Self-parking cars which also stop you from crashing are now commonplace in Australia’s new vehicle market; but with this rise in automation comes an increased risk of being car-hacked – with potentially disastrous consequences.
“Automobiles have a lot of security weaknesses in them that currently aren’t really being addressed properly by car manufacturers,” says security expert John Baird, who consults to the Optus Macquarie University Cyber Security hub.
He says that governments need to set stronger security standards and a forensics framework so that computer-related faults can be identified and future problems averted.
Advances in computer vision, real-world sensing, processing and control systems have revolutionised the car industry and fully autonomous vehicles are being trialled worldwide.
Some new cars now contain 100 million lines of software code which operate via dozens of embedded computers networked across the vehicle.
In 2010, researchers from the University of Washington reported that they could make physical changes to a car like changing the speedometer reading, adjusting braking and killing the engine.
A 2012 DARPA-funded report showed that steering could be remotely hacked, and researchers Miller and Valasek then hacked into a 2014 Jeep Cherokee using its radio, and showed they could affect the tyre pressure monitoring system, forcing the car to stop. They could also apply the brakes, affect steering and cut the engine.
As more cases come to light, demands for stronger security are rising.
Despite their heavy reliance on computer systems for most essential vehicle operations, in-car computers are largely built by car manufacturers to focus on issues like operations, fault diagnosis and repair – with very little thought to security, Baird says.
“We’ve got a fundamental problem in the way these systems are engineered from the start,” he says.
He’s calling for state governments to set strict standards on cyber security for vehicles coming into Australia.
“Governments set performance, safety and environmental standards, but there’s nothing yet about cyber security - which affects all of us.”
Baird has a Masters of Computer Forensics degree from Macquarie University and spent more than 20 years working in cyber security in the financial services industry before founding security consultancy Revio to help senior executives address the cultural issues around security.
“I do some work with start-ups too,” he says, adding that the obvious gaps in automotive security systems worldwide offer a huge opportunity for Australian start-ups to develop security products such as secured automotive communication hubs.
His financial industry background gave Baird extensive experience in cyber security, but it’s a field that is relatively new to the automotive industry.
That’s not to say crime isn’t a focus; a recent survey found Australia ranks 7th in the world for vehicle crime, with 212.5 vehicle thefts per 100,000 of the population.
Security of physical access has been a focus for manufacturers. Keyless entry systems have been increasingly vulnerable and some manufacturers are replacing key systems with biometric vehicle access so drivers can unlock and start a car with a fingerprint or retinal scan.
“They haven’t addressed the fundamental problem, which is the ease of access into the car communication systems,” Baird says.
Cars take control
Driver override systems are built so that a car can actively disregard the driver and make its own decisions. Some cars will already stop if you don’t apply the brakes before an impending impact. New developments will see cars applying brakes even when the driver is trying to accelerate.
Rapid increases in sensor technology are forcing a shift in priority, so that the car, not the driver, has ultimate authority.
Remote vehicle shutdown technology is already out there, and widely used by car loan companies in the US. But Baird says these systems may be vulnerable to remote access by unauthorised people.
Another major problem is that cars are not accurately recording safety violations in restraint systems despite requirements to do so.
“In many cases the code hasn’t been written to the standards required for a real time safety-critical system,” he says.
“The internal communications systems in many cars are not secure, and they should be.”