The UK’s new Automated Vehicles (AV) Bill seeks to establish the most comprehensive legal framework of its kind anywhere in the world on automated vehicle technology. Announced during the king’s speech on 8 November 2023, the legislation aims to position the UK as a world-leader of this new, £42bn (US$53bn) industry.
The idea is that AVs can help reduce deaths and injuries from drink driving, speeding and driver tiredness. Any vehicles designed for use will have to meet or exceed rigorous new safety requirements, set out in law. The associated safety framework will ensure clear liability for the user and set the safety threshold for legal self-driving. This bill seeks to put in place an in-use regulatory scheme to monitor the ongoing safety of these vehicles.
There are however some important cyber security considerations to keep in mind when thinking about the development of automated vehicles.
With new technology comes new risk
The automotive industry has a rich history of embracing innovation and new technology in all areas from engine management through to in-car entertainment. Manufacturers are always keen to ensure their vehicles incorporate cutting edge tech to outperform those of their competitors. This technology, however, increases areas of vulnerability.
Cyber criminals are adept at leveraging and adapting their skills to take advantage of new developments. When electronic keys were first developed for cars in the 2000s, for instance, criminals quickly developed methods of overcoming the embedded security measures to steal or gain entry to vehicles using scanning technology and simple, low cost, smart phone emitters. The industry could see similar behaviour patterns with criminals looking to illegally access automated vehicles.
There has also long been debate in the industry around the concept of the connected car, and the leading companies in the industry have been aware of the potential security implications for some time. Starting with the vehicle production lines themselves all the way through to everyday use by customers, there are several areas of concern. With a dramatic increase in the use of 5G sensors expected and the exponential increase in the transmission of data between vehicles and road infrastructure that this will entail, the potential cyber-attack surface and opportunities for criminals and malicious actors will also increase.
The risk for car manufacturers
During the production of automated vehicles, protection of core safety system infrastructure and code will be primary concerns. Many high-profile ransomware attacks are designed to utilise Industrial Control Systems (ICS) and Operational Technology (OT) as ways of accessing sensitive systems. Manufacturers will need to be conscious of the ability of malicious actors to use production systems to access and inject code into software systems during assembly and manufacture.
This attack vector has been seen in the past, with routers manufactured in hostile states being produced with intentional software ‘backdoors’ embedded for possible future use. The highly networked vehicle production operating model employed by most manufacturers, where many components of vehicles are manufactured by specialised producers further down the supply chain, makes this area even more vulnerable, with additional opportunities to inject ‘sleeper’ code which will only be activated when the component is switched on after the completed vehicle has been powered up.
Further cyber security threats
Another primary area of concern is the cyber risk with software and software updates. Attacking the central OEM or large-scale dealerships presents an opportunity to inject malicious software, either during updates or during standard vehicle servicing when systems are connected to scanning systems to check vehicle health. This vulnerability also exists on the hardware used to scan vehicle health itself and during its production as well.
This provides threat actors with multiple opportunities to inject malicious software centrally into vehicles to source, or to infect large numbers of vehicles over time. This can be done to cause damage to vehicles by disabling safety sensors, to impact steering or navigation, or to cause mechanical issues. It creates a significant ransomware threat for criminal entities to utilise.
A further cyber security threat to consider is the opportunity for malicious actors to infect road management systems or infrastructure. AVs rely on a mass of inputs from external sensors to travel safely. The ability to tamper with the signals from these critical external systems presents both criminal and state actors the opportunity to cause significant issues, the impact of which may not be immediately apparent.
One of the most significant concerns on a larger scale is the ability of threat actors to impact safety protocols of large numbers of vehicles simultaneously, such as vehicle speed, navigation, or road usage announcements. This provides the opportunity to cause congestion by changing traffic updates, cause accidents (or mass accidents), or to disable vehicle steering or engine management at critical moments. Even a short-lived time of malicious control could have grave consequences.
Cyber espionage is also a serious threat that must be considered. State actors have previously employed techniques to track vehicles of interest—or to bug vehicles which may be carrying people of interest—to ascertain their movements or gain access to discussions taking place in such cars. Previously those with hostile intent needed to gain physical access to these vehicles to plant devices to do this, but now all the hardware required is available to them as a standard fit in most vehicles (tracking devices, communications antennas, and microphones). This allows threat actors to gain access to vehicles of interest from anywhere in the world.
Even a short-lived time of malicious control could have grave consequences
The vehicles themselves also present individual areas of threat. By drivers connecting their phones to in-car entertainment systems, threat actors have another way of potentially placing malicious code on smartphones or accessing information which they may hold through pairing with in-car systems.
The ability of criminals to steal automated vehicles also has the potential to increase. Vehicles designed to carry out software updates when static will remain online even when powered down, allowing individuals the ability to access systems even when apparently dormant. This makes it possible to steal vehicles from car parks, the street or driveways without the criminal even needing to be present. As with most modern car thefts, once in the criminal’s hands all sensors can be disabled, and the vehicle stripped to be sold as separate component parts.
There are other future concerns which are worthy of discussion. The rise of artificial intelligence (AI) and its potential to be used by malicious actors to target critical systems or groups of systems connected with AVs is one which will complicate the landscape. The data heavy nature of these vehicles, combined with their reliance on external sensors/systems to function, make them vulnerable to external attack or to ransomware style targeting. This is a threat vector which will continue to play out and develop in years to come as autonomous systems start to be deployed. Ensuring that attacks are detected and mitigated as quickly and efficiently as possible is a key challenge for automated car producers.
About the author: Lorenzo Grillo is Managing Director with Alvarez & Marsal Disputes and Investigations and leader of the firm’s European and Middle East Global Cyber Risk Services
