Hacking cars : Cyber security for autonomous vehicles — are we there yet ?

When I worked at an automotive company 6 years ago, our major issue was car theft (physical) and our solution was to immobilize the car via remote communication with the car and locate it’s whereabouts by GPS coordinates.
Nowadays thieves are increasingly sophisticated and will develop new techniques as technology allows it.
For example in August last year, hackers were arrested for stealing more than 100 cars in Texas simply by using a computer to unlock and start the vehicles.
Stealing cars is an issue, but a more major problem is if someone else controls your car (more scary — if you are in it!).
This brings me to my topic today — cyber war for self-driving cars.
I recently got a to see an amazing video about 2 guys(Charlie Miller & Chris Valasek) hacking a car (Willingly) and to see how this is not to be taken lightly:

Is it that easy to hack a car?
Even now ‘regular’ cars rely on Bluetooth and wireless technology so that they can wirelessly monitor efficiency, update a vehicle’s systems, and even shut down the cars.
But it’s completely different for self-driving cars that rely 100% on software and thus have more potential weaknesses. Like any other software, you need to secure it from hacks.

How is it done? Here are some way hackers may access and control a car:

1.OBD II port
One particularly sensitive entry point for hacking is the legally required OBD II port, which is basically “the Ethernet jack for your car,” said Stefan Savage, a University of California, San Diego professor of computer science and engineering. It is typically located under the dashboard on the driver’s side.
This port acts as the car’s command center that connects to all of the different computers systems.

I remember I used to connect my laptop to it and get all the data I needed, moreover control the car commands with it.
However, hackers who directly connect their laptops to the port through an intermediary device can basically plug into car’s control system and have access to everything!

2. Wireless networks
With cars containing multiple computers coupled together through a maze of networks, it’s also possible to break into the car’s command center without having to physically plug something into the port.
While connectivity can be (and already is being) used to make us safer, more productive and entertained while in transit, it creates an attack surface through which to access the vehicle’s delicate controller area network (CAN) bus. Once inside, hackers may be able to send commands to the vehicle from a remote location in order to, inter alia, steal private and corporate data, track individual vehicles or entire fleets and hijack non-safety and safety-critical functions — imagine losing the ability to steer or brake while speeding down a highway!
Hackers just have to find a hole somewhere within one of the networks to sneak in.

3.Access the cloud / Internet
Devices linked through the cloud, i.e. the Internet. Most wireless devices that speak to each other are cloud-connected — sending information wirelessly to the Internet, which then another device reads by connecting wirelessly to the Internet to read.
That is why Google’s self-driving cars will remain unplugged from the internet most of the time to prevent them from being hacked, the chief executive of Waymo, its driverless vehicle programmer, has revealed.
Because components in a vehicle communicate with each other across a central system, there is a potential for hackers to gain access to a car through one channel, such as an internet connection, and then once inside the car, take control of critical functions such as steering and braking.

4.Tricking the car’s sensors
One of the first researchers to show how easy it is to hack self-driving cars’ sensors was Dr. Jonathan Petit. He was able to trick a sensor into thinking objects were there when they weren’t, and vice versa.
He also was able to blind the cameras they rely on by using different LED lights. If the car feels it can no longer operate safely because its cameras have been disabled, it could stop entirely.
A road sign that looks like a stop sign to a human might be constructed to look like a different sign to the car. In fact, more and more research papers have been appearing lately that are demonstrating such tricks against machine learning systems.

The good news
There are guidelines for autonomous vehicles -one of them is cybersecurity safety.

One of the leading companies in that field is “Aragus”(An Israeli company) which aims to protect connected cars and commercial vehicles from hacking.

Some of the features this company supplies are:
Connectivity protection
Defends the infotainment or telematics units by preventing malware installation, detecting operating system (OS) anomalies, isolating suspicious applications and stopping attacks spreading to the in-vehicle network. In addition, secures the two-way communication channel with the outside world.

Network Protection
Provides in-vehicle network-wide security by detecting attacks, suspicious activity and changes in standard in-vehicle network behavior. Deployed centrally, examines entire network communication and stops attacks advancing in the network. Supporting a wide array of network protocols — CAN and CAN-FD, FlexRay, Ethernet (with SOME/IP, DoIP etc.) and more — this suite is well positioned to defend current and future vehicle architectures.

ECU protection
Electronic control units (ECUs), such as brakes, advanced driver assistance systems (ADAS), door control units or any other units deemed critical, from attacks originating inside and outside of the ECU. Detects and prevents incoming attacks as well as neutralizes malware resulting from supply chain attacks or other attack vectors.

Are we there yet?

Every major automotive manufacturer knows that security is the most important factor, hence they have the top talent researchers in the field to be one step ahead of the hackers.

In other words — this will be a continues struggle, without a clear ending point.

While the future is unclear, one thing is for sure — There are always going to be “Bad” guys and “Good” guys, just need to be in the right team and fight the cybersecurity war.