An article in The Washington Post today presented some scary but unsurprising news about recent advances in hacking into automobiles to take control of them remotely. From several miles away, an attacker could break into the computer system of a car and take over its various systems, including, most alarmingly, the drivetrain. Attacks have been most successful thus far against autos that use Chrysler’s uConnect system, but all vehicles equipped with wireless communication features incur potential risk. The susceptibility of Internet-connected cars to cyber attack gives serious pause to those of us who are anxious to usher in the era of driverless vehicles. We have to put on the brakes.
Setting aside the driverless vehicle prospect for a moment, there is a relatively foolproof way to ensure that an automobile doesn’t start driving erratically under the control of a hacker. Simply, critical subsystems, such as the drivetrain, must remain physically separated from non-critical systems, such as the auto’s entertainment system. Computer security experts describe such physical separation as an air gap. Designing a vehicle with an air gap separating the driving controls from the car’s media controls, comfort systems, and mobile hotspot networks would seem a no-brainer. Unfortunately, the added cost of doing so makes such design decisions more difficult than the slam dunk they should be. Consider, for example, the recent hack of an airplane mid-flight. If vehicle manufacturers won’t take this simple step of building air gaps voluntarily, government must step in to force the issue.
Driverless cars pose another challenge. An autonomous vehicle depends on communications with roadside sensors and other automobiles to follow a route safely. Data collected from this network of sensors, as well as data the car itself reports to them, serve as vital inputs to the drive control system. Separating the critical drive control system from the communications network isn’t possible for a driverless car, because, without the communicated data, the vehicle would have to run blind. Instead, the data exchanged between the sensor network and the automobile must be rigorously examined and sanitized in real time, with numerous checks put in place to prevent sabotage. Hardened systems of the kind this application demands are not known for their speed or their extensive feature lists. They also aren’t patched easily, because the patching process itself requires opening the system up to the outside world. As described in The Washington Post article, the very tools mechanics use to diagnose and upgrade the computer components of a vehicle also present an attack vector for hackers, because those tools could be modified to inject vulnerabilities. And yet, all software systems must be patched, because no software system works entirely flawlessly under all conditions. So, we’re stuck as surely as a pickup in a snow bank. There will most definitely be some level of vulnerability to cyber attack for driverless cars, and it is unclear how that level of risk could be verifiably reduced to consistently acceptable levels.
Stories like these should remind us to proceed with caution. Security isn’t something that can be grafted into a design later. Security has to be designed into the system from the start. Cutting corners by not air-gapping critical and non-critical systems, for example, should never be allowed. When a new technology is so blindingly cool that we think we have to bring it to market now, that is when we most need to consider very seriously whether we have paid the necessarily excruciating level of attention to keeping the technology beyond the reach of those who want to break it. Clearly, auto companies and airplane manufacturers have placed “cool” over “safe” so far. That’s going to lead to a pile-up.