The hunt for security flaws in self-driving cars steps up a gear
Last week, seven projects in the UK dedicated to developing tools that will improve cybersecurity in self-driving vehicles received a grand total of £1.2 million ($1.56 million), or about £171,500 ($222,847) each, to boost their research – a sum partly funded by the government’s Centre for Connected and Autonomous Vehicles (CCAV).
Speaking at a conference in London, the deputy head at CCAV Catherine Lovell pointed to the recent investment as an example of the government’s renewed efforts to deliver on the UK’s vision for the future of mobility: to have roads populated by connected, autonomous and reliable vehicles – and, crucially, vehicles that are safe from the growing threat of cyberattacks.
“When we talk about safety,” she told ZDNet, “we need to think about the new types of risks involved as well. Cyberattacks caused by vulnerabilities or unreliability are part of security as a whole, and are a key priority for us.”
SEE: 10 tips for new cybersecurity pros (free PDF)
The cyber risk that comes with connecting cars to the internet has long been identified as a threat that shouldn’t be underestimated. From remote hacking to disabling or controlling a vehicle, to the risk of companies or nation states surveying our every move, cyberattacks on autonomous cars could have disastrous consequences.
As early as 2015, researchers figured out that they could compromise a connected-car system to remotely control a Jeep and send it off the road. That was just before car hackers, the following year, managed to take control of the car’s brakes. Then researchers found that bugs in some vehicle systems would let them disable security features, and in some cases access the vehicle’s location and user information.
A recent study from consulting firm Zenzic, in fact, showed that cyber resilience would be the most significant technical challenge that needs to be solved if the UK is to successfully deploy self-driving cars on roads by 2030.
For all these reasons, a few years ago, the UK government published a set of guidelines for car manufacturers, designed to ensure cybersecurity standards in the automotive sector. They included recommendations ranging from how to store and transmit data, to the need to create resilient systems that would respond appropriately in the case of sensor failure.
Those guidelines are also part of the government’s latest code of practice for autonomous vehicle trialling, which states that manufacturers are responsible for managing “data security” as well as “the risk of unauthorised data access”.
In other words, the importance of protecting future connected cars from hackers and cyberattacks is well-known already. The question is, is enough being done to tackle the problem?
“Ministers understand that this is an important topic,” Robert Piechocki, professor of wireless systems at the University of Bristol, told ZDNet. “But in short, we need more money. New ideas are being introduced all the time, and there might be additional vulnerabilities that we don’t know of.”
But grants in the UK are being measured in millions, he continued, while across the pond, in the US, funds come in billions. “That is absolutely the way forward,” he said. He pointed, as an example, to a recent bill put forward by the US Senate, which proposed a $1.25 billion (£1 billion) investment towards strengthening the security of 5G networks.
That is not to say that the UK is not making any progress. Last year, a multi-sector consortium led by consulting services company Atkins completed a three-year research project on connected vehicles, and presented new ideas to improve the resilience of future vehicles.
The researchers came up with an incident-response framework, for example, which assesses the level of threat posed by various types of incidents and informs users on the reliability of their car’s wireless communication.
In a recent survey published by British motoring association AA, an overwhelming 87% of UK drivers expressed their concern at the possibility of incidents happening that were not anticipated by software programmers when developing autonomous technology.
Although the survey only polled about 20,000 drivers, it did highlight that security is not only about hacking. Preventing cyber threats, and ensuring overall security, is also about convincing the public to take up the technology so that connected cars, and the £62 billion ($80.5 billion) they are expected to generate for the UK economy by 2030, actually hit the country’s roads.
It doesn’t seem that autonomous cars are quite there yet. Piechocki, for his part, believes that “we are entering a sort of connected cars winter” after a few years of upbeat announcements, and that deploying the technology will be a lot slower than initially thought.
Speaking at the same conference as Catherine Lovell, Richard Rosser, the shadow spokesperson for transport, seemed to agree: “The extent of the inevitable problems that have to be resolved, including public confidence in safety, was not initially fully appreciated by some,” he said.
Connected cars have a bright future; but how close that future is, is still hard to gauge.