By Nancy Doniger

As the tech revolution marches on unstoppably in the real and virtual world, driverless cars are the future, and the future is now. Although the number of semi- or fully autonomous cars on the roads is still extremely small, drivers of traditional vehicles don’t know whether other vehicles sharing the road have a fully engaged driver or not.

So it behooves everyone to be fully aware of the situation and to demand safeguards from automakers and government regulators before these vehicles become ubiquitous. Fatal crashes in recent months involving semi-autonomous cars have drawn sharp rebuke from consumer advocacy groups and cybersecurity professionals demanding fixes.

Consumers Union, the advocacy division of Consumer Reports, called on Tesla to improve its “Autopilot” driver-assist system and release the data behind the company’s safety claims following the fatal crash of a 2017 Model X on March 23 in California.

The National Transportation Safety Board determined driver inattention due to over-reliance on vehicle automation as a probable cause in the fatal crash of a Tesla Model S sedan that plowed into a truck in May 2015 in Florida.

The drivers of both cars perished. Both were using Tesla’s “Autopilot” system, which the Center for Auto Safety and Consumer Watchdog criticized for giving drivers a false belief that the vehicle is capable of self-driving when it is not. They asked the Federal Trade Commission to investigate.

Uber removed its self-driving cars from the roads after a self-driving Uber SUV struck and killed a woman as she walked her bicycle across a street in Tempe, Arizona in March. Uber is conducting tests of autonomous vehicles in Arizona, Pittsburgh, Toronto and other areas.

Pamela Gupta, an artificial intelligence, security and governance strategist, calls on manufacturers to install safeguards before putting these vehicles on the road. But even without autonomous functionality, a large surface area for vulnerabilities is growing as the lines between traditional car manufacturing and the cyber world merge, Gupta said.

Gupta seeks to raise awareness of the threats interconnected products, the “Internet of Things,” bring to modern life along with convenience. The Internet of Things is made up of billions of everyday devices, including car navigation and entertainment systems. Manufacturers need to collaborate between industries to assure system-wide security for devices such as connected cars, smart TVs, fitness trackers, and other common household items, she said. In the auto world, any product that talks to the outside world, including entertainment and navigation systems, music and mapping apps, and CD drives could be vulnerable.

Consumers, for their part, must demand safety and security protections in all of the connected products they buy and use. Gupta believes automakers and manufacturers will comply if consumers demand it. The government is the other leg of the security triad.

“The risks are not well understood, let alone addressed,” she said. “Cars have become akin to data centers without the accompanying security and safety.”

Modern-day cars have tens to hundreds of microprocessor-controlled interconnected electronic control units that are potentially capable of being hacked, Gupta said. Data centers have preventative and detective security technology such as authentication mechanisms, firewalls, encryption and intrusion detection systems.

But these preventative measures don’t exist or are not fully mature in the automotive space, she said. Interconnectedness has resulted in an attack surface that is broad, touching most in-vehicle systems and an increasingly wide range of external networks, from Wi-Fi, cellular networks and the Internet to service garages, toll roads, drive-through windows, gas stations, and a rapidly growing list of automotive and aftermarket applications, Gupta said.

The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University in April issued an alert on an aftermarket product for vehicles in which a vulnerability can expose drivers to potentially life-threatening wireless attacks. BlueDriver, which sells on Amazon.com and other sites for around $100, is one of a number of aftermarket products that allow owners to access diagnostic and performance data from older model vehicles.

CERT partners with government, industry, law enforcement, and academia to improve the security and resilience of computer systems and networks.

“These are some of the challenges facing traditional cars,” Gupta said. “As we move toward automation, the risks increase and the cybersecurity requirements of networks.”

A modern luxury vehicle contains, on average, more than 100 million lines of software code. A Boeing 787 Dreamliner has 6.5 million lines of code. Gupta supplied an example of why this is a problem.

“Software code supports both core-driving functions, such as braking and steering, and advanced safety and convenience features, such as built-in navigation and Bluetooth systems,” she said. “In July 2015, two researchers exploited software vulnerabilities in a Jeep Cherokee’s ‘telematics’ unit to remotely take control of safety-critical systems — including manipulating the brakes — without prior physical access to the target vehicle.”

This resulted in three Jeep Cherokee owners filing a complaint against both Fiat Chrysler Automobiles and Harman International, the maker of the Uconnect dashboard computer in millions of Chrysler vehicles, Gupta said. A security flaw in that cellular-connected computer served as the entry point for security.

The small group of plaintiffs was hoping to invite anyone with those vulnerable Uconnect systems in their car or truck to join them in their litigation. If their complaint gets certified by a court as a class action, the broad spectrum of affected Chrysler vehicles means it could snowball into a case with more than a million potential plaintiffs and turn into a potentially massive lawsuit, Gupta said.

With regard to the Tesla crash in Florida, the Autopilot system failed to differentiate the white side of a tractor trailer that was crossing in front of the vehicle from the bright sky behind it, and neither the self-driving system nor the driver who got killed attempted to brake, according to Gupta.

“Tesla did not take a strategic approach to identify an accurate threat model given its technology, radar, sensors, cameras, Mobileye, etc. for its Autopilot feature,” Gupta said. “Elon Musk said that radar ‘tunes out’ objects like an overhead road sign to avoid stopping the car for no reason.”

Experts say this means that the radar likely overlooked the tractor-trailer in the Florida crash. “I disagree,” Gupta said. “Radar will see when all the optical sensors fail. Secondly, it sees other cars quite well, and each radar hit returns not just a distance, but how fast the obstacle is moving, thanks to Doppler. That’s even more than what LIDAR gives — a single radar capture shows all the moving obstacles and their speeds. The detection of the object plus the speed of the object is the condition that should have been included in their design to avoid the crash.”

(Doppler is a specialized radar that produces velocity data about objects at a distance. LIDAR is a surveying method that measures distance to a target by illuminating the target with pulsed laser light and measuring the reflected pulses with a sensor. The technology is also used in control and navigation for some autonomous cars.)

Tesla acknowledged that the Autopilot technology was engaged at the time of the March fatal crash in California, and it was reported that the company commented directly on the safety of its system and what it described as “moral and legal liability” in the crash, Gupta said.

The recently enacted European Union General Data Protection Regulation imposes strict data protection requirements and penalties on companies for security failures, including data breaches in EU countries. It hasn’t been adopted in the United States. American companies are required to adhere to the regulation for work they do in Europe and could decide to extend the protection in the U.S., particularly if consumers and manufacturers demand that they do so.

Someday, all the cars on the road may be controlled by artificial intelligence. Humans will be free to work, read, talk, entertain themselves, eat and even sleep. Now is the time to take the right road to a safe, private and hack-free future.

Pamela Gupta regularly shares her tech knowledge as part of her community outreach as CEO and president of OutSecure Inc., the cybersecurity strategy firm she founded. She built a global security program for risk management at the business and technical levels and created oversight for a multi-million dollar sales marketing project involving Internet, mobile and cloud technologies, e-commerce and digital asset management. Read more about cybersecurity threats and solutions at outsecure.com. Feel free to send Gupta a LinkedIn invitation and connect on Twitter at @pamegup.

Nancy Doniger is a self-employed writer and editor, specializing in public relations and grant writing. She previously worked for three decades as a journalist. Feel free to send Doniger a LinkedIn invitation.