,

“Botnets on Wheels” – How Hackable Are Connected Autonomous Vehicles And What Are We Doing About It?

zack walker

Can you imagine the vehicle of the future? The vehicle of the future will not have a steering wheel, no pedals for acceleration and brakes – you will not be able to drive it at all! Most – if not all – of you will have heard a lot about autonomous vehicles by now. It is being talked about as the end goal for cars as we know them today and a lot of research is being committed towards this goal. But car companies are not about to release autonomous vehicles (AVs) upon the world overnight. It is an evolutionary process. The Society of Automation Engineers (SAE) has defined levels of autonomy, widely known as the SAE Levels of Driving Automation, which classify any given vehicle into one of six levels ranging from 0 (fully manual) to 5 (fully autonomous):

Level 0: No Automation
At this level, there are no automated functions in the vehicle. The human driver is responsible for all aspects of driving, with technology providing only warnings or alerts as support.

Level 1: Driver Assistance
Level 1 features individual automated functions, such as adaptive cruise control or lane-keeping assistance. These assist the driver but do not fully take over vehicle control. The human driver must remain engaged and can override the assisting functions when necessary.

Level 2: Partial Automation
At Level 2, the vehicle can simultaneously control steering, acceleration, and braking. However, the driver must remain actively attentive to the road and keep their hands on the steering wheel. It represents an advanced form of driver assistance but still requires human intervention.

Level 3: Conditional Automation
Level 3 allows the vehicle to take full control under certain conditions, without the need for constant human supervision. The driver can engage in other activities while the vehicle handles the situation independently. However, the driver must be prepared to take over when the system requests.

Level 4: High Automation
In Level 4, the vehicle can drive autonomously in most situations without human intervention. It can handle specific scenarios, such as highway driving or navigating within well-defined areas. Nonetheless, there are still environments where the vehicle cannot operate autonomously, and the driver must take control.

Level 5: Full Automation
Level 5 represents the highest level of autonomy. Vehicles at Level 5 do not require any human input and can operate autonomously in any situation, under all conditions, and in any environment. They have the potential to be completely driverless.

Most cars on the road today are Level 0 or 1. Some more advanced vehicles can already achieve Level 2, with the well-known Tesla models being one of them. In the coming years, vehicles that can achieve Level 3 autonomy will be brought to market with Mercedes Benz and BMW planning to release their first Level-3-cars in 2023 or 2024 [2], [3].

There are many  advantages that come with fully autonomous vehicles. They have the potential to dramatically reduce accidents and fatalities on the roads by eliminating human errors, such as distracted driving, fatigue, impairment and relatively slow reaction times.
Furthermore, AVs can be programmed to drive at optimal speeds, maintain safe distances from other vehicles and make coordinated decisions. As a result of this, traffic congestion will be reduced, and traffic flow will be enhanced.
Level 5 AVs also provide increased mobility options for individuals who are unable to drive, such as the elderly, disabled or visually impaired.
The time spent commuting can be much more productive. Instead of focusing on driving, occupants can use their travel time for work, relaxation or leisure activities.
A final big advantage of a world full of autonomous vehicles I would like to dive a bit deeper into is that of connected mobility.

Connected Mobility

Connected mobility refers to the integration of various technologies and communication systems to enhance the efficiency, safety and overall user experience in transportation. Basically, it involves connecting vehicles to each other, to infrastructure (like traffic lights, signs or even the roads) and to other devices and services, creating a network of interconnected smart transportation solutions (like an Internet of Things) [4].

So what are the advantages of this? Well, let me explain using a simple scenario. Imagine you are going on multi-hour journey in a fully autonomous car. You plan a route on your phone and send that route information to your AV. During your journey a severe thunderstorm along the route causes it to no longer be an efficient route due to congestion. AVs in the area will communicate the situation to your car and it will automatically find an alternative route around the storm. Additionally, it will communicate with other vehicles attempting to bypass the storm and together, the vehicles will evenly split themselves onto alternative routes (kind of like real-world load-balancing). Because your AV will execute this process autonomously, you will never know that you just bypassed a slow route.

So, connected mobility allows vehicles to access real-time data about traffic conditions, road closures, accidents, and weather updates. This information can be used to optimize routes and provide drivers with live navigation assistance, avoiding congested areas and reducing travel time.
By enabling vehicles to communicate with each other and with surrounding infrastructure, connected mobility can also significantly improve road safety. Vehicles can exchange information about their speed, location, and intentions, allowing them to anticipate potential collisions or hazards.

But you may wonder: With so many vehicles being in constant communication with each other, doesn’t this pose a threat to security?

Yes, absolutely. Connected mobility introduces significant cybersecurity vulnerabilities. The interconnected nature of vehicles and infrastructure creates more potential entry points for cyber attackers, leading to data breaches, privacy violations, and even the possibility of malicious control over vehicles. Cyber crime is abundant these days: according to statista, there were 15 million known instances of malware infections of PCs and mobile phones in Germany in 2022 [5] and 46% of companies in Germany were affected by at least one cyber-attack in 2022 [6].

It is one thing to lose sensitive data like credit-card details or passwords to banking accounts, but you do not want to be sitting in a two-ton steel box hurtling down the highway at 150 km/h while the vehicle downloads a malicious software update. So, let’s look at the challenges that AVs pose to cybersecurity in more detail.

Challenges to cybersecurity

In principle, software is what makes autonomous vehicles possible – good old lines of code. In today’s high-end cars, there are tens of thousands of lines of code controlling so-called Electronic Control Units (ECUs). In the context of automotive technology, Electronic Control Units (ECUs) are specialized microprocessors or electronic modules that are responsible for controlling and managing various electrical and electronic systems within a vehicle. ECUs are essentially small computers dedicated to specific functions, and modern vehicles can have numerous ECUs distributed throughout their different subsystems.

Examples for ECUs in modern day automobiles are the Steering and Braking Control Unit, Engine and Transmission Control Unit, Airbag Control Unit or the Vehicle Access System. Each of these ECUs are potential attack points and with autonomous vehicles and connected mobility, the amount of attack surfaces will only increase. AVs will include additional control units e.g. for communicating with infrastructure systems.

With this knowledge, it is possible to identify many threats to connected vehicles:

Cloud Service Providers: As connected vehicles, including AVs, rely heavily on cloud services to enable real-time data exchange and access to various functionalities, cloud service providers become critical points of vulnerability. A compromised cloud service provider could be exploited to access sensitive vehicle data, manipulate data flows, or even serve as an entry point to gain unauthorized access to the vehicle’s control systems. As AVs become part of larger fleets, a breach in a cloud service provider’s security could have severe consequences for the entire fleet, leading to widespread disruption or attacks on multiple vehicles simultaneously.

Denial of Service Attacks: AVs, being essentially “Botnets on wheels,” can be attractive targets for cyber attackers looking to launch Denial of Service (DoS) attacks. If a large number of AVs are compromised, they could be harnessed to flood networks or infrastructure systems with excessive data requests, overwhelming the systems and causing service disruptions. Such attacks could have serious implications, ranging from traffic congestion due to disrupted traffic management systems to more severe consequences if safety-critical systems are affected, potentially jeopardizing the safety of passengers and other road users.

Malware Injection and Code Manipulation: The multitude of ECUs in connected vehicles provides numerous entry points for cyber attackers to inject malware or manipulate the vehicle’s code. A successful attack could lead to unauthorized control over critical systems, such as braking or steering, jeopardizing the safety of the vehicle’s occupants and others on the road. Malicious code injection could also compromise the vehicle’s onboard diagnostics and lead to false readings, hindering proper vehicle maintenance and repair.

An example from a few years back that demonstrates the real-world risks of connected vehicle hacking occurred when cybersecurity researchers Charlie Miller and Chris Valasek successfully hacked a Jeep Cherokee in a controlled environment [7].
This incident highlighted the vulnerabilities present in modern connected vehicles and served as a wake-up call for the automotive industry regarding the importance of robust cybersecurity measures.

In July 2015, Miller and Valasek collaborated with Wired magazine to demonstrate how they remotely took control of a 2014 Jeep Cherokee’s critical systems through its Uconnect infotainment system, which was connected to the internet. The researchers exploited a vulnerability in the vehicle’s software, which allowed them to access the ECUs responsible for the engine, steering, brakes, and other safety-critical systems.

During the demonstration the two cybersecurity researchers started by taking over control of systems like the air conditioning and the radio systems before disabling the acceleration and brakes of the vehicle while it was driving on the highway – all from the comfort of their home.

While this took place quite a while ago, it underscores the urgent need for the automotive industry to implement robust measures to protect connected vehicles from potential attacks. It is an eye-opening experiment and I recommend watching the video about it: https://www.youtube.com/watch?v=MK0SrxBC1xs

In recent years there have been increasing reports of hackers taking control of a vehicles systems remotely with Tesla being featured in the media most often. An article from the Detroit Free Press reported that there were at least 150 automotive cybersecurity incidents in 2019, part of a 94% year-over-year increase since 2016 [8].
Most recently, in March of 2023 a group of security researchers were able to remotely gain access to multiple separate Tesla systems and render the vehicle unsafe to drive [9].

The numerous reports on vehicle hacking highlight the genuine threat posed to the future of connected vehicles. In a world where connected autonomous vehicles become ubiquitous, it is likely that incidents involving hacked vehicles will become more common – a seemingly inevitable scenario. Acknowledging this, the question arises: how can we proactively address the problem and strive for a secure world of mobility? What steps are being taken to prevent hackers from easily controlling AVs?

Solution approaches

There have been a significant number of publications made by leading automotive industry organizations, research institutions and government agencies.

These publications include:

  • “Automotive Cybersecurity Best Practices” by the Automotive Information Sharing and Analysis Center [10]
  • “Securing the Modern Vehicle” by the Society of Automation Engineers International [11]
  • “Automated Vehicles – Comprehensive Plan” by U.S. Department of Transportation (DOT) [12]
  • “Safety First for Automated Driving” by leading automakers BMW, Audi, and Mercedes-Benz [13]


While I cannot outline all the measures outlines in each of these publications in this blog post since would blow the scope of the blog, the above publications have a lot of things in common, which I will outline here (Again, I fully recommend checking out the full publications – they hold fascinating insights not only for the automotive industry, but for general cybersecurity issues, too).

  1. Secure Development Lifecycle (SDL)
    All of these papers emphasize the importance of implementing cybersecurity measures from the early stages of vehicle development. It’s all about having a game plan from the get-go. It doesn’t make sense to build a product and then slap the security measures on afterward. The SDL ensures that security is on the menu right from the start. The SDL splits its magic into three stages: Preliminaries, Development, and Sustainment. In the Preliminaries, the development team gets their training, learning all about the latest security trends and tricks. They create guidelines and rules, setting the stage for a secure development journey. The Development phase includes practices that are familiar in software engineering, such as security requirements definition, threat modeling, static and dynamic analysis, fuzzing, code review and penetration testing. Finally, sustainment includes incident response, update sign-off procedures and other practices that ensure the product continues to operate after release.

  2. Continuous Monitoring and Updates: The papers stress the need for continuous monitoring of connected vehicles and their systems to identify and address potential vulnerabilities. Regular software updates and security patches are essential to keep vehicles resilient to evolving cyber threats

  3. Secure Communication Protocols: Connected vehicles rely on various communication channels to exchange data with other vehicles, infrastructure, and cloud services. The papers advocate for the use of secure communication protocols, encryption methods, and authentication mechanisms to prevent unauthorized access and data manipulation.

  4. Collaboration and Industry Standards
    Finally, the papers bring forward a very important issue: the need for collaboration between automobile manufacturers. Today, if a car has a security vulnerability (like the Jeep Cherokee discussed earlier) it is limited to a specific model. But in the future, we are talking about a network of interconnected vehicles all communicating with one another. A security flaw in a Volkswagen for example can affect all other cars on the road, whether they are the same brand or a completely different one. Sharing knowledge and insights leads to collective improvements in vehicle security and benefits all!

Conclusion

In conclusion, the future of transportation holds incredible promise with the advent of autonomous vehicles and connected mobility. As we progress through the levels of driving automation, from Level 0 to Level 5, we can anticipate numerous benefits, such as increased road safety, reduced traffic congestion, and enhanced mobility for those who cannot drive.

While the potential advantages are substantial, we must also address the challenges posed by cybersecurity vulnerabilities. With connected vehicles relying heavily on cloud services and communication channels, the risk of cyber attacks increases significantly. Threats such as Denial of Service attacks, malware injection, and code manipulation highlight the urgent need for robust cybersecurity measures. As more and more connected vehicles fill our roads, we will hear more stories like the one of the Jeep Cherokee, but fortunately, the automotive industry is not turning a blind eye to these issues.

As we look forward to a future with autonomous vehicles and connected mobility, it is imperative that we embrace innovation while ensuring the safety and security of this transformative technology. By taking proactive measures and adopting robust cybersecurity practices, we can navigate the road ahead with confidence and embrace the full potential of this revolutionary transportation era.

References

[1]SAE International, “Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles,” 30 04 2021. [Online]. Available: https://www.sae.org/standards/content/j3016_202104/. [Accessed 15 07 2023].
[2]D. Fluhr, “Mercedes erhält Zulassung für Level 3 in Kalifornien,” 12 06 2023. [Online]. Available: https://www.autonomes-fahren.de/mercedes-erhaelt-zulassung-fuer-level-3-in-kalifornien/. [Accessed 15 07 2023].
[3]D. Fluhr, “BMW: 5er Serie erreicht Level 3,” 15 06 2023. [Online]. Available: https://www.autonomes-fahren.de/bmw-5er-serie-erreicht-level-3/. [Accessed 15 07 2023].
[4]“Intelligent mobility: connected cars and autonomous driving,” [Online]. Available: https://www.t-systems.com/de/en/industries/automotive/connected-mobility. [Accessed 16 07 2023].
[5]Statista, “Meldungen von Schadprogramm-Infektionen durch das Bundesamt für Sicherheit in der Informationstechnik (BSI) in den Jahren 2018 bis 2022,” 08 2022. [Online]. Available: https://de.statista.com/statistik/daten/studie/1230640/umfrage/meldungen-von-schadprogramm-infektionen-durch-das-bsi/. [Accessed 16 07 2023].
[6]Statista, “Anteil der Unternehmen, die in den letzten 12 Monaten eine Cyber-Attacke erlebt haben, in ausgewählten Ländern im Jahr 2022,” 05 2022. [Online]. Available: https://de.statista.com/statistik/daten/studie/1230157/umfrage/unternehmen-die-in-den-letzten-12-monaten-eine-cyber-attacke-erlebt-haben/. [Accessed 16 07 2023].
[7]A. Greenberg, “Hackers Remotely Kill a Jeep on the Highway—With Me in It,” WIRED, 21 07 2015. [Online]. Available: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. [Accessed 18 07 2023].
[8]J. L. Lareau, “It’s easier for your car to be hacked than you might think: How to protect yourself,” Detroit Free Press, [Online]. Available: https://eu.freep.com/story/money/cars/2021/08/24/car-hack-vehicle-protection-cybersecurity/8218898002/. [Accessed 21 07 2023].
[9]L. Leffer, “Hackers Render Tesla Car Unsafe to Drive, Win Themselves a Model 3,” 24 03 2023. [Online]. Available: https://gizmodo.com/tesla-hack-hackers-model-3-elon-musk-hackathon-1850263319. [Accessed 21 07 2023].
[10]AUTO-ISAC, Automotive Cybersecurity Best Practices, AUTO-ISAC, 2019.
[11]Ponemon Institute, Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices, Synopsys Inc & SAE International, 2018.
[12]E. L. Chao, “Automated Vehicles – Comprehensive Plan,” 01 2021. [Online]. Available: https://www.transportation.gov/sites/dot.gov/files/2021-01/USDOT_AVCP.pdf. [Accessed 21 07 2023].
[13]M. W. e. al, Safety First For Automated Driving, 2019.

Posted

in

,

by

zack walker

Comments

Leave a Reply