Missteps in Securing Autonomous Vehicles
Recently an autonomous car company highlighted some plans to keep their vehicles safe from hacking. Yet their plans won’t actually make them secure. Such gaffes highlight issues across many different industries where cybersecurity is not sufficiently understood by manufacturers to deliver products hardened against attack. The result, in the case of autonomous vehicles, could be catastrophic.
In the article Why Some Autonomous Cars Are Going to Avoid the Internet, the CEO of the company told the Financial Times (paywall) “Our cars communicate with the outside world only when they need to, so there isn’t a continuous line that’s able to be hacked, going into the car”. They are choosing to operate the cars in a mostly offline manner to protect against cyber threats.
Sounds Effective
At first glance, this would seem to be a worthwhile protection mechanism against hackers. It is not. The ‘control’ is to reduce connectivity to the Internet, which does provide some security value for the time the car is not connected. But that is where the logic falls apart; in the end, it does not significantly reduce the chances of being attacked.
It seems logical that reducing the overall vulnerability of a system will improve its security. But that is not always the case. Just because you remove 50% of the vulnerabilities, it does not mean you reduced the chances of being victimized by half. It is more complex, as other dependencies are at work. This mistake is even common among entry-level security professionals who are taught to think of risk as a pure equation (R = T x V x I). Risk equals the Threat times the Vulnerability multiplied by the Impact, which is a fine equation when used properly for a specific purpose: reduce any amount of vulnerability and the resulting risk is also reduced. However, this equation is not applicable to every problem or discussion.
Back to the autonomous vehicle security problem. Intermittent connectivity is a reduced availability tactic. To the attackers, it is simply a network latency problem and can be easily overcome. There is a great deal of precedent and history proving this, which I won’t get into. Instead, let’s think about the problem in a different way by using an analogy.
Building a Wall
Imagine you were tasked with protecting your village from marauders. You employed a security specialist to greatly reduce the risks of bandits getting into your hamlet and causing havoc. A wall is built halfway around your town, visible to all. The security specialist then confidently announces he has reduced the vulnerabilities by half, and therefore significantly reduced the chances of a successful attack by 50%. Nope. The marauders simply need to walk around the wall to get into the town. It might slow them down, as they are laughing and walking around the defenses, but it will not deter or prevent an attack.
The same is being proposed here, which is why reducing the Internet connectivity of autonomous vehicles is an ineffective security control. Such tactics have proven futile in the past.
Exploitation
The root of the logic problem is in thinking about security in terms of equal vulnerabilities. Not all weaknesses are the same. There may be a hundred vulnerabilities but only 5 are being used to compromise a system. Only the efforts to close those 5 (the ones being exploited) will be important, while the other 95 are meaningless to the immediate goal of being secure.
Cyberattackers will wait for connectivity to compromise devices, just like thieves will bypass the locked door to enter via the open window, and bandits will walk around a wall to enter a village unimpeded. The chances of attack are not significantly reduced, just the timeliness of when it will occur.
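A toy model of the two points above (weaknesses weighed by whether they are actually exploited rather than counted, and intermittent connectivity as a waiting game), added here as an example and not part of the original post; the class, functions and sample values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One weakness in the vehicle. Fields are constructed for this model."""
    name: str
    exploited: bool      # is an attacker actually using this one today?
    impact: float        # damage if it is used, on a 0..1 scale
    threat: float = 1.0  # likelihood an attacker tries it (assumed 1.0 here)


def risk(vulns):
    """R = T x V x I, summed only over the weaknesses attackers are using.
    The remaining weaknesses contribute nothing to the immediate risk."""
    return sum(v.threat * v.impact for v in vulns if v.exploited)


def close_half_by_count(vulns):
    """The 'remove 50% of the vulnerabilities' policy: close the first half of
    the list without checking which ones are actually being exploited."""
    return vulns[len(vulns) // 2:]


def close_exploited(vulns):
    """Close only the weaknesses that are actually in use."""
    return [v for v in vulns if not v.exploited]


def p_access_within(p_online, intervals):
    """Chance that a patient attacker sees at least one connectivity window in
    the given number of polling intervals, if the car is online in each
    interval with probability p_online: 1 - (1 - p)^n. Lowering p_online
    stretches the wait; it does not cap the chance of eventual access."""
    return 1.0 - (1.0 - p_online) ** intervals


# Constructed sample: 100 weaknesses, only the last 5 are being exploited.
SAMPLE = [
    Vulnerability(f"v{i}", exploited=i >= 95, impact=0.5 if i >= 95 else 0.1)
    for i in range(100)
]

if __name__ == "__main__":
    print("baseline risk:       ", risk(SAMPLE))
    print("after closing half:  ", risk(close_half_by_count(SAMPLE)))
    print("after closing the 5: ", risk(close_exploited(SAMPLE)))
    for hours in (1, 24, 100):
        print(f"online 5% of hours, attacker waits {hours:3d}h:",
              round(p_access_within(0.05, hours), 3))
```

Closing half the list by count leaves the risk unchanged because the five exploited weaknesses survive, while closing just those five drives it to zero; and at 5% uptime the attacker's chance of a window passes 99% within 100 polls.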
Accountability
In this case, the car company is promoting a security design feature which really is ineffective. Yet, they don’t even realize it. As consumers, we must hold manufacturers accountable for the security, safety, and privacy of the products they produce. This is especially true of devices that hold the potential for life-safety risks. It should draw concern when in marketing and public communications, companies are showing a lack of cybersecurity knowledge and experience, likely as a result of improper skill-sets or executive prioritization, while at the same time exhibiting confidence in the security of their products. It is a dangerous combination.
Getting Security Right
It is important to institute optimal security capabilities as part of the design and core functions (Hardware, Firmware, OS/RTOS, software, endpoints, networks, etc.) to protect passengers and pedestrians from potentially catastrophic accidents resulting from digital compromises. Security must be effective, economical, and not undermine usability.
Understanding cybersecurity can be challenging, but many car companies are investing heavily in autonomous vehicles to make it a reality. As part of that investment, they must employ the right caliber of cybersecurity professionals to develop a proper strategy, architecture, and capabilities. Thankfully, I do know many in the field who are working on more comprehensive solutions, beyond reducing internet connectivity, to manage the broad range of risks that could impact us all. I believe it is time for all the automakers to work together and develop cohesive capabilities that meet the growing expectation of security, privacy, and safety.
Interested in more? Follow me on Twitter (@Matt_Rosenquist), Steemit, and LinkedIn to hear insights and what is going on in cybersecurity.
Great article about something I was only partly aware of. Thanks for the awareness raised through education. All for one and one for all!!! Namaste :)
Glad you read it! It was a bit long, but I have a hard time stopping when I get going. I like this stuff way too much.
They should assume it will be attacked and design in such a way that recovery from attack is nearly instantaneous while damage from an attack is controlled. Self healing basically is what is needed.
The Internet is only one attack vector. So how can the damage of an attack be controlled? First you need a way to easily and quickly detect an attack. Then you need counter measures for any possible attack scenario.
Manual override for example, or the ability to reconstruct critical software that has been damaged, or the ability to have artificial diversity so every vehicle is slightly different so that one attack method doesn't work on every model.
I don't think Internet connectivity by itself is the problem or the solution. I think whatever flaws a remote attacker can exploit via Internet connectivity can be exploited in other settings provided there is the possibility of input in general. This could be locally or remotely exploited and the same problems would remain, but a lot can be done.
Formal verification of the code to the critical portions of the vehicle.
Artificial diversity so that each vehicle has a slightly different protocol arrangement yet can accomplish the same tasks.
Validation and security on all inputs.
Tamper resistance and detection.
Manual override.
Self healing or recovery where a vehicle can reconstruct its firmware or securely update it by connecting to other vehicles or to the Internet depending on the set up.
These are just some ideas off the top of my head. Bug free code is difficult to write but not impossible. NASA manages to do it so it would require a similar effort. Artificial diversity has been shown already by DARPA. Self healing networks or disruption tolerant networks are both possible as well.
You bring up a number of good ideas. But remember it is not simple. Autonomous cars are electronic ecosystems unto themselves, with processors, storage, interfaces, networks, and users. The same issues we deal with daily to protect servers, data centers, networks, the Internet, PCs and phones apply to autonomous vehicles. There are no simple answers or solutions (else the rest of computing would be secure by now).
Smart minds are working the problems, both on the good as well as attacker side.