The evolution of connected cars has meant that it is now easier than ever for hackers to find a vulnerability and steal personal data directly via remote access from a vehicle.
According to a new study by Uswitch ““Cyber-attacks on connected cars have increased by 99% in the last year alone”, and this figure is only going to increase, as 67% of new cars that are registered in the UK are now ‘connected’, with projections showing this will rise to 100% by 2026.
While it certainly makes life easier, increased connectivity comes at a price. This blog will discuss the features of connected cars and the potential threats and vulnerabilities that they pose.
As humans we use our sensory functions to operate a vehicle. We look where we are going and listen for other cars and pedestrians to ensure we are always safe. Years of driving experience engrained into our memory allows us to react and make decisions based on past experiences. These are the characteristics that car manufacturers must recreate in order for the vehicle to execute driving in the same way a human does. Therefore, they need to provide the vehicle with not only sensory functions but cognitive functions (logical thinking, decision-making, memory, and learning) as well.
One of the methods for this is the AI Perception Action Cycle in Autonomous Cars. There are 3 aspects to this cycle:
- In-vehicle collection and communication systems. This is the equivalent to our sensory system, known as the Digital Sensorium. Using cameras, radars and sensors the vehicle can build a picture of its environment enabling it to assess all aspects of its surroundings just like we would. The sensors usually compile of three types all with separate responsibilities.
- Mid-range is mainly covered by lidar and video cameras to provide an immediate picture of the surrounding area.
- Finally, ultrasonic sensors and short-range cameras are primarily used for close proximity work, an example of this is parallel parking assistance seen in Chrysler’s ‘magic parking’ or VAGs ‘park sssist’. In-real time this data is then collected and passed through data communication systems into the super-computers, where all of the data is processed, and the valuable attributes are added to the autonomous Cloud platform.
Autonomous driving platform
An ‘Autonomous Driving Platform’ is a Cloud-based intelligent agent which, with the collected data makes use of AI algorithms enabling a vehicle to make its key decisions. If this stage in the cycle were to be tampered with, the actions of the vehicle could be altered to crash the car, or even target certain object fields such as pedestrians.
In essence, the brain of a car builds an immediate picture of its surroundings whilst processing data logs and actioning driving the car. The decision-making aspect of this component has been a hot topic for a long time. How can a car make life/death decisions on behalf of a human? An example of this would be if a car has crashed in front of you, and the stopping distance is too short for you to break to avoid impact. At the same time there is a person on a bike on the pavement next to the road you are on and oncoming traffic on the other side of the road. In this scenario, it would be an almost impossible situation for a human to decide, as in every possible outcome there will be casualties. As humans, we would assess the outcomes and consider our own personal choices, as these are conscious choices we make, however an AI agent can’t make that decision on our behalf.
Another component to the AI Perception cycle is the AI-based functions. Based on decisions made by the AI, the vehicle can detect and track objects while manoeuvring through traffic without any input from the human driver. Evolving technology means there are now further features being applied including; voice recognition, gesture controls and eye tracking which is used to assess the drivers movements and attention to the road, allowing further autonomous features to be enabled in BMWs. All of these additional features create data which allows the cycle to repeat, and therefore enabling the vehicle to become more intelligent and accurate.
Due to the innovative nature of autonomous vehicles, there is an obvious lack of historical data meaning that some traditional risk assessment methods are now deemed ineffective, leading to potential vulnerabilities and threats further down the line.
There have been numerous proposed frameworks specifically for autonomous and connected vehicles that update their interface over network connections. For example, the Bayesian Network model which pulls its foundations from the ‘Common Vulnerability Scoring Scheme’ which offers a representation of the probability structure and what parameters are to be considered when talking about mitigation of autonomous Cyber-Risk. This framework has been tested with the GPS systems of the vehicles both with and without cryptography authentication.
When considering the potential flaws in these vehicles, there is a vast amount to consider; security keys that are situated within the ECUs, wireless key fobs which are now able to unlock and start the car without any physical entry of the key, and even the tyre pressure monitoring systems. All of these examples could have damaging effects on the owner and the immediate environment around the vehicle if it was to be exploited.
As we know, there are many forms of cyber-attacks that are presented within static sites, but one of the main differences between an office and a vehicle is that it is constantly in the open. In the past, a car-jacker may bring a crowbar to pop the door by putting it down the window then hotwire the vehicle. However, these days, a car jacker could intercept your locking signal and copy it before using it to gain physical access to your vehicle, a crime that is increasingly becoming more common.
Tesla are a great example of a manufacturer that have taken this a step further and are now researching a system that connects all Tesla drivers in a live chat in the local area. If a hacker were to breach this system once in the car, they have the potential to take over all the Tesla’s interfaces in the area.
So to summarise, compared to the conventional CPU Units that have the staple components, each ‘car connected’ vehicle is equipped with its own unique challenges, which in-turn will offer specific vulnerabilities and weaknesses.
The way in which vehicles evolve will continue to become more complex and there will be an ever-greater importance in the use of AI in the Automotive industry for years to come. We predict there will certainly be more successes from the Autonomous Vehicle sphere but equally learning opportunities, either way it is an exciting time for the Automotive Industry.
It would be great to speak to any of you with an interest in this subject to hear your thoughts on this topic.
Alternatively, whether you’re a client looking to build out your security team or a candidate looking to get into the industry, we have some exciting roles on at the moment within the Offensive Security arena which we’d love to talk to you about. For more information or to speak to a member of the team directly, please contact us here.