Knight Rider fans, rejoice! Soon, you can have your own automated vehicle. While the arrival of connected cars and autonomous vehicles (“AV”) brings a potential increase in efficiency, safety, and mobility, it also presents unique cybersecurity risks. In a recent global study, more than half of corporate risk managers expressed concern about cybersecurity in AV, but felt unprepared to address these issues. Amid the uncertainty, Mcity, a University of Michigan research center, released a white paper introducing a tool to identify and analyze potential cybersecurity threats to self-driving cars.
Background: The Tech and the Risk
As with other products in the IoT, connected cars generate large amounts of data and may be attractive targets for cyber-attacks.
In 2015, researchers simulated a hack into the operating system of an Internet-connected vehicle. Along with remotely manipulating the car’s radio and air conditioning, the white-hat hackers also disabled the car’s brakes and altered steering controls. In 2016, high-tech thieves in Texas stole more than 100 cars by accessing keycode databases that allowed them to reprogram keyless entry and ignition systems. In 2017, researchers bypassed anti-hacking mechanisms and exploited vulnerabilities in vehicular internal networks to send commands to shut off automated features like airbags and door locks.
One can imagine similar attacks on AV. For example, a ransomware attack could remotely reroute a car and require a payment of ransom to regain control of the operating system. Jamming or spoofing attacks might target data integrity by interfering with signaling mechanisms, for example, causing GPS navigation systems to send a vehicle off a cliff. Cybersecurity vulnerabilities in traffic systems that rely on data to avoid crashes may be particularly dangerous. It can be an issue of life and death, for example, if a vehicle platooning closely behind another sends a false signal that it is braking, when in fact it is accelerating. In addition to the risk of physical harm, vulnerable cars can require burdensome software updates or costly recalls.
Analysis: U.S. Regulatory and Industry Frameworks and Guidance
Though designed for researchers, Mcity’s threat identification model provides a helpful framework for auto manufacturers, local governments, tech lawyers, or anyone analyzing the cybersecurity risks of AV and connected cars. The proposed model assesses the likelihood of a successful attack on AV based on the following considerations:
- Identity, motivations, and capabilities of the attacker (e.g., is the attacker an auto mechanic, car thief, or hacktivist?);
- Vulnerabilities in all components of the technology, including sensors, GPS systems, and databases;
- Method of attack, such as spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege;
- Difference between the attacker’s ability to execute a successful attack, and the system’s potential to withstand the attack; and
- Impact of the attack on various stakeholders, measured by financial loss, privacy, and safety.
Each consideration is applied to an attack scenario and then scored on a weighted scale to evaluate potential cybersecurity threats. Mcity’s model provides a valuable step in identifying and analyzing risk, but how do legal frameworks help companies prevent an attack, respond to a breach, or navigate the unique ethical considerations raised by AV?
Currently in the United States, no federal legislation directly governs the cybersecurity of connected cars, and although twenty-one states have passed legislation related to AV, only four address cybersecurity issues. Conflicts in laws between various jurisdictions also create uncertainty.
Several federal agencies have issued non-binding guidance for the connected car and AV industry. The Department of Homeland Security’s Cyber Physical Systems Security project brings together industry, academic, and government stakeholders to increase cybersecurity in vehicles. The National Highway Traffic Safety Association (“NHTSA”) has proposed a layered approach to cybersecurity: implement preventative measures, isolate vulnerable systems, detect and respond to intrusion in real time, and assess solutions based on previous successful and thwarted hacks. In its non-regulatory 2017 Automated Driving Systems policy framework, the NHTSA encouraged the auto industry to collaborate to develop unified security systems, adopt a standard vulnerability reporting/disclosure policy, and share information to prevent repeat attacks across different stakeholders. Similarly, the FTC recently issued a staff perspective urging the industry to take steps to reduce the risk of hacking and other attacks on connected cars. Its recommendations include sharing information among those in the connected car ecosystem, designing networks to reduce risk (such as segregating safety-critical functions from other functions), engaging in privacy-by-design risk assessment and mitigation, and participating in industry self-regulation.
Connected cars and AV present complex questions at the intersection of technology, law, and policy. As the technology grows more prevalent, the industry and lawmakers will work in parallel to regulate this technology and mitigate cybersecurity risk.