Connected Cars: Looking Under the Hood at Cybersecurity Risks

Published On January 24, 2018 | By Jill Guidera Brown and Anna Hsia | Data Security, General

Knight Rider fans, rejoice! Soon, you can have your own automated vehicle. While the arrival of connected cars and autonomous vehicles (“AV”) bring a potential increase in efficiency, safety, and mobility, they also present unique cybersecurity risks. In a recent global study, more than half of corporate risk managers expressed concern about cybersecurity in AV, but felt unprepared to address these issues. Amid the uncertainty, Mcity, a University of Michigan research center, released a white paper introducing a tool to identify and analyze potential cybersecurity threats to self-driving cars.

Background: The Tech and the Risk

As with other products in the IoT, connected cars generate large amounts of data and may be attractive targets for cyber-attacks.

In 2015, researchers simulated a hack into the operating system of an Internet-connected vehicle. Along with remotely manipulating the car’s radio and air conditioning, the white-hat hackers also disabled the car’s brakes and altered steering controls. In 2016, high-tech thieves in Texas stole more than 100 cars by accessing keycode databases that allowed them to reprogram keyless entry and ignition systems. In 2017, researchers bypassed anti-hacking mechanisms and exploited vulnerabilities in vehicular internal networks to send commands to shut-off automated features like airbags and door locks.

One can imagine similar attacks on AV. For example, a ransomware attack could remotely reroute a car and require a payment of ransom to regain control of the operating system. Jamming or spoofing attacks might target data integrity by interfering with signaling mechanisms, for example, causing GPS navigation systems to send a vehicle off a cliff. Cybersecurity vulnerabilities in traffic systems that rely on data to avoid crashes may be particularly dangerous. It can be an issue of life and death, for example, if a vehicle platooning closely behind another sends a false signal that it is braking, when in fact it is accelerating. In addition to the risk of physical harm, vulnerable cars can require burdensome software updates or costly recalls.

Analysis: U.S. Regulatory and Industry Frameworks and Guidance

Though designed for researchers, Mcity’s threat identification model provides a helpful framework for auto manufacturers, local governments, tech lawyers, or anyone analyzing the cybersecurity risks of AV and connected cars. The proposed model assesses the likelihood of a successful attack on AV based on the following considerations:

  • Identity, motivations, and capabilities of the attacker (i.e. is the attacker an auto mechanic, car thief, or hacktivist);
  • Vulnerabilities in all components of the technology, including sensors, GPS systems, and databases;
  • Method of attack, such as spoofing identity, tampering with data, repudiation, information disclosures, denial of service, and elevation of privilege;
  • Difference between the attacker’s ability to execute a successful attack, and the system’s potential to withstand the attack; and
  • Impact of the attack on various stakeholders, measured by financial loss, privacy, and safety.

Each consideration is applied to an attack scenario and then calculated in a weighted scale to evaluate potential cybersecurity threats. Mcity’s model provides a valuable step in identifying and analyzing risk, but how do legal frameworks help companies prevent an attack, respond to a breach, or navigate the unique ethical considerations raised by AV?

Currently in the United States, no federal legislation directly governs the cybersecurity of connected cars, and although twenty-one states have passed legislation related to AV, only four address cybersecurity issues. Conflicts in laws between various jurisdictions also create uncertainty.

Several federal agencies have issued non-binding guidance for the connected car and AV industry. The Department of Homeland Security’s Cyber Physical Systems Security project brings together industry, academic, and government stakeholders to increase cybersecurity in vehicles. The National Highway Traffic Safety Association (“NHTSA”) has proposed a layered approach to cybersecurity: implement preventative measures, isolate vulnerable systems, detect and respond to intrusion in real time, and assess solutions based on previous successful and thwarted hacks. In its non-regulatory 2017 Automated Driving Systems policy framework, the NHTSA encouraged the auto industry to collaborate to develop unified security systems, adopt a standard vulnerability reporting/disclosure policy, and share information to prevent repeat attacks across different stakeholders. Similarly, the FTC recently issued a staff perspective urging the industry to take steps to reduce risk of hacking and other attacks on connected cars. Such recommendations include the sharing of information among those in the connected car ecosystem, designing networks to reduce risk (such as segregating safety-critical functions from other functions), engaging in privacy-by-design risk assessment and mitigation, and participating in industry self-regulation.

Connected cars and AV present complex questions at the intersection of technology, law, and policy. As the technology grows more prevalent, the industry and lawmakers will work in parallel to regulate this technology and mitigate cybersecurity risk.

 

About The Authors

Jill Guidera Brown works with ZwillGen attorneys on a variety of privacy and technology related legal matters. Prior to joining ZwillGen, Jill interned at the Berkman Klein Center for Internet and Society at Harvard University, where she focused on education technology platforms and data sharing partnerships. She also served as a legal intern with the U.S. Senate Committee for Commerce, Science, and Transportation, and provided research for the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security. Prior to law school, Jill was a community organizer for New York City’s leading transportation advocacy organization, and also an educator with non-profit service providers to New York City public schools.

Anna Hsia maintains a diverse practice litigating complex business disputes and counseling clients on privacy issues. With broad litigation experience in unfair competition, false advertising, class actions, and other complex litigation, Anna guides clients through disputes in federal and state courts. As a Certified Information Privacy Professional, Anna has assisted clients with product development and compliance with privacy regulations such as the TCPA, HIPAA, COPPA, state-specific privacy regulations, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.

Comments