Security risks and challenges of autonomous vehicles

We used to think about a car’s computer as an embedded microcontroller that did very specific things like regulate fuel/air mix and control the transmission. Now a car is a collection of computers hermetically sealed around a steel frame that happens to have wheels and can take you places.

https://www.mazars.com/

I just purchased a new vehicle for the first time in about eight years, and it’s got some nice features:

- The front and rear sensors don’t just beep, they give approximate distance to the car in front of me.
- The rear camera will signal the brakes if I’m about to back into something, and the car will stop itself.
- The car even has a WiFi hotspot if I want to pay the monthly fee for data so my kids can stream Minecraft YouTube channels on their tablets.

Modern vehicles have so many electronic and computing systems baked into them that when I bought mine in November 2022, the manufacturer was only distributing one key fob per vehicle because of supply issues (it would have been nice to know that before signing all the paperwork).

The point is that we used to think about a car’s computer as an embedded microcontroller that did very specific things like regulate fuel/air mix and control the transmission. Now a car is a collection of computers hermetically sealed around a steel frame that happens to have wheels and can take you places. The leading edge of these computers will even do some of the driving for you.

At some level, this evolution can’t come fast enough. The idea that we can work, read, or just rest and watch the scenery go by while our cars get us from point A to point B more safely and efficiently than we can do as humans sounds incredible. But we should ask questions about device security, data leakage and remote vehicle attacks against increasingly Internet-connected vehicles.

Unlike desktop or modern cloud computing, these systems potentially have far fewer tools to remedy the kinds of security problems we already face elsewhere. And these are problems we already contend with in modern automobiles. A recent article in The Drive discussed security research that found that the shared telematics platform on some vehicle types connected the vehicle’s SiriusXM communications to features like a remote lock or remote start.

Further, a security researcher discovered that these commands were only authenticated with the vehicle identification number (VIN). Other research has found that attackers can:

- Replicate the radio signals between key fobs and vehicles to mimic unlock or start functions
- Spoof GPS signals to confuse the car’s position (potentially resulting in a self-driving vehicle striking an obstacle, pedestrian, or another vehicle)
- Deploy malicious apps to an infotainment system in a manner similar to malicious apps in a mobile device ecosystem
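
The VIN-only commands and the replicated key-fob signals described above both come down to a receiver that cannot tell a fresh, authorized message from anything else. As an added example (not code from the article or from any vendor), this Python block puts a VIN-only check beside a check that requires an HMAC under a per-vehicle key plus a monotonic counter. The VIN, the key, the field names and the message layout are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample data: placeholder VIN and a random per-vehicle key.
VIN = "TESTVIN0000000001"
VEHICLE_KEY = os.urandom(32)  # provisioned secret, never derivable from the VIN


def weak_accept(request: dict) -> bool:
    """VIN-only check: the VIN is an identifier, not a secret."""
    return request.get("vin") == VIN


def sign_command(key: bytes, vin: str, command: str, counter: int) -> dict:
    """Backend side: bind VIN, command and a monotonic counter under an HMAC."""
    msg = vin.encode() + b"|" + command.encode() + b"|" + struct.pack(">Q", counter)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"vin": vin, "command": command, "counter": counter, "tag": tag}


class Vehicle:
    """Vehicle side: verify the tag, then reject stale or replayed counters."""

    def __init__(self, vin: str, key: bytes):
        self.vin, self.key, self.last_counter = vin, key, 0

    def accept(self, request: dict) -> bool:
        try:
            expected = sign_command(self.key, request["vin"], request["command"],
                                    request["counter"])["tag"]
            tag_ok = hmac.compare_digest(expected, request["tag"])
        except (KeyError, TypeError, AttributeError, struct.error):
            return False  # missing or malformed fields never authenticate
        if request["vin"] != self.vin or not tag_ok:
            return False
        if request["counter"] <= self.last_counter:
            return False  # a previously captured message, sent again
        self.last_counter = request["counter"]
        return True


if __name__ == "__main__":
    car = Vehicle(VIN, VEHICLE_KEY)
    print("VIN-only request, weak check:", weak_accept({"vin": VIN, "command": "unlock"}))
    signed = sign_command(VEHICLE_KEY, VIN, "unlock", 1)
    print("signed, then same message again:", car.accept(signed), car.accept(signed))
```

The counter is what separates authentication from freshness: a valid tag proves who built the message, and the counter proves it has not been accepted before.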

In nearly all these cases, updating vehicles in the field to address software deficiencies is exceedingly challenging: it’s mostly governed by recall processes, and the threshold for requiring a recall is both very high and not set up for these kinds of problems.

While the outcomes of these sorts of threats are new, the core weaknesses that give rise to them are not. In fact, security professionals have been identifying and working to correct these issues for decades. You’ve heard of these ideas before: authentication, strong encryption, integrity verification and software updates. These are all concepts the industry has incorporated, however imperfectly, into more conventional ideas of computing, but whenever modern computing and connectivity expand into a seemingly new area, that industry must relearn the lessons from 30 years ago.

We saw this in the 2010s with the rise of Internet of Things (IoT) devices:

- Minimal or no authentication
- Unencrypted communications
- Exposure of sensitive data
- Limited ability to deploy software fixes to devices in use
- Lack of ongoing support from the manufacturer

This ranged from security cameras to baby monitors to devices used to monitor industrial systems – and continues to represent a series of risks to the privacy and security of millions of people. Unfortunately, it appears that the product design efforts in vehicles incorporate too few security efforts too late in the process and leave consumers facing potential risks.

It's important not to overstate anything or spread needless fear. The linkage between SiriusXM and vehicular telematics would allow an attacker to unlock or start a vehicle simply by knowing the VIN, but driving off with it is less likely.

A self-driving situation in which the vehicle gets faulty GPS coordinates can be dangerous but is potentially mitigated either by other safety sensors or the driver assuming manual control. We shouldn’t regard the lack of security in automobiles as acceptable, but fears of a doomsday scenario where the machines have taken over are overblown.

When we look at information and systems security in other contexts (e.g., healthcare, payment cards), the most obvious way to improve security is regulation. Security frameworks with compliance mandates have moved the proverbial needle more than any other motivating factor, such as market incentives or appeals to adhere to best practices.

Regulation is imperfect: it’s costly, often subjective, and sometimes the incentives end up working against the overall purposes. But on balance, efforts like HIPAA, HITRUST, FedRAMP or PCI DSS have moved their industries significantly over the years they’ve been in effect.

It's time for government agencies in charge of vehicle safety to require as much of the computing and electronic systems that are, at this point, core components of modern vehicles.