Self-driving cars are much closer to becoming an everyday reality than many people think. The problem, though, is securing them to a proper degree. On that front, researchers in the automotive security field offer good news and bad news.
Manufacturers of autonomous (driverless) vehicles have started this year to test their products in real-world traffic conditions, paving the road for the technology to become available for purchase in a few years. Consumers will soon be able to ride on approved roads in cars with no driver behind the wheel.
At the Black Hat security conference this year, Charlie Miller and Chris Valasek talked about securing self-driving cars in a corporate-owned fleet. The two are well-known for their car-hacking research and for demonstrating three years ago a remote control attack on a Jeep Cherokee.
Autonomous cars are essentially computers on wheels, with an attack surface consisting of software, firmware and the hardware available under the hood. Technology standards in car manufacturing are not aligned to current security practices, making the end product vulnerable to exploitation techniques that are common, and easy to defend against these days.
The use of outdated, insecure technology is one problem in developing cars of the near future. Although in themselves they constitute cutting-edge technology, the various sensors, microcontrollers and actuators that dictate their responses are from an earlier generation, unfamiliar with modern security issues, yet highly susceptible to them.
For internal communication between components, for instance, autonomous vehicles use Ethernet, which comes with an authentication mechanism for the devices that want to connect to the network. However, not all devices support this feature. Many Ethernet-based cameras, essential for mapping the surroundings and feeding the input to the computers in the car, “aren’t too concerned with device authentication at that layer,” the researchers explain.
The good news is that the security hurdles are surmountable, at least to a degree that covers realistic and likely threat models, such as remote attacks, physical access, and attacking individual parts of the vehicle. This is achievable through trusted execution at boot time, cryptographic identities, code and data signing, encryption, and network segregation.
Furthermore, companies that use autonomous vehicles for different types of transportation services can keep them under constant supervision and run diagnosis and install corrective updates when the cars return to the garage at the end of their shift.
For the moment, driverless vehicles produced and tested by notable players on the market are for ride-sharing purposes. The researchers did not consider cars owned by consumers in their paper.
Image credit: Open Motors
tags
November 14, 2024
September 06, 2024