Data-driven vehicles: The next security challenge
Companies are increasingly building smart products that are tailored to know the individual user. In the automotive world, the next generation passenger vehicle could behave like a personal chauffeur, sentry and bodyguard rolled into one.
Over the next decade, every car manufacturer that offers any degree of autonomy in a vehicle will be forced to address the security of both the vehicle and your data, while also being capable of recognizing and defending against threats against you or the vehicle.
This isn’t entirely new territory. Manufacturers and their software development partners have been developing, implementing and evolving their security practices and threat detection techniques for the past 20 years. The knowledge and awareness gained from these experiences will be essential as vehicles become more autonomous and new vehicle-related risks to personal security emerge. But as manufacturers ramp up their efforts to get autonomous vehicles in the hands of consumers and on the road, there must be a radical shift in how they think about securing them.
Today, many new vehicles are based on older designs that have been retrofitted with “smart” technology (e.g., sensors, Wi-Fi, Bluetooth, etc.). With an urgency to get cars that enhance the driver and passenger experience, the industry has, to date, been comfortable using COTS (commercial/consumer off-the-shelf) technology for things like sound systems, navigation systems, tablet-based console controls, etc. In retrofitting vehicle designs and systems, however, some manufacturers may have unintentionally exposed security vulnerabilities. For instance, the addition of a tablet-based control console can create a new attack vector for hackers to use against a vehicle.
To their credit, automotive OEMs have recognized the challenges posed by smarter, more connected vehicle platforms and have made security a focus. As a result, your next car may have more in common with a military fighter jet.
Just as a fighter has many levels of security, threat detection and threat deterrents built into it, so will your vehicle. Your next vehicle will likely recognize you via facial recognition, bio-patterns, touch or some combination of those. These techniques will enable the vehicle to know you and other authorized drivers and possibly even recognize unknown passengers and seek your approval of them.
Likewise, the vehicle will likely observe and learn your patterns of behavior and check in with you if it detects something odd or abnormal. When a person is perceived as a “stranger,” your vehicle will watch how you react, seek confirmation and then “decide” how to behave.
Also, despite various recent examples of them getting hacked, individual vehicles will rarely be the focus of bad actors. They will likely focus on the bigger “opportunity” posed by large numbers of connected vehicles. Once a vehicle is part of a network, the vehicle becomes vulnerable to many of the same exploits that are used against e-commerce sites and enterprises.
Your next vehicle will be part of a network. It will talk with satellites for positioning (via GPS). It will talk wirelessly to the manufacturer for updates. It will likely wirelessly network with other vehicles on the road in an attempt to understand and react to traffic patterns, road closures, hazards, and other information vehicles ahead or behind it might share in an attempt to optimize your commute.
Many of these technologies are already being used in commercial vehicles such as long-haul trucks and delivery vans, agricultural vehicles and industrial equipment. For instance, John Deere has been selling satellite guided, self-driving tractors for years, and is building completely driverless prototypes. A self-driving 18-wheeler recently completed a 3-day, cross country delivery of butter using technology from a company called Plus.ai. Volvo’s autonomous trucks will soon begin hauling limestone from a quarry to a port in Sweden, while the US Postal Service is testing self-driving trucks running from Phoenix to Dallas.
There are several reasons why the momentum towards autonomy in this segment is already so strong. The size of the vehicles and driving patterns make them ideal for testing and perfecting the craft of autonomy. They typically travel on uncomplicated highways and farmland, which offers a lower complexity environment than urban roads (i.e., fewer obstacles). Plus, large trucks and farm equipment provide much more space for the sensors and the compute power that autonomy requires and are not as constrained by the aesthetic design requirements of passenger vehicles. Obvious antennas and sensor equipment are no big deal on an 18-wheeler or tractor.
But these vehicles also have a higher risk profile. Commercial vehicles carrying valuable cargo will present a tempting target for thieves and hijackers. Imagine, for instance, trucks carrying expensive electronics being diverted so their contents can be stolen. The ultimate risk is a fleet of vehicles being commandeered remotely to create mischief like gridlocking cities or, worse, used by terrorists or other bad actors to cause real damage and even loss of life.
The data security problem for autonomous vehicles extends beyond communications. Manufacturers and fleet operators will also need to think about which data they need to store and for how long, what data will be exclusive and proprietary to the vehicle vs. the fleet, and how personal data will be handled. Data collected by vehicles during normal operation could be proprietary or, in the case of passenger vehicles, covered by emerging laws that regulate data privacy.
While much of the focus when it comes to solving the autonomous vehicle challenge has been on advancements in sensors, AI, machine learning, and so on, network and data security will also be a significant and necessary part of any eventual solution. This need for connectivity creates a more complex security challenge for autonomous vehicles.
While the promise of autonomous vehicles is enormous, the challenge is in making them safe and protecting them (and you) from attack. The good news is that this problem is solvable.