Two former hackers hired by Cruise spoke recently on autonomous vehicle security.
Last week at the Black Hat USA security conference, two well-known automotive hackers presented their plan for improving the security of the autonomous Bolt EV. Bluetooth connections, 4G internet, Wi-Fi hotspots and other wireless connectivity features are all potential access points for hackers. Charlie Miller and Chris Valasek, security architects at General Motors' Cruise Automation, used their presentation to make the point that more tech leads to less security.
From Yahoo! Finance:
* In 2011, researchers at the University of Washington and the University of California San Diego took over a Chevy Impala, first by exploiting a vulnerability in its Bluetooth software and then by calling its OnStar cellular radio and playing a special sequence of tones.
* In 2015, Miller and Valasek gained control of a Jeep Cherokee by reprogramming its vehicle-control systems over the internet. This attack could have been written to spread from vehicle to vehicle — a possibility that led Miller and Valasek to not-so-humble-brag, “Damn, that was baller,” in the report they posted after their talk. Fiat Chrysler wound up recalling 1.4 million vehicles to fix the flaw.
* In 2016, the Chinese software giant Tencent’s Keen Security Lab hacked into a Tesla (TSLA) Model S by exploiting vulnerabilities in its dashboard web browser and onboard WiFi. In 2018, the same lab showed how to compromise a BMW i3 through such routes as its cellular connection.
An autonomous vehicle is potentially more vulnerable than the average car on the road today. Automakers are taking this risk quite seriously. The system of cameras, radar and LIDAR sensors is incredibly complex. In order to process inputs from all of these components, a powerful computer is required. Any external connection that is not controlled is a potential vulnerability.
In self-driving vehicles, software safety is a priority for Cruise Automation.
Miller and Valasek have a relatively straightforward guiding principle: remove unnecessary systems that open vehicles up to remote attacks. "If you don’t need something, take it out," Valasek told the attendees.
Bluetooth, satellite radio, and other insecure connections should not have direct interaction with the vehicle. All of these niceties are unnecessary in a self-driving car. Freed of the need to drive, Cruise passengers can spend their travel time reading, talking, watching movies, or checking social media on their own phone or tablet. In the car, passengers will only be able to interact via a separate stripped-down tablet disconnected from the rest of the vehicle.
Unlike a garden-variety Bolt EV, the Cruise autonomous fleet will not receive over-the-air updates. Software updates will be done only with physical media. Cruise wants the car to refuse any inbound connection unless the vehicle requests it first. Even connections between vehicle components must be encrypted if possible. Of course, no automaker has built its existing cars with this in mind. "The components in cars are just so far behind," stated Miller.
So what is their ultimate goal with cutting the AV Bolt EV off from the connected car future? Miller explained during a Q&A following the talk: "We’re going to make it so hard that they’re going to want to hack something else."
Source: Yahoo News