Friday 19 September 2014 – As driving becomes more computerised, what are the potential associated cyber vulnerabilities and how might they be exploited by hackers? (source: Lloyd’s of London)
The buzz surrounding driverless cars has continued to grow throughout 2014 with the UK government’s announcement that it will begin testing autonomous vehicles on public roads next year and Google’s unveiling of its prototype in May.
While fully-driverless cars may still be some way off, manufacturers are increasingly fitting autonomous features to new vehicles, including emergency braking systems, adaptive cruise control, lane keeping assist technology and automatic parking assistance.
While autonomous technology is credited with enhanced safety and reducing the number of accidents on the road, the vulnerability of the connected car to being hacked is a growing concern.
A recent rise in luxury car theft is just one example of how high-tech security can be breached by cyber criminals.
Modern cars are increasingly computerised, and in order to check for problems mechanics plug into the car’s on-board diagnostics (OBD) system. The system can also be used to encode new electronic fob keys, to open and start the car.
These computers, which are legitimately used by locksmiths and car dealers, are increasingly being used by criminals. In London in 2013, 39% of cars stolen were taken without the owners’ keys being present, according to the Metropolitan Police.
Expensive vehicles, including Range Rovers, Land Rovers and BMW X5 and X6 series in particular have been targeted.
The ability of such cars to be hacked, raises questions about the future security of semi or fully-autonomous vehicles.
In its recent report Autonomous Vehicle: Handing Over Control, Lloyd’s address some of the cyber risk implications for cars that are increasingly controlled by computers.
“This is a risk that is ever-growing in our increasingly digitising society, but maliciously interfering with a car could have serious implications for safety, ” it says. “To address cyber risks, high standards of system resilience, such as robust data encryption, will need to be engineered.”
The potential for cars to be hacked in order to commit theft, kidnap the driver or even use the vehicle as a weapon has been considered by organisations like the United States Federal Investigation Bureau. In an internal report, obtained by the Guardian in July this year, the FBI warns driverless cars could become “lethal weapons” in the wrong hands.
In its report, Lloyd’s notes that a large-scale immobilisation of cars on public roads could “throw a country into chaos” and highlights the importance of considering the security implications of networking with other cars, infrastructure and personal computers such as smartphones.
The report also considers the criminal use of personal data if a vehicle is hacked. By knowing where a person is at a particular time a burglar could know when a householder is not at home, for instance.
“How can you protect a vehicle fully if even the US military computers can be accessed, ” asks Peter Shaw, chief executive of Thatcham Research. “You can bet that it will be possible to hack into vehicles and then of course it brings other aspects to mind. How can you avoid the use of vehicles for terrorism purposes for example?
“It will be another one of those product liability issues that has to be considered going forward, ” he continues. “What it could lead to, for example, is regular updates of onboard systems when you have your car serviced to defend cars against theft. During normal services they would carry out those upgrades intended to protect the car against known cyber theft.”
Over the next couple of decades as more and more cars on the road have autonomous features the liability is expected to shift from the driver to the manufacturer and software provider.
“The insurance industry has got to go through a transition, ” says Stephen Jones, head of the UK P&C pricing practice at Towers Watson. “If there’s £100 of risk now on a typical policy, how much will remain when it’s fully driverless. This is assuming that cars are still owned by the consumer.
“Let’s suppose I still go and buy a car and it sits on my drive, ” he continues. “I will still retain something like 12% to 15% of the risk in case a tree falls on it or if there’s a load of rain and it floods, so there’s a residual own vehicle risk. But much of the risk from when it is moving will probably fall on product liability in relation to the guys who built the software or the guys who made the car.”
This movement away from personal motor insurance toward commercial product liability is also likely to include cyber and cyber terrorism exposures.
“Because potential losses may be high, a commercial market for autonomous and unmanned technology is unlikely to evolve unless insurance is available, ” states the Lloyd’s report.
It predicts cyber risk policies will be developed to suit the needs of stakeholders such as operators, systems designers, manufacturers and infrastructure providers. A focus on reputational risk is also likely to be a strong feature of any cyber products designed for autonomous vehicles.
“Cyber coverage could be a particular area of insurance growth with the development of increasingly computerised vehicles, ” predicts Lloyd’s.