How quickly self-driving cars roll out is dependent on the industry addressing some very serious cyber security issues with smart cars and IoT devices in general.
Self-driving cars are what everyone is talking about, but many people question whether the machine learning and artificial intelligence that power these cars have advanced enough for the vehicles to truly drive themselves, or if Lyft’s prediction that it will roll out a self-driving fleet within the next few years is overly optimistic. However, the biggest stumbling block for the driverless car industry is not the artificial intelligence and machine learning technology that powers these vehicles but the cyber security issues that the car industry has yet to address.
Smart Cars Just as Hackable as Other Smart Devices
Although self-driving cars are still in beta testing, other Internet of Things (IoT) devices, including fitness wearables, smart thermostats, and smart medical devices, have been commonplace for several years, and newer model cars come with an abundance of smart technology. Cars can already park themselves; they just can’t drive themselves. However, once a device, any device, is connected to the internet, it immediately becomes a potential target for hackers. The cyber security issues that plague smart cars are the same as those that threaten desktop and laptop computers.
These threats are not just hypothetical. Chinese security researchers have uncovered multiple vulnerabilities that allowed them to hack into the controller area network (CAN) of a Tesla Model S, which gave them remote control of the vehicle’s sunroof, driver’s seat, windshield wipers, central display, door locks, brakes, and other computer-controlled systems – both when the car was parked and when it was in motion.
Tesla is considered one of the most cyber security-conscious car manufacturers in the world, yet one of their vehicles was hacked. Most organizations are not taking the threat to connected cars and other smart devices seriously, despite the gravity of the situation; 90% of organizations have no cyber security plan to address IoT cyber security specifically, and 68% have no testing strategy for IoT devices. In the wake of the Tesla hack, the U.S. Department of Transportation announced a series of guidelines for manufacturers to address cyber security issues in driverless cars. While these guidelines are voluntary, it’s reasonable to expect that the government will begin enacting legislation down the line, especially if a major hack happens.
Ransomware a Major Threat to Self-Driving Cars
In addition to hackers taking over a vehicle and remotely operating it, ransomware looms large as an IoT security issue. The healthcare industry, which is being plagued by ransomware attacks on electronic health records, is wringing its hands over the possibility of hackers holding IoT pacemakers and insulin pumps for ransom. Driverless car manufacturers should share their concerns.
Researchers at Intel Security discovered a vulnerability allowing them to install malware on a smart car’s infotainment system. In the experiment, the malware set the stereo to play the same song over and over, but what if a hacker found a way to use the infotainment system as a door into the rest of the car’s systems, installed ransomware, and rendered the car inoperable until the owner paid a ransom? Earlier this year, Hollywood Presbyterian Hospital paid $17,000.00 in Bitcoin to hackers who had locked down the facility’s electronic health records. A consumer who needs their car to get to work or drive their children to school may be willing to fork over several hundred dollars to a hacker, especially since trying to fix the car’s computer may cost that much or even more. If a hacker manages to disable a commercial fleet of self-driving vehicles, the stakes are even higher, and the targeted company may be willing to pay that much per car.
Most Consumers “Very Concerned” About IoT Cyber Security
Whether Uber’s trial works out or Lyft’s prediction comes true will not matter if consumers reject driverless cars; 58% of consumers report being “very concerned” or “highly concerned” about IoT cyber security. If consumers do not feel that autonomous cars are safe, they will refuse to buy them or even ride in them. Car manufacturers cannot afford to take a lackadaisical attitude toward cyber security. Autonomous vehicles should be subjected to a comprehensive security evaluation and testing process, and businesses that intend to purchase driverless cars should hold off on purchasing vehicles that haven’t been proven safe.
Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.
He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.
Post new comment
Please Register or Login to post new comment.