Recently an autonomous car company highlighted some plans to keep their vehicles safe from hacking. Yet their plans won’t actually make them secure. Such gaffes highlight issues across many different industries where cybersecurity is not sufficiently understood by manufacturers to deliver products hardened against attack. The result, in the case of autonomous vehicles, could be catastrophic.
In the article “Why Some Autonomous Cars Are Going to Avoid the Internet”, the CEO of the company told the Financial Times (paywall) “Our cars communicate with the outside world only when they need to, so there isn’t a continuous line that’s able to be hacked, going into the car”. They are choosing to operate the cars in a mostly offline manner to protect against cyber threats.
At first glance, this would seem to be a worthwhile protection mechanism against hackers. It is not. The ‘control’ is to reduce connectivity to the Internet, which does provide some security value for the time it is not connected. But that is where the logic falls apart and in the end, it does not significantly reduce the chances of being attacked.
It seems logical that reducing the overall vulnerability of a system will improve its security. But that is not always the case. Just because you remove 50% of the vulnerabilities, it does not mean you reduced the chances of being victimized by half. It is more complex, as other dependencies are at work. This mistake is common even among entry-level security professionals, who are taught to think of risk as a pure equation (R = T × V × I). The Risk equals the Threat times the Vulnerability multiplied by the Impact, which is a fine equation when used properly for a specific purpose. Reduce any amount of vulnerability and the resulting risk is also reduced. However, this equation is not applicable to every problem or discussion.
Back to the autonomous vehicle security problem. Intermittent connectivity is a reduced availability tactic. To the attackers, it is simply a network latency problem and can be easily overcome. There is a great deal of precedent and history proving this, which I won’t get into. Instead, let’s think about the problem in a different way by using an analogy.
Building a Wall
Imagine you were tasked with protecting your village from marauders. You employed a security specialist to greatly reduce the risks of bandits getting into your hamlet and causing havoc. A wall is built halfway around your town, visible to all. The security specialist then confidently announces he has reduced the vulnerabilities by half and has therefore reduced the chances of a successful attack by 50%. Nope. The marauders simply need to walk around the wall to get into the town. It might slow them down, as they are laughing and walking around the defenses, but it will not deter or prevent an attack.
The same is being proposed here, which is why reducing the Internet connectivity of autonomous vehicles is an ineffective security control. Such tactics have proven futile in the past.
The root of the logic problem is in thinking about security in terms of equal vulnerabilities. Not all weaknesses are the same. There may be a hundred vulnerabilities but only 5 are being used to compromise a system. Only the efforts to close those 5 (the ones being exploited) will be important, while the other 95 are meaningless to the immediate goal of being secure.
Cyberattackers will wait for connectivity to compromise devices, just like thieves will bypass the locked door to enter via the open window, and bandits will walk around a wall to enter a village unimpeded. The chances of attack are not significantly reduced, just the timeliness of when it will occur.
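The two arguments above (vulnerabilities are not equal, and offline time only delays an attacker) can be checked with a small model. This is an added example, not part of the original article: the 100 and 5 figures are the article's, while the 1% per-connected-hour success probability and the 10% duty cycle are constructed assumptions.

```python
from math import comb, log

def p_exploited_flaw_still_open(total, exploited, closed):
    """Chance that at least one actively exploited flaw survives when `closed`
    flaws out of `total` are fixed without regard to which are being used."""
    if closed < exploited:
        return 1.0  # not enough fixes to cover every exploited flaw
    # Hypergeometric: probability that all exploited flaws land in the fixed set
    p_all_fixed = comb(total - exploited, closed - exploited) / comb(total, closed)
    return 1.0 - p_all_fixed

def p_compromised(p_hit, duty_cycle, wall_hours):
    """Chance of compromise within `wall_hours`, given a per-connected-hour
    success probability `p_hit` and the fraction of time the car is online."""
    return 1.0 - (1.0 - p_hit) ** (duty_cycle * wall_hours)

def median_hours_to_compromise(p_hit, duty_cycle):
    """Wall-clock hours until compromise is more likely than not."""
    return log(0.5) / log(1.0 - p_hit) / duty_cycle

if __name__ == "__main__":
    # Article's figures: 100 flaws, 5 exploited, half of them "removed".
    blind = p_exploited_flaw_still_open(100, 5, 50)
    print(f"half fixed blindly: {blind:.1%} chance an exploited flaw remains")
    # Constructed values: 1% success per connected hour, online 10% of the time.
    P_HIT, YEAR = 0.01, 24 * 365
    for label, duty in (("always online", 1.0), ("online 10%", 0.1)):
        median = median_hours_to_compromise(P_HIT, duty)
        within_year = p_compromised(P_HIT, duty, YEAR)
        print(f"{label:14s}: median {median:6.0f} h, within a year {within_year:.2%}")
```

Under these assumptions, fixing half the flaws blindly leaves about a 97% chance that an exploited one is still open, and the 10% duty cycle stretches the median time to compromise tenfold while leaving the one-year outcome essentially unchanged.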
In this case, the car company is promoting a security design feature which really is ineffective. Yet, they don’t even realize it. As consumers, we must hold manufacturers accountable for the security, safety, and privacy of the products they produce. This is especially true of devices that hold the potential for life-safety risks. It should draw concern when in marketing and public communications, companies are showing a lack of cybersecurity knowledge and experience, likely as a result of improper skill-sets or executive prioritization, while at the same time exhibiting confidence in the security of their products. It is a dangerous combination.
Getting Security Right
It is important to institute optimal security capabilities as part of the design and core functions (Hardware, Firmware, OS/RTOS, software, endpoints, networks, etc.) to protect passengers and pedestrians from potentially catastrophic accidents resulting from digital compromises. Security must be effective, economical, and not undermine usability.
Understanding cybersecurity can be challenging, but many car companies are investing heavily in autonomous vehicles to make it a reality. As part of that investment, they must employ the right caliber of cybersecurity professionals to develop a proper strategy, architecture, and capabilities. Thankfully, I do know many in the field who are working on more comprehensive solutions, beyond reducing internet connectivity, to manage the broad range of risks that could impact us all. I believe it is time for all the automakers to work together and develop cohesive capabilities that meet the growing expectation of security, privacy, and safety.