How quickly self-driving cars roll out is dependent on the industry addressing some very serious IoT cyber security issues.
Now that Uber has commenced a pilot test of driverless vehicles in Pittsburgh, and competitor Lyft has predicted that most of its cars will be driverless by 2021, self-driving cars are what everyone is talking about. Many question whether the machine learning and artificial intelligence that power these cars have advanced enough for the vehicles to truly drive themselves, or if Lyft’s prediction is overly optimistic. However, the biggest stumbling block for the driverless car industry is not the artificial intelligence and machine learning technology that powers these vehicles but the IoT cyber security issues that the car industry has yet to address.
Smart Cars Just as Hackable as Other Smart Devices
Although self-driving cars are still in beta testing, other Internet of Things (IoT) devices, including fitness wearables, smart thermostats, and smart medical devices, have been commonplace for several years, and newer model cars come with an abundance of smart technology. Cars can already park themselves; they just can’t drive themselves. However, once a device, any device, is connected to the internet, it immediately becomes a potential target for hackers. IoT cyber security issues are the same as those that threaten desktop and laptop computers.
IoT cyber security threats are not just hypothetical. Recently, Chinese security researchers discovered multiple vulnerabilities that allowed them to hack into the controller area network (CAN) of a Tesla Model S, which gave them remote control of the vehicle’s sunroof, driver’s seat, windshield wipers, central display, door locks, brakes, and other computer-controlled systems – both when the car was parked and when it was in motion.
Tesla is considered one of the most cyber security-conscious car manufacturers in the world, yet one of their vehicles was hacked. Most organizations are not taking the threat to connected cars and other smart devices seriously, despite the gravity of the situation; 90% of organizations have no cyber security plan to address IoT cyber security specifically, and 68% have no testing strategy for IoT devices. In the wake of the Tesla hack, the U.S. Department of Transportation announced a series of guidelines for manufacturers to address cyber security issues in driverless cars. While these guidelines are voluntary, it’s reasonable to expect that the government will begin enacting legislation down the line, especially if a major hack happens.
Ransomware a Major Threat to Self-Driving Cars
In addition to hackers taking over a vehicle and remotely operating it, ransomware looms large as an IoT cyber security issue. The healthcare industry, which is being plagued by ransomware attacks on electronic health records, is wringing its hands over the possibility of hackers holding IoT pacemakers and insulin pumps for ransom. Driverless car manufacturers should share their concerns.
Researchers at Intel Security recently discovered a vulnerability allowing them to install malware on a smart car’s infotainment system. In the experiment, the malware set the stereo to play the same song over and over, but what if a hacker found a way to use the infotainment system as a door into the rest of the car’s systems, installed ransomware, and rendered the car inoperable until the owner paid a ransom? Earlier this year, Hollywood Presbyterian Hospital paid $17,000.00 in Bitcoin to hackers who had locked down the facility’s electronic health records. A consumer who needs their car to get to work or drive their children to school may be willing to fork over several hundred dollars to a hacker, especially since trying to fix the car’s computer may cost that much or even more. If a hacker manages to disable a commercial fleet of self-driving vehicles, the stakes are even higher, and the targeted company may be willing to pay that much per car.
Most Consumers “Very Concerned” About IoT Cyber Security
Whether Uber’s trial works out or Lyft’s prediction comes true will not matter if consumers reject driverless cars; 58% of consumers report being “very concerned” or “highly concerned” about IoT cyber security. If consumers do not feel that autonomous cars are safe, they will refuse to buy them or even ride in them. Car manufacturers cannot afford to take a lackadaisical attitude toward IoT cyber security. Autonomous vehicles should be subjected to a comprehensive security evaluation and testing process, and businesses that intend to purchase driverless cars should hold off on purchasing vehicles that haven’t been proven safe.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems and IoT devices and keep hackers out.