Abstract — For many years it has been a cat and mouse race as cybersecurity experts pursue marauding computer hackers, closing security loopholes they identified. If driverless cars are to be secure, cybersecurity experts must come up with a formula to shut out hackers, something that has eluded them over the years. It is feared that complicated wireless road network systems may lead to road disasters. There are also ethical and moral questions that may not have answers now, as the world put full trust in artificial intelligence controlled vehicles. Despite all these fears, it is a matter of time before our roads are flooded by driverless cars. This document discusses driverless cars, possible risks, and threats that the security fraternity is facing as driverless cars are on course to be a reality.
Keywords-component; driverless cars; cybersecurity; hackers; internet; vanet
The recent revolution in Artificial Intelligence (AI) algorithms has opened doors to many software possibilities. A decade ago, self-driving cars were only a possibility in Hollywood futuristic movies such as Knight Rider. Now it has become a reality. The United States government recently passed laws paving way for driverless cars use in the main highways. Philip Hammond, the UK Chancellor of the Exchequer has just said by 2021, the UK will have “Fully Driverless Cars” on the roads . What exactly does it mean for you and me? Let us look at how we got here!
Years ago, designing and implementing a driverless car was a challenge. A programmer needed to think of all road scenarios a car would face and all the algorithms needed to be hand-coded . That would be impossible because road driving environments are not always the same. A driver needs to be alert always to make decisions and take appropriate actions on the go. Deep Learning (DL), a branch of Artificial Intelligence has brought a new approach. Computer systems using computer vision algorithms can now learn and train themselves. Driverless cars must have a system that can learn, analyze and make quick decisions in a road where there are many hazards . The rapid growth in computing power and internet speeds have set the stage for the dream drive off.
These developments in technology have been received with both hands by many technology companies. Google, Tesla Motors, GM Cruise, BMW, Apple, Uber are among many driverless cars pioneering these experiments. The Google autonomous driverless cars drove 424000 and 636000 miles in 2015 and 2016 respectively with no problems at all [2, 3, 4]. Google has at least 100 driverless cars on the road. Uber has similar numbers and Ford with more 30 cars . BMW’s iNext model will be on the road by 2021. iNext gives a driver the privilege to be a passenger while the car drives itself . Many road accidents are caused by human error. Every year, at least 1.3 million people die from road accidents. As high as 94% of these accidents is attributed to human error [6, 7]. The fact that computers do not drink and drive, they do not get tired, they do not sleep on the wheel and they do not talk on the phone while driving, those who argue for driverless cars may have a point.
Cyber-attacks are an absolute reality. If we cannot totally eradicate them from the internet, there are always questions with no answers. The interconnectivity of computers on the internet means that any computer on the internet is susceptible to cyber-attacks . Cyber-attacks are not new. The UK Department for Culture Media & Sport, in its annual cybersecurity survey, reported at least 12144 business system breaches were made in 2016. One large wholesale business reported receiving approximately 340,000 fishing emails in the same period . The survey also revealed that 70% of large organizations were attacked in 2016 through one way or another. Financial Fraud Action UK (FFA UK) in the 2016 report noted losses of £755 million in 2015, a 26% financial crime rise from 2014 through cyber-attacks. In the same period, banks prevented possible internet fraud losses of £1.75 billion . Earlier in 2017, there were cyber-attacks across the globe widely reported in the media. These raise questions on the security and safety of self-driving cars.
II. Related Work
A. Car evolution
In 1968 Volkswagen introduced embedded systems to automobiles . Slowly computers started taking over some functions — from an automatic transmission, anti-lock brakes systems (ABS), climate control systems, airbag controls, cruise control, navigation systems, parking aid, lane-keeping systems and more [3, 12]. Cars have proved they can take us where we want. What has not been proven is their decision-making abilities when confronted with an unfamiliar situation. It is also not clear how safe and secure the cars will be.
B. Driverless cars basic functions
Many cars today are autonomous, but they need a driver to perform certain tasks when the car is not too sure what to do next. To simplify autonomous classification, the UK’s Centre for Connected and Autonomous Vehicles defined 5 car autonomous levels. In level 0 there is no automation at all. Level 1 has basic embedded software. In level 5 human involvement is not required; a car is fully automated . In three years’ time, these will be on the road, according to the Chancellor.
A level 5 autonomous car is truly driverless and can travel on its own. A driverless car needs a brain of its own. It needs a decision control center. Some call it System Control Unit (SCU). Such cars are fitted with sophisticated decision-making algorithms. They manage an array of ultrasonic sensors, GPS Systems, and video cameras. The sensors and cameras scan the surroundings, identifying potential hazards and surrounding features. They build a 3D mapping of the surrounding, covering a distance as wide as two football pitches [14, 15]. This information is fed into the control center as messages. The messages include information such as pre-collision warnings, blind spots, road edges, road markings, road signs, pedestrians and other road hazards . Every time the car uses the same road, any new features are updated to the internal map, training and updating the AI Deep Learning algorithms.
In retrospect, these embedded systems create a conducive environment for cyber-attacks as the attack interface is broadened by many communicating devices. Figure 1 shows some important features of driverless cars.
C. Vehicle Interconnectivity
One big disadvantage of human drivers is that no one knows what the other driver is thinking of. Humans can be so unpredictable. You only know their intentions when they indicate. Computers can communicate and pass messages easily. Presently, it is not clear how driverless cars will communicate on the roads. There are many theories around. Maarten Sierhuis, a director at the Nissan Research Center said Nissan is developing a Seamless Autonomous Mobility (SAM) system . With SAM, a human being constantly monitors a fleet of cars on the road remotely. Where a vehicle faces challenges, the fleet manager remotely solves the problem.
There are suggestions of wireless Car-to-Car Communication systems or Vehicle-to-Vehicle (V2V) systems that allow cars to talk to each other [19, 20, 21]. Others call this VANET (Vehicular Ad hoc Network). At its’ best VANET is a dedicated short-range network of networks that manages information being shared by vehicles in the same topology [16, 22, 23, 24, 25]. Only vehicles within a specific range share the information. Cars move from one fixed-location transceiver also known as Road Side Unit (RSU) to another. Cars can be platooned, driving closely at the same speed in an orderly manner, reducing congestion .
III. Security Issues
With many security concerns lingering about, it is the security of autonomous cars many people are concerned about. This is because from the time computers became interconnected on the internet, computer networks have been deluged by cyber-attacks. Computer hackers always seem to be ahead of their game. Banks are losing billions of pounds every year through internet fraud . In a borderless world where one can attack any computer anywhere in the comfort of their home and cover their tracks easily, it is difficult to trust decisions made a by a computer since we do not know if it is maliciously controlled or not.
In May of this year, the UK National Health Service (NHS) services were crippled by WannaCry, a malware that was unleashed and affected more than 230,000 computers in over 150 countries . With the advancement in computer security, software companies develop security updates daily to patch up holes in their systems. This still is not enough. The UK Department for Culture Media & Sport reported that 7 in 10 security systems of large UK organizations were breached in 2016 . In 2014, there were 42.8 million malicious attempts around the world, a rise of 48% according to Price Waterhouse Coopers in The Global State of Information Security survey 2015. In 2009 there were only 3.4 million such attempts, the report says [28, 24]. Several large companies including Yahoo, Sony, Target and others were cyber-attacked recently. Admiral Michael S. Rogers, who is the head of USA security organization National Security Agency and United States Cyber Command, when testifying before USA Congress said erecting very digital fences is not enough .
B. System Remote Control Attack
In its 2017 report Price Waterhouse Coopers said, and I quote, “Risks of future compromises will very likely increase as connected devices proliferate” . The same report said researchers proved that smart hackers are able to remotely hijack a driverless car. A hacker can take full control of a car — accelerate at will, apply brakes or even stop the car in the middle of the road! How safe will be country leaders such as presidents in a world where an unseen criminal can control one’s car and one is powerless to do anything about it? Recently Chinese researchers hacked a Tesla Model S P85 remotely. They gained access to the central control unit. The researchers moved seats of the car and turned lights on. They reported these vulnerabilities to Tesla .
C. Network Attack
In a VANET scenario, cars communicate with each other through the passing of messages. Each car is identified through a unique address or certificate. The other cars in the same area are then able to respond positively by enabling a function called Cooperative Adaptive Cruise Control. Cars in a motorway can drive at high speeds in a seamless manner because they communicate their actions . Each car knows what the other cars are doing. When one car brakes, a message is sent through the VANET to other cars to adjust accordingly. Figure 3 shows how VANET system works.
The system works well until a cybercriminal hijacks the system. An attacker can send false information through the network fooling cars to believe non-existent information . For example, a car can be fooled to believe traffic lights are green and yet they are red. This can cause fatal accidents or even paralyze the whole system.
A. Denial-of-Service (DoS) Attack
An attacker can cause a VANET system to crush by randomizing the internal Information Systems and then flood the whole network with non-existent traffic. Cars fail to communicate with each and the whole system comes to a screeching halt !
It is common for hackers to break into a system and plant a piece of code that keeps the door open for them. The code can send the hacker information. A hacker can monitor a victim’s movements . Cyber-Attackers can even take video footage of the victim using onboard cameras and track the victim’s movements. This creates all kinds of problems including theft and blackmail .
C. Data Modification
A cybercriminal can modify critical data used for security and safety in a car. A car can produce incorrect information. If this happens in a VANET system, information sent to other cars can be wrong leading to accidents [33, 21].
D. Software Glitches
An autonomous car has hundreds of millions of lines of code . The chance that there will be no errors in the car are slim. It is also worrying that applications that run in a car are from different companies. Anyone who has been using a computer for a while knows that computer updates are a necessity. After installing updates some functions may not function properly. We have no problems with computers if this happens because we can uninstall the update or remove the device that causes problems. The risk is minimal. How does a passenger deal with a software malfunction at night in the middle of nowhere? How about if a car accelerates where it’s supposed to stop? What does a passenger do? A Tesla X car crashed earlier this year and the driver attributed the blame to autopilot software [34, 31, 35, 11]. Another Tesla had a fatal accident when it rammed into a crossing 18-wheel truck trailer killing the driver on the spot. According to Tesla, the car’s sensor system failed to distinguish between the sky and the white trailer . The car was self-driving.
E. Loss of Control
The joy of driving is in control. Drivers enjoy accelerating and overtaking other vehicles when necessary. Sitting as a passenger in your own car is not something other people want. Many drivers feel safe when they are driving, not when someone else is driving them. Trusting a machine may not go down well with other people too. Already 10% of Uber users under the age of 30 have indicated they will not buy driverless cars .
II. Security Mitigation
Below are some of the solutions proposed by some researchers:
A. Digital Certificates
The writers of a research paper titled “A Security Credential Management System for V2V Communications” propose the use of Digital Certificates (DC) . A government controlled platform called Security Credential Management System (SCMS) produces a Public-Key Infrastructure (PKI). Each car through a PKI produces a DC. The certificate is attached to all messages sent to other cars and can be accepted by other cars under the same scheme. Any message that is sent through a VANET with a bona fide digital certificate is known to be genuine. Since the government is the producer of the certificate, the certificates cannot be faked therefore communication between cars is always safe .
B. Cooperative Intelligent Transport Systems
Aymen Boudguiga and others wrote a paper about a system they call Cooperative Intelligent Transport System (CITS). In a research paper titled RACE: Risk Analysis for Cooperative Engines, they discuss CITS. CITS relies heavily on Road Side Units (RSU). RSU are a series of base stations or fixed-location transceivers (FLT). They read information sent from a car’s transmitter if the car is within a range of the RSU. The car’s information should be consistent with the information being read by the RSU. If a car sends wrong information to other cars, the RSU overrides the information .
C. Intrusion Detection Systems
Khattab M. Ali Alheeti and company developed an Intrusion Detection System (IDS) using Artificial Neural Networks. They define three communication systems on the road, a) Vehicle to Vehicle (V2V), b) Vehicle to Infrastructure (V2I) and Infrastructure to Infrastructure (I2I) [15, 37]. Infrastructure in this case refers to RSU so this can be called RSU to RSU communication. Driverless cars generate a lot of information. Some of this information is not needed by other cars but can be detrimental if acquired by hackers. IDS hides away information not required by other cars from potential attackers, using what they call Proportional Overlapping Scores (POS) and only expose a trace file. In this case they only expose minimal information necessary for effective road communication. IDS also prevents DoS attacks. The system reads cars behavior from a trace file produced by an IDS . Any other data that does not comply with the trace file information is discarded.
D. Message Authentication in Driverless Cars
In a research paper titled “Message Authentication in Driverless Cars” the authors propose a car messaging system. Messages sent include pedestrian hazards, pre-collision warnings, acceleration and deceleration, braking, on-coming traffic, blind-spots and more . The information is sent both to RSU and other vehicles. Police, breakdown companies and ambulances receive information directly from the car. RSU can use short-range frequencies and wireless communication systems for communication between nodes .
A VANET system sounds very good. There are however security and privacy issues that require close attention. It is not clear what information will be shared with other cars. If a female driver is driving alone at night, what information do other people receive about her? Would people know where she is going? How secure is the system? All these are questions that need answers.
Privacy and security concerns are the main issues with driverless cars. We discussed these issues considering what other researchers are saying. It is apparent that a lot of work still needs to be done before drivers can have faith in driverless cars. All the ideas discussed in this paper can form a foundation towards a lasting solution.
 BBC Business, “Hammond: Driverless cars will be on UK roads by 2021,” BBC News, 19 November 2017. [Online]. Available: http://www.bbc.co.uk/news/business-42040856. [Accessed 19 November 2017].
 C. Reiley, “Deep Driving,” MIT Technology Review, 18 October 2016. [Online]. Available: https://www.technologyreview.com/s/602600/deep-driving/. [Accessed 18 August 2017].
 B. News, “Google’s driverless cars make progress,” BBC News, 2 February 2017. [Online]. Available: http://www.bbc.co.uk/news/technology-38839071. [Accessed 23 August 2017].
 The Economist, “How does a self-driving car work?,” The Economist, 12 May 2015. [Online]. Available: https://www.economist.com/blogs/economist-explains/2013/04/economist-explains-how-self-driving-car-works-driverless. [Accessed 19 August 2017].
 R. Medford, “Report on Autonomous Mode Disengagements,” Department of Motor Vehicles, USA, California, 2016.
 Jimi Beckwith, “BMW confirms fully autonomous iNext for 2021,” Autocar, 30 May 2017. [Online]. Available: https://www.autocar.co.uk/car-news/new-cars/bmw-confirms-fully-autonomous-inext-2021. [Accessed 23 August 2017].
 J. L. Kitman, Are Driverless Cars a good idea?, New York: Automobile Magazine, 2017.
 K. Kirkpatrick, “The Moral Challenges of Driverless Cars,” Society, vol. 58, no. 8, pp. 19–20, 2015.
 A. Boudguiga, A. Boulanger and P. Chiron, “RACE: Risk analysis for cooperative engines,” in New Technologies, Mobility and Security (NTMS), 2015 7th International Conference on, Paris, France, 2015.
 UK Government, “Cyber Security Breaches Survey 2017,” Department for Culture Media & Sport, London, 2017.
 K. Worobec, “FRAUD THE FACTS 2016,” Financial Fraud Action UK (FFA UK) , London, 2016.
 P. G. Neumann, Automated Car Woes — Whoa There!, California, USA: Ubiquity, an ACM publication, 2016.
 BBC News Magazine, “How computers took over our cars,” British Broadcasting Corporation (BBC), 2 February 2010. [Online]. Available: http://news.bbc.co.uk/go/pr/fr/-/1/hi/magazine/8510228.stm. [Accessed 19 August 2017].
 MIKE HAWES, “Connected and Autonomous Vehicles — The UK Economic Opportunity,” KPMG, London, 2015.
 L. Jones, Driverless When and, London: The Institution of Engineering and Technology, 2017.
 K. M, A. Alheeti, A. Gruebler and K. D. McDonald-Maier, “An Intrusion Detection System Against Black Hole Attacks on the Communication Network of Self-Driving Cars,” in Sixth International Conference on Emerging Security Technologies, Braunschweig, Germany, 2015 .
 Y. J. Abueh and H. Liu, “Message Authentication in Driverless Cars,” in Technologies for Homeland Security (HST), 2016 IEEE Symposium on, Waltham, MA, USA, 2016.
 A. Bielsa, “Smart Cars: a practical implementation of M2M communications is becoming a reality ever closer,” Libelium World, 16 October 2012. [Online]. Available: http://www.libelium.com/smart_cars_m2m_accident_prevention/. [Accessed 21 August 2017].
 Alex Davis, “NISSAN’S PATH TO SELF-DRIVING CARS? HUMANS IN CALL CENTERS,” Wired, 5 January 2017. [Online]. Available: https://www.wired.com/2017/01/nissans-self-driving-teleoperation/. [Accessed 24 August 2017].
 Dirk Wollschlaeger, “What’s Next? V2V (Vehicle-to-Vehicle) Communication With Connected Cars,” IBM’s Global Automotive Industry., 10 September 2014. [Online]. Available: https://www.wired.com/insights/2014/09/connected-cars/. [Accessed 20 August 2017].
 W. Knight, “Car-to-Car Communication,” MIT Technology Review, 1 March 2015. [Online]. Available: https://www.technologyreview.com/s/534981/car-to-car-communication/. [Accessed 20 August 2017].
 L. Bariah, D. Shehada and E. Salahat, “Recent Advances in VANET Security: A Survey,” in Vehicular Technology Conference (VTC Fall), 2015 IEEE 82nd, Boston, MA, USA, 2015.
 M. Amoozadeh, A. Raghuramu, C.-N. Chuah, D. Ghosal, H. M. Zhang, J. Rowe and K. Levitt, “Security Vulnerabilities of Connected Vehicle Streams and Their Impact on Cooperative Driving,” IEEE Communications Magazine, vol. 53, no. 6, pp. 126–127, 2015.
 L. Bariah, D. Shehada, E. Salahat and C. Y. Yeun, “Recent Advances in VANET Security: A Survey,” in Vehicular Technology Conference (VTC Fall), 2015 IEEE 82nd,, Boston, MA, 2015.
 Price Waterhouse Coopers, “Managing cyber risks in an interconnected world,” International Data Group Inc., London, 2015.
 W. Whyte, A. Weimerskirch, V. Kumar and T. Hehn, “A Security Credential Management System for V2V Communications,” in 2013 IEEE Vehicular Networking Conference, Boston, MA, USA, 2013.
 S. Dadras, R. M. Gerdes and R. Sharma, “Vehicular Platooning in an Adversarial Environment,” in ACM Symposium on Information, Computer and Communications Security, Singapore, 2015.
 Cybercrime Reporter, “‘Petya’ ransomware attack: what is it and how can it be stopped?,” The Guardian, 28 June 2017. [Online]. Available: https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how. [Accessed 20 August 2017].
 V. Greiman, “Cyber Attacks: The Fog ofIdentity,” in Cyber Conflict (CyCon U.S.), International Conference on, Washington, DC, USA, 2016.
 DAVID E. SANGER, “U.S. Must Step Up Capacity for Cyberattacks, Chief Argues,” The New York Times, 19 March 2015. [Online]. Available: https://www.nytimes.com/2015/03/20/us/us-must-step-up-capacity-for-cyberattacks-chief-argues.html?mcubz=1. [Accessed 20 August 2017].
 Price Waterhouse Coopers, “Uncovering the Potential of Internet of Things,” International Data Group Inc, London, 2017.
 The Guardian Reporter, “Team of hackers take remote control of Tesla Model S from 12 miles away,” The Guardian, 20 September 2016. [Online]. Available: https://www.theguardian.com/technology/2016/sep/20/tesla-model-s-chinese-hack-remote-control-brakes. [Accessed 21 August 2017].
 A. Reeba, “Vehicular Ad-hoc Network,” Research directions of Vehicular Network, 21 August 2013. [Online]. Available: http://vehicularcommunication.blogspot.co.uk/. [Accessed 21 August 2017].
 Technet, “Common Types of Network Attacks,” Microsoft Inc, 2017. [Online]. Available: https://technet.microsoft.com/en-us/library/cc959354.aspx. [Accessed 24 August 2017].
 F. Lambert, “Tesla Model X owner claims Autopilot caused crash with a semi truck, but ‘safety rating saved his life’,” Electrek, 27 March 2017. [Online]. Available: https://electrek.co/2017/03/27/tesla-model-x-autopilot-crash-semi/. [Accessed 21 August 2017].
 The Guardian Reporter, “Tesla driver killed while using autopilot was watching Harry Potter, witness says,” The Guardian, 1 July 2016. [Online]. Available: https://www.theguardian.com/technology/2016/jul/01/tesla-driver-killed-autopilot-self-driving-car-harry-potter. [Accessed 21 August 2017].
 W. Whyte, A. W. t, V. Kumar and T. Hehn, “A Security Credential Management System for V2V Communications,” in IEEE Vehicular Networking Conference, Boston, MA, USA, 2013.
 K. M, A. Alheeti, A. Gruebler, and K. D. McDonald-Maier, “An Intrusion Detection System Against Malicious Attacks on the Communication Network of Driverless Cars,” in Consumer Communications and Networking Conference (CCNC), 2015 12th Annual IEEE, Las Vegas, NV, USA, 2015.