Self-Driving Attacks

The NHTSA has recently published their guidance on vehicle to vehicle communication.

The promises of vehicle to vehicle communication include the improvement of safety by enabling vehicles to communicate with the infrastructure (e.g., traffic signals) and with other vehicles (e.g., speed, braking). Instant and direct communication (without reaching back to a centralised service) would be impactful for helping to reduce collisions and near-collisions.

However, radio frequency signals are notoriously easy to hack and spoof.

From having your car stolen while you eat breakfast in your home, due to ability to easily amplify your wireless key signal to unlock the door.

From spoofing GPS, as to date GPS remains as vulnerable to spoofing attacks as ever.

The question then who and how will the vehicle security be certified? Ultimately, who is responsible? The car manufacturer who integrates the components? The v2v component manufacturer? The standards body?

Security is a constant struggle between providing secure protections and keeping up with the latest threats and attacks. The era of connected devices of worms, botnets, and hidden persistent threats will only be amplified by the emerge of the coming vehicular cloud.

Suppose a manufacturer knows there is a vulnerability. What is the disclosure responsibility? Patches can sometimes take weeks or months to properly deploy to consumers. Should manufacturers recall or request consumers to stop driving vulnerable vehicles?

There are a lot of questions still to be answered.