Digital security
What happens when the problems caused by autonomous vehicles are not the result of errors, but the result of deliberate attacks?
November 21, 2023
•
,
7 minutes. read
Robo-taxi fleets have hit the brakes, citing the need to “rebuild public trust”. This story has been brewing for a while.
At first it seemed rather inconsequential, or at least it wasn’t the start of a big security story: video shared on the social networking site Reddit showing a group of robotaxis in Austin, Texas, arriving on a central thoroughfare and stopping en masse, causing an ad hoc traffic jam scene, which is becoming more and more frequent.too common given the growing popularity of the platform. A quick search found This article dealing with the event, which is by no means unique. Fleets of driverless or autonomous vehicles are currently operating in San Francisco and Las Vegas, with pilot programs in a dozen other cities. across the United States, from Seattle to Miami. And in case you’re wondering, this isn’t just an American problem: driverless vehicles are also being developed and tested around the world. Europe And Asia Also.
Currently, the problems caused by autonomous vehicles, such as traffic jams, traffic jams in wet concrete, and emergency service vehicles getting stuck, are real. They are also the result of non-malicious errors on the part of driverless car manufacturers. But what happens when these are not the result of errors, but the result of deliberate attacks?
If there is one What we’ve learned over decades of computer security is that any successful technology will attract entrepreneurs, looking to make money – both legally and illegally. For cybercriminals, the appeal of autonomous vehicles must seem particularly bright. In addition to more well-known criminal activities that occur entirely in the cyber domain, such as account theft targeting consumers and ransomware targeting businesseshaving vehicles in play in the physical world also offers interesting opportunities:
- Extort customers about their travel history. Have you been to a shady place that you’d rather not share? It’s the automotive equivalent of revenge porn.
- Remote Vehicle Control, a.k.a. readersomware
- Stopping some (or all) autonomous vehicles in their tracks could become a new model of ransomware extortion.
- Threatening to wipe the vehicles’ local storage or overwrite their firmware so that they can no longer function would generate significant costs for the vehicle fleet owner, who would not only have to recover each vehicle, but also restore the firmware and everyone’s software while hoping to fix vulnerabilities. this allowed them to be exploited in the first place.
- Vehicle theft (whole or parts) – stop at the (hash) store on the way home and lighten the car’s load of salable items, a car diet on the go.
- Removing passengers – even the threat of not letting them out and making them pay will work for some: after all, they have a digital payment method in their pocket or purse, which gives them a great opportunity to get a ransom. Do you think they should pay more? Take them to a remote location straight out of a bad TV show with ropes and dim lights before you can call the police. Besides, extort the fleet operator so he doesn’t kidnap his passengers, a 21st a century-old twist on old protective rackets.
- Send vehicles to a specific location to cause a traffic jam. Think of it as TJaaS – Traffic Jam as a Service; think DDoS with cars.
- Target busy intersections or highways during rush hour. For already congested roads conventionally driven vehicles, creating even greater traffic jams for slow down traffic and then disperse vehicles; Who would know what was really happening?
- Airports, train stations, or bus stations congested with traffic can provide a security barrier for bad actors looking to keep law enforcement away while they engage in dirty deeds. A traffic jam caused by autonomous vehicles could even prevent police from going to a bank that is being robbed.
- Blocking Emergency Services – a variation of SWATting where you hold off law enforcement farFor a price, of course.
- Cover for other organized criminal activities, e.g. Flash mob thefts committed by criminal gangs; use of vehicles to move illegal goods. How would the car know she was dealing drugs using “left luggage”?
- Disable safety features/cause accidents. Accidents among autonomous vehicles are big news anyway, so if a bad actor shorting the company’s stock and then deploying malware on vehicles could create a hard-to-detect stock sell-off in the form of “insider trading.”
It should be noted that robo-taxis are not the only vehicles that could be used for such attacks. There are an ever-increasing number of private vehicles on the road with autonomous driving capabilities and remote anti-theft/locking features that can be triggered.
In case this all sounds… well, fantastical, for lack of a better term… we would like to point out that runaway vehicles are no longer a fiction, but a reality: in October 2023, A electric vehicle in Scotland lost all control and the driver had to crash him into a police van to stop him. Although it was not a fully autonomous vehicle, it had a sophisticated driver assistance system that appeared to have failed, leaving the vehicle unable to slow down or turn off the engine. While this may not appear to be the result of malicious activity, it clearly shows how dependent vehicles are becoming on their computer systems.
Another possible concern regarding automated vehicles is commercial trucks. A self-driving truck carrying valuable cargo could be stopped or diverted to a location of the criminals’ choosing and have its cargo stolen before police arrive. Trucks could also be used to block transit centers, such as docks where goods are unloaded from ships.
Additionally, they could also be used as rams to gain access to restricted areas separated by doors, bollards or other obstacles. It reminds us of the heady days of impromptu steel-clad armored vehicles, hastily manufactured and created by A team but run by computer programmers with bad intentions.
Autonomous vehicles appear widely susceptible to falling victim to more widely available GPS jamming techniques that can be tracked to intercept and “retrain” vehicles to respond to an attacker’s commands. A botnet of cars driving at the behest of its shepherds can deliver a powerful video that is sure to go viral, regardless of the technical details.
To be honest, any new technology, especially during its nascent rise in the zeitgeist, shakes the imagination and certainly presents obstacles. But the growing fame is also attracting technofanatics who might be able to help shore up digital defenses so that herds of robotaxis don’t become the subject of B-movie plots without expensive actors, or many of them.
Autonomous vehicles, in the form of automobiles capable of driving on the same roads as traditional human-operated cars, represent one of the most significant changes to automotive technology in recent decades. It seems that some basic precautions learned over more than a century of transportation engineering should not be forgotten:
- Autonomous vehicles owned by individuals or businesses should have controls that can be operated by a human in an emergency. As good as AI is at driving, it may never be able to anticipate and respond to every situation that a human driver can. Providing steering, acceleration and braking mechanisms that can disable AI “autopilot” could mean the difference between saving lives and “merely” being involved in an accident. Machines are able to navigate known patterns, but humans can handle generic events that could not reasonably be covered by automated training sets. A child dressed as a ghost rushing to scare you? You would know what to do, but your car might not.
- For vehicles intended to operate as taxi or shuttle services, A emergency braking system should be accessible to passengers, a bit like those emergency lanyards or buttons used in passenger and subway train cars. Although technically it should work differently since railways operate differently than roads, the desired outcome would be to stop the self-driving car safely, in a way that does not endanger its passengers, other nearby vehicles, or others. pedestrians nearby. .
- Whether it’s a human taking full control of an autonomous vehicle or simply an emergency brake, these actions should automatically notify fleet operations and emergency services when activated , just like existing services provided by General Motors. OnStarSubaru STARLINKand other AACN (Advanced Automatic Collision Notification) are doing it today.
Autonomous vehicles have the potential to create a safer future for all road users. However, safety should be the primary concern for autonomous vehicle manufacturers and fleet operators (which sometimes are the same thing, and sometimes not). This can only happen if these vehicles are designed in a way that prioritizes safety.