Global expert warns over self-drive cars
Disruption is a wonderful form of progress, look at Uber and Air BnB, disruptive forces and great businesses. If you think these companies’ shake-up of the taxi business and the hospitality industry were disruptive wait for the self-drive car. But, according to a leading international security expert, the self-drive car risks introducing chaos rather than disruption, that mother of innovation.
Driver-less cars have enormous potential for positive change on the roads, with human behaviour being to blame for most problems – driving under the influence of drugs or alcohol, road rage and speeding to name but a few.
Imagine that it was just you and a lots of calm, efficient automatons doing the school-run in the mornings, no stressed mums pointing fingers at you or rushed dads cutting in front of you, no minibus taxi drivers making your life a misery. In fact, you might as well send your own little monsters to school in a driverless car too.
Sounds like positive change, progress even. Not so fast, says Jonathan Petit, a research fellow in the computer security group and the mobile and internet systems laboratory at Ireland’s University College in Cork, “Self-driving cars will enable a new range of (cyber) crimes.”
It is not just technical boffins who are imagining driver-less cars doing all the driving, even taking the kids to school. But, warns Petit, who is a principal scientist for Security Innovation Inc, a criminal could stop the car, kidnap your children and demand a ransom.
Imagine the struggle with your conscience: spend a fortune on a holiday or to get the kids back? You might fancy the holiday (you put them in a driver-less car after all), but society and/or grandparents might demand a different outcome.
Petit said hackers could also easily trick self-driving cars into thinking that another car, a wall or a person is in front of them, potentially paralysing it or forcing it to take evasive action.
He told African News Agency that criminals could hijack a self-drive car remotely, bypassing all safety systems designed to prevent a collision and make the car crash into a building or even run over a human target without having any casualties on the criminal side.
An attack could be launched remotely by hijacking the car’s computer or from metres away using a small, cheap laser and a computer. In a paper that Petit will be presenting at the Black Hat security conference, the world’s premier conference on information security, in November he will describe how he used a laser light and a Raspberry Pi, a low cost, credit-card sized computer, to spoof fake objects and cause the automated vehicle to trigger a “minimum risk condition”, which brings it to a graceful halt in the shoulder lane.
Automated cars use laser ranging systems known as lidar, which – much like radar – use spinning lasers usually mounted on top of a car to map surrounding areas. But, Petit’s paper shows, hackers can use a low-power laser to fool the lidar into detecting echoes of fake objects, such as pedestrians, cyclists, other cars, or buildings.
In his paper, Petit describes how he used easily available tools to trick the car from up to 100m. The automated cars can be brought to a halt or tricked into taking evasive action such as turning away from spoofed objects.
“I can spoof thousands of objects and basically carry out a denial-of-service attack on the tracking system so it’s not able to track real objects,” Petit said.
“I don’t think any of the lidar manufacturers have thought about this or tried this.”
The inherent connectivity in an automated vehicle adds other risks too. Connectivity will range from cellular connection to the cloud for remote diagnostics or software updates to vehicle-to-vehicle communication for safety-related applications such as collision avoidance or traffic efficiency applications.
These connections risk leaking sensitive and private information that can be monitored or collected for the purposes of blackmail or to track a vehicle and/or passenger’s movements.
So will mums and dads ever be able to sleep in on a school day, safe in the knowledge that the car is delivering the children safely to school? Petit will tell the Black Hat conference that his work has demonstrated the need for deeper research into security and privacy of automated and connected vehicles before their deployment on public roads is seriously considered.
We are not ready for automated automotives, it seems. But the truth is the motoring present, which increasingly combines human fallibility and computer ‘hackability’, is less than perfect too, even for those who don’t have to do the school run.
In February, Edward Markey, US Senator for Massachusetts released a report, Tracking and hacking: security and privacy gaps put American drivers at risk, revealing that many modern cars had integrated wireless technologies such as Bluetooth and even wireless internet access, yet the industry had not addressed the dangers of hacker infiltration into vehicle systems. The report also detailed the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used.
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions,” Markey, a member of the US Senate’s Commerce, Science and Transportation Committee, said at the time.
“Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”
Markey took up the fight after studies, not unlike Petit’s recent research on driverless vehicles, showed how hackers could access the controls of vehicles and cause them to suddenly accelerate, turn, brake and so on. So the research must continue … as must the school run.