Is your car protected from hackers? It was this question that prompted researchers to remotely attack a 2014 Jeep Cherokee as it drove down a freeway at 70 mph, killing its engine and leaving the driver in real danger. The attack was intended to demonstrate to the driver (Wired author Andy Greenberg) how vulnerable modern cars are.

This demonstration is gruesome and raises serious questions about the safety of cars — both today’s internet-connected cars and future autonomous vehicles.

How to hack a car

The attack was carried out through the car's entertainment system, which connects to the Internet via a cellular network. The attack does not require physical access to the vehicle — or even physical proximity. An attacker can cripple a car from anywhere in the world at any time.

Over a million vehicles have been recalled as a result of this article and will receive updates to improve protection against this type of attack.

The freeway demonstration was risky, and the internet reacted badly to the unnecessary risk, but that is not what we are looking at here. It is true that the researchers were wrong to unnecessarily endanger human life. However, we must not let this distract us from the bigger issue: it is urgent to secure our cars against such attacks.

In the case of vehicles such as the Jeep Cherokee, this problem could have been avoided simply by not linking the vehicle’s internal computer (which performs basic functions such as braking) to an internet-enabled entertainment center. Making a computer secure when it is not physically connected to the outside world is quite simple.

However, with the advent of autonomous vehicles, having these main computers connected to the internet will be more and more necessary.

Which can be a really big problem.

Who’s afraid of a two-ton killer robot?

The concern here is pretty obvious. Google’s robotic car may look cute, but it’s still an industrial robot at the end of the day — a big, heavy, dangerous machine that can travel at high speeds. In the hands of Google’s carefully crafted software, these cars are safer than human drivers. This is a testament to the vast amount of development, research and testing that Google has done on this issue. However, this does not mean that the car will remain safe under the control of a hacker.

A robot car under malicious control can be used for kidnapping and murder. An attacker could hijack a car mid-journey and send it to a new destination. They could drive it off a bridge. They could use an empty car to deliver a car bomb, or send multiple cars to physically crash into people or buildings. This is an intimidating range of possibilities, especially since computer security is so complex. If we can’t protect 95% of Android phones, how can we secure robotic cars?

This threat is so obvious that even politicians have noticed it. West Virginia Senator Jay Rockefeller said that

“And as our cars become more and more connected – to the Internet, wireless networks, to each other and to our infrastructure – are they at risk of catastrophic cyberattacks? […] In other words, can any 14 year old from Indonesia figure out how to do this and just turn off their car…because everything is connected now?”

Good news

Fortunately, there are some reasons not to get bogged down in scenarios of doom and gloom. For starters, we can make autonomous cars much safer than smartphones or PCs.

Smartphones have to let users run arbitrary applications, cope with endless variations of hardware and software, and carry the complexity inherent in any general-purpose operating system. Self-driving cars can be more locked down, with much smaller attack surfaces. This allows them to be designed for greater security.

It’s also worth noting that Google takes these threats seriously, not just the obvious ones. According to Chris Urmson, Google SDC Project Lead,

“There is no silver bullet for security and we are taking a layered approach […] Obviously there is encryption and very narrow interfaces or no interfaces at all. You do your best to protect the outer layer and then make the inner layer safer.”

This means that Google uses the concept of defense in depth — dividing the work of the machine into separate layers. Critical components are isolated from less critical components, making it difficult to compromise the entire vehicle in a single hack. To speculate a bit, critical functions such as braking when an object is detected in front of the car can be handled by a completely isolated processor — meaning that no software change can cause the car to crash into a person or object.
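One way to picture the "very narrow interface" between a less critical layer and a critical one, as an added example (not code from Google or any manufacturer): a default-deny gateway that lets only a fixed set of messages cross from the entertainment side. The message IDs, lengths and value limits are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical frame travelling from the entertainment domain toward
   the control domain. All IDs and limits here are constructed. */
typedef struct {
    uint16_t id;
    uint8_t  len;
    uint8_t  data[8];
} frame_t;

typedef struct {
    uint16_t id;      /* message allowed to cross */
    uint8_t  len;     /* exact payload length required */
    uint8_t  max_b0;  /* upper bound for the first payload byte */
} rule_t;

/* The narrow interface: two comfort requests and nothing else.
   No rule addresses braking, steering or engine control. */
static const rule_t ALLOW[] = {
    { 0x3A0, 1, 30 },   /* cabin temperature setpoint, 0..30 */
    { 0x3A1, 1, 100 },  /* chime volume, 0..100 */
};

/* Forward only frames that match a rule exactly; deny by default. */
bool gateway_forward(const frame_t *f)
{
    if (f == NULL || f->len > sizeof f->data)
        return false;
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++) {
        const rule_t *r = &ALLOW[i];
        if (f->id == r->id && f->len == r->len && f->data[0] <= r->max_b0)
            return true;
    }
    return false;
}

int main(void)
{
    frame_t setpoint = { 0x3A0, 1, { 22 } };  /* allowed request */
    frame_t unknown  = { 0x120, 1, { 1 } };   /* ID not on the list */
    printf("setpoint forwarded: %d\n", gateway_forward(&setpoint));
    printf("unknown forwarded:  %d\n", gateway_forward(&unknown));
    return 0;
}
```

Because the rule table is the whole interface, a compromise of the entertainment side can at most send the listed comfort requests with in-range values.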

Google is also looking into less traditional threats that only affect robotic vehicles and is proposing countermeasures. As Urmson says, “If you just look at traditional computer threats, you’ll be missing out on much more serious threats.” For example, the cars themselves are predictable enough that Urmson can point to a number of scenarios where that predictability can be used.

  • “What happens when you have two advanced cruise controls and the one in front starts to speed up and break down, so the one in the back starts doing the same thing in a more forced way?”
  • “We are looking at collision avoidance systems. They rely on radar. We think we can manipulate radar sensors to some extent. Is it easy for an attacker to create an obstacle out of thin air?”
  • “Car manufacturers always maintain the proper interval in adaptive cruise control. You can get interesting effects if [someone] processed certain inputs or misbehaved to create a very large traffic jam.”
  • “If I’m a transportation company and I want to slow down the competition… I can use their sensors and keep making their cars slow down and accelerate. We have already demonstrated in theory that this is possible.”

These scenarios may seem paranoid until you realize that these cars are likely to be very common in the future. Attacks that seem pointless or stupid become much more frightening when you imagine that more than half of the cars on the road are fully autonomous robots. Self-driving cars could be as ubiquitous a form of infrastructure as the electric grid. And, inevitably, people will try to find ways to use them for personal gain.

The conclusion is that Google is well aware of the security threat and is prepared to deal with it. The reason existing cars are unsafe is not because they are extremely difficult to keep safe. This is because automakers are incompetent in computer security and have never faced such threats before. They don’t hire experts to design a secure system — or even warn them that security is needed.

In contrast, Google faces these threats on a daily basis and has a much higher level of security than almost any other company. They will be much better prepared for these difficult tasks.

Safety by Design

All this does not mean that we can rest easy. Google is probably on top of the safety issues for self-driving cars. However, many companies are developing these vehicles. Google is ahead by a huge margin — despite marketing claims to the contrary — but companies like Baidu, Uber and Tesla are desperate to close the gap. Will they be as careful as Google? Will they let security concerns slip in their race to market? This is out of the question.

As consumers, we must be vigilant in this matter. Make security a priority when choosing which services to use going forward. It’s important that robot cars show up quickly — the human cost of drunk and distracted driving requires quick action — but it’s important that this happens without sacrificing safety.

Are you excited about the potential of autonomous vehicles? Worried about security issues? Let us know about it in the comments!
