing problem in many IoT devices: many devices use a common set of communication procedures that have no built-in security. As a direct result, device data is extremely insecure. We need to establish more robust network standards for self-driving cars than the current IoT.

At the same time, manufacturers must work with various technology and communications suppliers to clarify where vehicles are sold and ensure that network connections to vehicles are stable and secure.

Automotive safety can be divided into three distinct “domains” that can, in some cases, employ similar technologies.

Internal communication, smart cars will have several different on-board control systems, such as vehicle control systems, entertainment systems, passenger networks, and third-party systems loaded by the owner's personal needs. To some extent, these systems need to "communicate with each other" to provide new services, but these "communications" need to be based on close monitoring and control. The software responsible for detection and control includes firewalls and intrusion prevention systems, which can distinguish whether the "communication" is normal and legal.

External communication: Most vehicle systems require Internet-based service communication, such as maintenance, software updates, passenger networking, navigation, service requests, shopping, and data backup. External communication is two-way, which means that all data entering and leaving the vehicle needs to be checked and managed securely, and illegal activities must be intercepted.

The communication between vehicles and service infrastructure will most likely use cellular networks, such as 3G and 4G data services. Although these data services have provided Internet services to billions of smartphones and other devices in the world, it is still difficult to avoid network hazards. Obviously, self-driving cars need a more complete cellular network. Otherwise, using the current cellular network for data transmission, once attacked by the network, it may cause accidents to tens of thousands of cars. Therefore, it is necessary to ensure that the cellular network used for vehicle communication is secure enough to avoid potential risks.

Finally, a highly secure identity recognition and access control system needs to be designed for the machine. The vehicle itself will monitor and screen the information entering and leaving the vehicle's key systems, and requests to log into the cloud or transmit (such as refueling or payment) must be verified by the owner's identity.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.