Software Integrity

 

Autonomous vehicles: Security implications of Uber’s self-driving cars

Last year, Uber set up an Advanced Technologies Center in Pittsburgh, Pennsylvania and began work on their latest project (no, not puppy delivery). Earlier this month they debuted their new self-driving cars, inviting “yinzers” to experience their first self-driven ride around Steel City. With a long list of really cool benefits (road trip, anyone?) there are some serious security implications to discuss.

First: this is a huge technological accomplishment for Uber and the automotive industry as a whole. Unfortunately, the expression “drive off a bridge” has the potential to become a Pittsburgh reality if hackers have anything to say about it.

Remember the 2015 recall of nearly 1.4 million Chrysler vehicles?

If you’re unfamiliar, hackers Charlie Miller and Chris Valasek successfully manipulated the windshield wipers, radio, and even cut the transmission of a moving Jeep Grand Cherokee — all from the comfort of their living room couch. At this year’s BlackHat conference, they discussed in detail just how deadly attack could have been if they had chosen to exploit some of the Jeep’s other vulnerabilities. Luckily for Chrysler, Charlie and Chris are two of the few “good guys,” who believe in using their skills to teach companies and consumers a lesson about the importance of application security.

So, if hackers could wirelessly mess with a Jeep’s brakes and transmission, what kind of damage could they inflict on self-driving cars?

As we saw with the Jeep exploit, remote users have been successful in taking control of the mechanical components of vehicles using nothing but an internet connection. Expanding the computer system so that it no longer needs a driver at all exacerbates many of the risks already inherent to connected cars, but now offers hackers the opportunity to directly control and manipulate the operation of the vehicle. The consequences of an attack on these systems could be catastrophic: hackers could endanger human lives by dropping a logic bomb that steers the car into oncoming traffic, or simply by tampering with the communication signals between that car and other self-driving cars to cause an accident.

Luckily, Uber had similar concerns and took precautionary measures.

They decided to hire the infamous car hackers, Charlie and Chris, at their Advanced Technologies Center. The dynamic duo is working very closely with Chief Security Officer Joe Sullivan and Chief Information Security Officer John Flynn to protect the new fleet of self-driving cars, since they are quite familiar with the long list of threats this technological achievement brings with it.

As Stefan Savage, the University of California at San Diego computer science professor puts it: “Autonomous vehicles have broader attack surfaces, more sensors, and the computer has the ability to control the steering. It just makes the problem worse.” While Uber intends to make a significant, positive impact on transportation safety, they cannot afford to be naive to the likelihood of encountering ill-intentioned hackers who have more nefarious objectives.