Why driverless cars are a game changer for cybersecurity

Technology companies see big opportunities in the auto sector. But if they are to truly thrive in this market, they must first solve the challenge of cybersecurity

As technology companies search for new industries to disrupt, all eyes are on the global automotive industry – a sector which boasts annual sales of 90 million and has already won plaudits for innovation and technological leadership. Today’s most basic vehicles contain at least 30 electronic control units, while some luxury cars contain as many as 100. Bruce Emaus, chairman of the Society of Automotive Engineers International’s Embedded Software Standards Committee, told The New York Times: “it would be easy to say the modern car is a computer on wheels.” Yet while advanced technology has provided exciting new opportunities for drivers in navigation, communication and entertainment, it has also raised tricky questions around cybersecurity and data privacy.

A 21st century car often comprises the most refined technology that a consumer owns. It is now commonplace for in-car electronics to control the engine, transmission, chassis (including brakes and traction) and safety systems, such as airbags, diagnostics, navigation and climate, as well as communication and entertainment systems. Since 1999 the number of patents awarded to the automotive industry has increased by 10% and automakers are increasingly focused on developing autonomous vehicles and high-tech implementations for these.

Autonomous vehicles: driving innovation

An autonomous car is capable of sensing its environment and navigating without human input. The development of such technology has been a target for automakers and technology companies since the turn of the century, and has already resulted in significant advances.

While data communication technologies (eg, wireless transmission, video streaming and network capabilities) are new to the automotive industry, they are critical for assisted driving. Applications include monitoring vehicle performance and enabling vehicle diagnosis to be shared instantly with service and support partners, auto manufacturers and emergency services.

Data privacy in autonomous vehicles

Fully autonomous cars rely on sensors to identify their surroundings, as well as pedestrians, cyclists and other vehicles. They also recognise immobile objects, including road infrastructure and trees. The software which assists the sensors then decides on the speed and trajectory needed for the car to drive safely. However, the additional computers, sensors and improved internet connectivity necessary for a car to drive itself increase risk in other ways.

Autonomous vehicles trigger data-flow issues which are common in Internet of Things technologies. These result from constant real-time communication between users and their environments, and then between users and data collectors.

Data collected from autonomous vehicles can reveal intimate and commercially valuable personal details, including geolocation and driving habits, as well as in-car preferences, a driver’s daily routine – even his or her bank details. One example might be BMW’s sensors, which are supposedly capable of knowing when a child is on board – this information would be valuable for commercial entities which could target vehicles carrying children, encouraging cars to leave the road and enter their stores with kid-friendly offers.

As well as concerns around data privacy, autonomous vehicle controls are vulnerable to hacks. At Defcon 2015, the world’s largest hacking conference, Twitter’s Charlie Miller and IOActive’s Chris Valasek demonstrated how to take over a Jeep wirelessly. They used a laptop connected to the Internet miles from the vehicle to seize control of it, cutting the brakes and transmission at the flick of a switch.

Tesla – an industry leader in self-driving vehicle production – offers a bug bounty programme, rewarding experts between $100 and $10,000 for exposing and reporting its system’s vulnerabilities. In 2015 researchers Kevin Mahaffey and Marc Rogers were able to hack a Tesla Model S, revealing six vulnerabilities, including remotely opening and closing car doors, seizing control of the infotainment system and even starting the car. Then in 2016 Keen Security Lab, a unit of Chinese internet giant Tencent, announced that it had discovered “multiple security vulnerabilities” in the Model S which had enabled it to remotely control a car in both parking and driving mode. Thanks to its bug bounty programme, Tesla was able to fix these software vulnerabilities swiftly.

It is already possible to take control of conventional vehicles in various ways (eg, dialling into a car’s built-in mobile connection or giving a driver a CD which makes the car connect to an attacker’s computer). Once inside the system, hackers can take control of the brakes, engine or other components of the car remotely. In addition, car makers do not always know exactly what software is inside the vehicles they sell because third-party suppliers guard the details for reasons of competitive advantage.

Safe and secure with regulation?

In 2014 major automakers – including BMW, Chrysler, Ford, GM and Honda – voluntarily adopted the Fair Information Practice Principles, which include commitments to:

  • transparency;
  • consumer choice;
  • minimisation of data collection and retention; and
  • anonymity.

The principles require heightened protection for personally identifiable information, such as geolocation, driver behaviour and biometric data.

The Alliance of Automobile Manufacturers, which is made up of 12 automakers, and the Association of Global Automakers, which comprises 12 manufacturers and five suppliers, have also developed a framework for automotive cybersecurity best practices. Together, these groups are addressing potential cybersecurity challenges to produce safe vehicles which incorporate both modern and robust security protections.

The framework covers several areas, including vehicle security by design, risk assessment and management, threat detection and protection, incident response, and collaboration and engagement with appropriate third parties.

However, despite industry agreement on information privacy best practices, there is no regulation in place which addresses – or even acknowledges – the data privacy and security problems associated with the collection, use, storage and dissemination of data gathered from autonomous vehicles. Existing regulation largely deals with aspects of physical safety and fails to examine privacy and cybersecurity issues. In the United States, seven states and the District of Columbia have enacted laws which address autonomous vehicles, while many more states have laws in the pipeline. However, these still do not deal with data flows in connected cars. Instead, they typically prescribe registration and notice requirements for putting autonomous vehicles on the roads, and require a manual override and a licensed driver in a position to control the vehicle.

Until governing bodies establish a protocol applicable to all autonomous vehicles, cybersecurity progress is likely to be limited. However, once a protocol is established, this should prompt an increase in the number of patent filings addressing specific requirements. Certain factors which may govern such protocol include the user information which is required to operate an autonomous vehicle and which is also shared with car manufacturers, application developers and third parties, as well as the driver or vehicle information which is available to the government to enforce traffic laws.

Automakers and cybersecurity

Market pressures mean that manufacturers, software developers and other players in the value chain need to take data privacy and security seriously, as this is bound to have a direct impact on customer acceptance of this new technology. Drivers are likely to prefer vehicles which ensure that their personal data is respected; companies which integrate data privacy at all stages of design and operation will likely enjoy a significant competitive advantage.

CPA Global carried out in-depth patent analysis of automotive cybersecurity innovation to find out whether car manufacturers are working diligently to develop hack-proof vehicles. This research revealed that automotive cybersecurity innovation has increased by more than 400% since 2011 (see Figure 1).

Figure 1. Number of patent families in automotive cybersecurity innovation

Source: Innography

Figure 2. The year automotive cybersecurity patents were filed

Source: Innography

The 10 most innovative companies in the field comprise a mix of technology companies and automakers. Automotive companies are largely innovating in the overall system security space, whereas technology companies tend to focus on specific aspects of security, such as computer security and network security. Companies such as Ford, Avocado Systems and Amazon have all filed patent applications for technologies applicable to automotive cybersecurity systems.

The priority for companies operating in computer security technologies is to authenticate the data that is transmitted from an autonomous vehicle, controlling access to certain components of the vehicular system and providing application security. Amazon and Lockheed are working to secure the communication channel which carries data from a vehicle to the cloud or a server. While both companies are innovating to deliver improvements in the wider security space, the techniques they are developing are relevant to a number of applications.

Parallels can be drawn with the financial services space, where regulations restrict how data is communicated. Advanced security techniques such as quantum key distribution could be used in autonomous vehicles to ensure that personal data is protected through sophisticated encryption techniques.

Protecting personal data: technology companies

In the area of automotive cybersecurity there are 142 patent families, 92% of which have been filed since 2010. CPA Global’s research into patent trends within these families revealed 10 companies leading innovation in this area – as illustrated by Figure 3.

Surprisingly, the top portfolio holder in terms of total patent families is a drone company, Sz Dji Technology, known as Dji. Dji was granted a patent for “authentication systems for the vehicle itself and for the passengers/actors” in 2016. The patent claim specifically concerns unmanned aerial vehicles or drones. Drone security is surprisingly similar to autonomous vehicle security and the patent’s specification discloses that the authentication system can be applied to autonomous vehicles. For connected vehicles to operate successfully, they must interact with each other and conform to a central regulatory body – which is strikingly similar to an air traffic control management system.

Figure 3. Top 10 companies leading innovation in automotive cybersecurity

Source: Innography

In the same way, in 2015 Amazon was granted a patent for “authentication of message” technology, with an apparatus claim which was specific to drones, but had broader method claims. Amazon may not be innovating within the autonomous vehicle space in a traditional sense, but its applications remain strategically broad enough to apply. By working to a Trusted Computing Group Trusted Platform Module security standard, all Amazon technologies are developed with security in mind. Complying with the full specification – Version 1.2 and/or ISO/IEC 118813 – means that Amazon’s messaging technology could successfully protect a driver’s personal data should it be applied to vehicles in the future.

Avocado Systems – an emerging security company – was granted a patent in 2016 for “access management”. This technology aims to secure personal data and manage or restrict accessibility for third parties. Unlike the technology described in the Dji patent, Avocado Systems’ technology has not been developed for a particular industry. Instead, it applies to a number of types, from control applications to infotainment applications (see Figure 4).

Figure 4. Applications of Avocado Systems Management technology

Source: Innography

From CPA Global’s analysis, it is clear that data security is a consideration for a number of industries and this is where the most innovation is taking place. The companies with the most patent families are not innovating exclusively for autonomous vehicles, but in other applicable technology areas. Breakthroughs in data protection and cybersecurity can be shared and applied to new technologies, in the same way that flight regulation technology could be used in autonomous vehicles in the future.

Where safety and security meet

When it comes to autonomous vehicles, safety and security overlap. If a vehicle is hacked and a third party can manipulate controls, this could result in a collision or other accident. Autonomous vehicle security thus needs to cover a wide range of features for passenger safety. Implementing traditional security technologies may be the best way to ensure this.

In the 142 patent families investigated by CPA Global, multiple standards are mentioned. The main purpose of these is safety.

Defined by the International Organisation for Standardisation (ISO) in 2011, ISO 26262 – titled “Road vehicles – functional safety” – is an international standard for the functional safety of electrical or electronic systems in production automobiles. Automotive Safety Integrity Level (ASIL) is a risk classification scheme also defined by the ISO 26262 standard. This is an adaptation of the safety integrity level used in IEC 61508 for the automotive industry. This classification helps to define the safety requirements necessary to comply with the ISO 26262 standard. The ASIL is established by analysing the severity, exposure and controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.

Many innovative companies which handle data – personal or otherwise – will work to standards such as these, regardless of the technologies or applications that they are developing.

IBM has an interesting hardware approach to security and protecting private data. Patent US8941405 cites physical unclonable function technology for data security. Chip over chip technology is deployed, so that even if the layout of the chip is reproduced, the set of codes for each chip is different from the original.

Cybersecurity and automaker innovation

Automotive companies are not in fact the most active innovators in autonomous vehicle technologies or cybersecurity systems. Instead, technology companies are receiving the most investment in these areas and will eventually supply automakers with the technologies needed to secure the autonomous vehicles they are looking to produce. Figure 5 illustrates the commercial dynamics and emerging entities in this area.

Among automotive companies, Ford, Audi and Toyota are the most active players in the cybersecurity area. Ford has the highest number of security solutions in place – covering secure access to vehicles, theft prevention, redundant security checks to enhance security and overall communications architecture.

Continental AG is a leading German automotive manufacturing company. It has been granted two German patents related to secure data transfer using public key infrastructure in vehicle-to-vehicle communications, using a video feed to enhance safety.

Figure 5. Business age versus investment and emerging innovation

Source: Innography

Safety practices are becoming more regulated as industries adopt standardised practices for designing and testing products. Similar to Amazon complying with a designated security standard for each new technological development, many automakers strive for comparable standards in the automotive industry.

ISO 26262 addresses the need for an automotive-specific international standard which focuses on safety critical components, where only certain tools, hardware and software can qualify. Audi has successfully qualified for this standard with two of its patented technologies. Patent DE102014014858 details a method to implement vehicle safety. Data collected from in-car sensors is used to evaluate safety function and there is a separate safety criteria calculation unit on board. Audi’s second patent in compliance with ISO is Patent DE102014011802A1, which focuses on initiating an autonomous/semi-autonomous function after an authorisation protocol. Should these technologies be introduced to autonomous vehicles in the future, they will have already been proven to be secure.

Non-traditional players enter cybersecurity race

In the future, it is expected that most autonomous vehicles will be hybrids or pure electric vehicles – existing examples include Ford Fusion, Chevrolet Bolt, Nissan Leaf, Toyota Prius and Tesla vehicles. Most hybrids and electric vehicles are configured for drive-by-wire, steering-by-wire and brake-by-wire systems which are structurally compatible with automated driving. The by-wire technology replaces traditional mechanical control systems with electronic control systems; this flexibility expands the number of options for vehicle design.

It is likely that all autonomous vehicles will use electric power in the future, but charging points could present new security concerns. Could data and in-car technology systems be vulnerable to hackers when power is being transferred?

WiTricity is a US engineering company which manufactures devices for wireless energy transfer. In 2009 the company was granted Patent US8912687 for “power grid level security” technology. The power transfer technology was developed for a number of applications – including use in medical devices and autonomous vehicles. WiTricity is a major player in the power transfer space and has a significant portfolio of secure energy transfer patents. Its technology is predicted to play an important role in the future of autonomous vehicle adoption and protection of in-car systems.

Time to protect personal data

Gartner predicts that by 2020, 250 million connected vehicles will be on the road, enabling new in-vehicle services, automating driving capabilities and paving the way for fully self-driving vehicles in the future.

Collaboration and the implementation of common standards are crucial to build a functioning autonomous vehicle which is secure from hackers and which uses personal data for customised driver experiences without sharing private information with third parties. As evidenced in CPA Global’s analysis of the current automotive cybersecurity patent landscape, automakers, technology companies and contributors to the electric vehicle industry are combining to provide the elements that will make self-driving a reality.

Connected vehicles are designed to improve road safety and reduce the number of traffic collisions. However, they also raise significant concerns about the privacy and security of drivers’ personal data. Society is often reactive rather than proactive when it comes to security issues, adopting serious preventive measures only after a major incident has occurred. Cyberattacks have proven to be a real threat during testing and this will continue to be a significant issue if the risk is not taken seriously.

As a major malicious attack has yet to take place, it is hard to know exactly who is most likely to perpetrate one, how it might happen and how much damage it might cause. Automakers and government regulators need to focus on the issue now and prove they can protect drivers’ personal data – before consumers decide that autonomous vehicles are not worth the hassle.

Action plan

With the most basic vehicles containing at least 30 electronic control units and luxury cars containing as many as 100, advanced technology is providing exciting new opportunities for drivers in navigation, communication and entertainment. However, it is also raising significant questions around cybersecurity and data privacy:

  • Reliable wireless communications technology can monitor vehicle performance and enable vehicle diagnosis to be instantly shared by service and support partners, auto manufacturers and emergency services.
  • However, data collected from autonomous vehicles could reveal intimate and commercially valuable personal details, and autonomous vehicle controls are vulnerable to hacks.
  • Despite an industry agreement on information privacy best practices, no regulations address data gathered from autonomous vehicles.
  • It is likely that all autonomous vehicles will use electric power in the future, but charging points could present new security concerns. Could data and in-car technology systems be vulnerable to hackers when power is being transferred?

Matt Luby is director of analytics, Asia-Pacific at CPA Global, Tokyo, Japan

Pramitha Krishnamurthyprakash is group lead of analytics, US and EMEA at CPA Global, Chicago, United States

Unlock unlimited access to all IAM content