Self-Driving Cars are Here—But Can We Keep Them Secure?
As automated cars’ functionality increases exponentially, so too does the number of threat points where a hacker could take control.
This program was produced by the Marketing Department of WIRED and Ars in collaboration with CA Technologies.
Calling them automated—or self-driving—cars doesn’t quite capture the security implications. Crucially, they are also connected cars. With a vast number of online touch points to keep the radio, GPS, engine and everything in between updated and running, connected vehicles have a startling number of potential security vulnerabilities.
“The security risk is not so much on the vehicle itself, but on the entire network around it,” says David Chiu, Director of Product Marketing for CA Technologies’ API Management team. “Therein lies the problem.”
APIs allow the car’s applications to communicate with their developers, and that layer, or “surface” in industry parlance, represents a crucial security barrier. Smartphones and laptops have managed security in this way for years, but only as cars have come online has the auto industry started thinking in such terms. The more functionality a car has, the larger the surface for outside attacks.
A Network of Security Concerns
Researchers have been demonstrating how to hack cars for half a decade, since companies started installing on-board computing systems like GM’s OnStar, Ford’s Sync and Bluetooth connections for hands-free phone calls. Last summer, WIRED worked with Charlie Miller and Chris Valasek, two white hat hackers, to demonstrate a connected car’s security risks. The hackers were able to take control, from a house 10 miles away, of an SUV as the vehicle sped down a St. Louis highway.
In February, a security researcher exploited an API to take control of a Nissan LEAF's A/C from halfway around the world using only a VIN and a basic web request. The findings led Nissan to take the vehicle’s companion app offline.
This attack was confined to making the car cold, not to controlling the car’s acceleration or steering, but it demonstrates a security challenge for engineers. If, say, the radio and the transmission both touch the same system, and the APIs between them aren’t secure, pathways could exist to bridge the two: a hacker could conceivably take control of the engine via a music app.
“Each connection is a potential threat point,” Chiu says. “Each one could potentially be hacked, or have scale or failure problems.”
Mitigating the Risk
“It is impossible to eliminate cyber security attacks [so the auto industry] must shift its focus to managing them,” said Jan Mohr, who recently authored a self-driving technology report for Boston Consulting Group (BCG) and the World Economic Forum.
The management challenges are all the more pressing since the connected vehicle market shows no signs of slowing. A 2015 report forecasts it skyrocketing to $100 billion by 2018. And since those cars will be logging people’s every movement—a requirement for autonomous cars to function—the automakers and technology firms pushing the technology will need to deploy secure APIs that protect data histories.
But with traffic and navigation systems, geo-locating satellites, in-car apps for music, games and entertainment, plus regular software updates to the interconnected systems, security developers will continue to grapple with internet-connected vehicles' weak points before software takes the wheel for good.
“It's really an ecosystem concept,” Chiu says.