Like an unstoppable incoming tide, connectivity has quietly inundated the automobiles we so love to drive.
In less than a decade, amazing driver-assist mechanisms and must-have infotainment systems have swept into the dashboards of many popular car models for sale today. And we’re just at the start of this trend. Connectivity, apps, smartphone integration and autonomous driving are on an upward sweep taking us toward widespread public use of driverless vehicles, just a few years away.
As these developments unfold, the auto and tech industries – as well as state and federal regulators – are scrambling to fully understand and address newfound safety and privacy concerns. “The threats to the connected cars of today, and to the autonomous cars of the future, include not only the vehicles, but also the ecosystem they operate in,” said Stacy Janes, chief security architect of the connected transport division of Irdeto, a supplier of software anti-piracy systems.
Going forward, connected cars will increasingly make life-or-death decisions about physical objects and other digital systems they can sense nearby, while at the same time collecting and storing troves of monetizable operational and personal data.
“The high-level challenge is, how do you get all of these systems traveling at high speed to work safely together,” said Bryson Bort, chief executive officer of Scythe, an Arlington, Virginia–based supplier of pen testing tools. “The hidden risk is that a system doesn’t need to be directly compromised to affect its decision-making. It’s possible to influence the data the vehicle is collecting.”
As the saying goes: garbage in, garbage out. In the context of data continuity and smart cars, it is the passengers’ safety on the line.
The core security and privacy challenges are daunting. A viable level of trust must be established between multiple connected systems intensively collecting a tsunami of sensitive data. Interestingly, it is the same threshold of trust that must be met to bring the budding Internet of Things economy to full fruition.
Remember when wrenching on a hot rod was a pastime accessible to the average teenager? No longer. Modern cars rely on a growing bank of computing devices called electronic control units, or ECUs, linked together to control braking, acceleration, steering, engine performance, door locks, climate control, navigation and infotainment.
In 2003, a model of the Toyota Prius came along that featured automatic parallel parking assistance. It took Ford and BMW six years to come up with something similar. And then the pace of innovation shifted into high gear. Today, parking-assist, lane-guidance and collision-avoidance systems are commonplace.
Car models are rising steadily up the Society of Automotive Engineers’ zero-to-five scale of vehicle autonomy. Most cars today are at level 0 – equipped with automated systems that can send warnings and temporarily intervene but cannot control the vehicle on their own. But more and more models are being delivered at level 2, where automated systems can sometimes take over steering, accelerating and braking, though the driver must stay ready to intervene.
The 2019 Audi A8 has reached level 3, at which the driver can divert his or her attention to a non-driving task under certain circumstances; for example, when snaking through a highway jam. The A8 comes equipped with 24 video, radar, sonic and laser sensors that work together to steer the car autonomously, at low speeds, on roadways with physical barriers separating the oncoming traffic.
Level 5 vehicles – in which human driving is completely eliminated – may arrive as soon as 2020. In the meantime, computer-assisted controls are becoming more pervasive even as infotainment systems are being continually upgraded. As the connectedness of cars deepens, the line between autonomous driving systems and in-car infotainment services is rapidly blurring, and we see all-too-familiar trade-offs – security and privacy versus functionality and convenience – being made, industry experts told Threatpost.
“As the number of systems increases without significant evolution of the underlying architecture, vulnerabilities can be expected to grow exponentially,” said Rusty Carter, vice president of product management at Arxan Technologies, a San Francisco–based supplier of application security systems that’s working closely with the auto industry.
Safety First and Foremost
It has been more than three years since researchers Charlie Miller and Chris Valasek remotely hacked their Jeep Cherokee as an experiment. Using a laptop and sitting 10 miles distant, the duo took control of the digital display screen, engaged the brakes, cut the transmission and killed the engine.
Since the Jeep hack, there have been a number of instances of hackers overcoming the electronic door locks of parked cars. But hacks of moving vehicles has mainly been done by researchers in controlled settings. Meanwhile, a cottage industry of startups and established tech security vendors has cropped up to focus on securing the expanding ECU platforms governing modern vehicles. These include Irdeto, Arxan, Scythe and Thinci, an El Dorado Hills, California–based startup developing next-generation vehicle control platforms.
Thinci president Dinakar Munagala anticipates that connected vehicles will increasingly tap into over-the-air maintenance updates, as well as relay information about road infrastructure and nearby vehicles to after-market service providers. Munagala said the auto and tech industries realize they must achieve certain benchmarks of security and privacy to fully monetize this wellspring of operational and personal data, collected in real time.
“As software complexity rises, the attack surface extends beyond the vehicle,” Munagala said. “Use of autonomous systems can dramatically increase the consequences of any attack, so security has to extend beyond just protecting the vehicle.”
Safety is paramount, of course, and it comes down to whether any electronic component can fail on its own – or at the behest of a malicious hacker – in a potentially catastrophic way. Given the rising complexity of connected systems, the solution won’t be as straightforward as, say, mandating seat belts or airbags.
“Functional safety and overall security cannot be addressed by the addition of one or two components to the system,” Munagala told Threatpost. “It must be considered, analyzed and implemented throughout the development process with a systems-engineering approach.”
Authorities responsible for public safety are cognizant of these budding concerns.
Initial discussions about specific safety rules have commenced within the National Highway Traffic Safety Administration, the National Telecommunications and Information Administration and the Federal Trade Commission. Law enforcement is paying close attention, too. Two cases were recently argued before the U.S. Supreme Court probing the definition of vehicle privacy, when it comes to unreasonable searches and seizures. More such cases are sure to come.
Meanwhile, 17 states, as well as the District of Columbia, have enacted statutes limiting the use of information collected by event-data recorders, or EDRs, the “black boxes” installed on all vehicles since 2013 that capture operational data at the time of a crash. Between the auto and tech industries embracing self-regulation, and state lawmakers defending consumers’ interest, a mix of engineering breakthroughs and government requirements is likely to take shape, said Elizabeth Rogers, a privacy and data security partner at Michael Best and Friedrich.
“A variety of data is necessary to engineer this technology, and there will also be a variety of sensitivities to the types of data collected,” Rogers elaborates. “Varying levels of consent should be incorporated into the design, with express consent being required before sharing a consumer’s unique and individualized driver data.”
Although engineering prowess can be expected to ultimately make connected cars as safe as they need to be, resolving mushrooming privacy concerns will be much more problematic. The lure of monetizing machine and human data sets gushing from connected vehicles is already driving some stakeholders to behave in ways likely to stir Congressional intervention.
USA Today, for example, disclosed that rental-car companies routinely fail to delete personally identifiable information that renters type into infotainment systems. And CBS News recently reported that carmakers have experimented with reselling blocks of location data to mapping vendors, stoking privacy advocates’ concerns about third parties moving to auction information collected from onboard cameras and sensors to the highest bidders.
Already, the move by 17 states to restrict use of EDR-collected data is reinforcing criticism about the insurance industry leveraging data collected by connected vehicles in ways that might be unfair to individual citizens. Arsan’s Carter observes: “Collection, storage, usage and third-party party access to information about the vehicle’s operation and performance will pose privacy concerns rivaling those of any social network or financial account usage.”