It started quietly and unexpectedly got louder and louder.
You see, I could hear the sounds of possums on my roof. Those irascible creatures were determined to break into my house. Seems like we have enough to worry about these days with cybercrooks breaking into your laptop or smartphone, yet here were these marsupials doing an old-fashioned break-in.
Have you ever had a similar problem?
I was beset, or under siege, by a seemingly endless supply of possums. I first discovered that they had opted to invade my domicile when I heard a scampering sound in the attic. Upon my daring to take a peek, I saw an adult-aged possum staring directly at me, doing so as I shone my bright flashlight at the creature that was using my attic as a veritable second home.
Rent-free, I might add.
I was luckily able to motivate the scampering beast to leave the attic. This wasn’t an easy task, let’s leave it at that. Anyway, the possum left the same way it got in. Turns out that one of my small screens that allowed ventilation into the attic had deteriorated and was easily pushed aside by the determined animal. I repaired the screen. In my mind, that was the last I would ever see of the possum.
I underestimated my crafty foe.
After having initially gotten into the attic, it is my guess that the possum sized up the situation and decided that this would be an ideal place to raise a family. The attic was normally relatively dark. There was plenty of cushy insulation for a comfortable form of bedding. The temperatures in the attic were usually neither overly hot nor overly cold. The attic provided protection from predators and was otherwise vacant, except for some boxes of old books and papers.
Seems like this Goldilocks-like possum had found the just-so-right locale to settle down.
I left for a few days on a business trip and when I returned to my home the possum was not at all on my mind. Well, until I heard noises once again in the attic. What the heck? I figured that maybe some other wild beast had decided to take a look around. Perhaps a skunk or a raccoon. Seemed like the possum might have left an odor behind that could allure other creatures to come and see what all the fun was about. I secretly hoped it was a squirrel. That would be generally okay with me, though I nonetheless would still shepherd it out of my attic.
As I slowly lifted up my attic door, I shined my flashlight into the darkness and saw not just one pair of eyes, but several pairs of eyes. The possum had returned with all the kids (can I refer to the offspring or joeys that way?). I assumed the ventilation screen had given way again. Nope, the possum had somehow pried loose a shingle on the roof and made a damaging hole directly into the attic.
A determined house crasher and party goer.
Over the course of several weeks, I went to battle with the possums.
I would manage to get them out of the attic. They would find some other means to get back in. At one point, they became outrageously courageous. For example, one evening I went outside to move a bicycle off my driveway and left the front door ajar as I did so. As I made my way back to the slightly open door, a possum was nearing the doorway and seemed to be thinking that it was nice of me to entirely leave a passageway open, reducing the otherwise burdensome chore of trying to find a feasible break-in spot.
If you had asked me beforehand about the sanctity of my house and its overall security, I would have readily asserted that my house was ostensibly secure. All the doors had locks and included deadbolt locks too. All the windows had locks and also had screens that were snug and well-fitting. There was a gated fence around the perimeter of the property. We were very careful to lock up whenever we were at home and when we left on trips. We didn’t even put in a doggie door for our beloved pooch, since we figured it might allow for a stranger to squeeze into the residence (maybe that was due to watching the movie Home Alone too many times).
It really got my goat that the possums turned upside down my perception of the successful lock-down of our treasured abode.
Why all this talk about possums and household security?
Because I want to bring up the topic of cybersecurity, especially as it pertains to AI-based true self-driving cars.
It might seem puzzling that there is any semblance of a connection between those pesky possums and the topic of cybersecurity and self-driving cars. As will soon be apparent, the parade of possums that you could suggest “attacked” my house is somewhat analogous to those dastardly human hackers that try to break into computer systems. And when you give this matter some careful thought, it is relatively apparent that a self-driving car is really a computer on wheels.
Self-driving cars are chock-full of computers.
There are the computers that underpin the AI driving system. These are typically specialized processors that are especially souped-up to perform lots of computations, something sorely needed to be able to autonomously drive a car. By and large, the computer processing onboard a self-driving car is awe-inspiring and rivals the machines that we used to call supercomputers back in the olden days (to clarify, today’s supercomputers are still many times faster than the computers put into a self-driving car, so my comparison is to the prior eras of supercomputers).
But the computers for self-driving purposes are just one instance of computing that is found inside a modern car.
You see, conventional cars are also chock-full of computers. There are a whole bunch of other computers in contemporary cars regardless of whether they are yet capable of being a self-driving or driverless vehicle (also referred to as an AV or autonomous vehicle).
If you mindfully ponder the many ECUs (engine control units) and ECMs (engine control modules) that are jam-packed into a car, you can find yourself quickly losing count of the number of computers involved. The number of microprocessors varies by brand and model of vehicle, though you could reasonably estimate that there are at least fifty to possibly one hundred processors thereabouts, and the count keeps going up as we expect our cars to do more and more fancy acts.
Your first thought might be that the more the merrier seems to be an appropriate mantra.
We all want our cars to get better at what they do. If it takes a bunch more computers to get there, so be it. Most of us only care about the potential cost involved. As long as automakers can ensure that cars are still affordable, toss as many processors into the vehicle as might be useful for assuring our enjoyable driving journeys. Go at it, we say, and boost the computing power as much as you want.
There is a rub.
In brief, for each computer that you decide to add to a car, you are essentially putting another possible window or door in place (not literally, that’s a metaphor). Each computer becomes a potential portal or invitation to hacking. The cybersecurity “threat surface” or exposure realm for cars is getting larger and larger. All those microprocessors become a tantalizing target. They increase the risk of cyberhacking.
In a sense, those possums (hackers) are delighted that there are more ways to get in.
I’m sure you are protesting that getting into a house is a lot easier than sneaking into a computer. Yes, perhaps, but this all depends upon how well protected those computers are. Similar to my story about the possum that found a deteriorating ventilation screen and easily popped it to get into the attic, there are some computers in a car that are akin to that kind of vulnerability.
Just as I thought that my home was a veritable Fort Knox, so too might you assume that your car is an impenetrable fortress. That assumption is full of holes.
Speaking of conventional cars, the future of cars consists of AI-based true self-driving cars. Debate ensues as to whether or not we will soon be able to achieve true self-driving cars. Some skeptics assert we might not ever attain the vaunted goal of fully autonomous self-driving cars.
Keep in mind that self-driving cars are driven via an AI driving system. There isn’t a need for a human driver at the wheel, nor is there a provision for a human to drive the vehicle.
Here’s an intriguing question that is worth pondering: What is the cybersecurity threat surface for modern computer-infused cars and especially for the emerging AI-based true self-driving cars?
Before jumping into the details, I’d like to further clarify what is meant when referring to true self-driving cars.
Understanding The Levels Of Self-Driving Cars
As a clarification, true self-driving cars are ones in which the AI drives the car entirely on its own and there isn’t any human assistance during the driving task.
These driverless vehicles are considered Level 4 and Level 5, while a car that requires a human driver to co-share the driving effort is usually considered at Level 2 or Level 3. The cars that co-share the driving task are described as being semi-autonomous, and typically contain a variety of automated add-ons that are referred to as ADAS (Advanced Driver-Assistance Systems).
There is not yet a true self-driving car at Level 5, and we don’t yet even know whether this will be possible to achieve, nor how long it will take to get there.
Meanwhile, the Level 4 efforts are gradually trying to get some traction by undergoing very narrow and selective public roadway trials, though there is controversy over whether this testing should be allowed per se (we are all life-or-death guinea pigs in an experiment taking place on our highways and byways, some contend).
Since semi-autonomous cars require a human driver, the adoption of those types of cars won’t be markedly different than driving conventional vehicles, so there’s not much new per se to cover about them on this topic (though, as you’ll see in a moment, the points next made are generally applicable).
For semi-autonomous cars, it is important that the public be forewarned about a disturbing aspect that’s been arising lately: despite those human drivers that keep posting videos of themselves falling asleep at the wheel of a Level 2 or Level 3 car, we all need to avoid being misled into believing that the driver can take their attention away from the driving task while driving a semi-autonomous car.
You are the responsible party for the driving actions of the vehicle, regardless of how much automation might be tossed into a Level 2 or Level 3.
Self-Driving Cars And Cybersecurity Holes
For Level 4 and Level 5 true self-driving vehicles, there won’t be a human driver involved in the driving task.
All occupants will be passengers.
The AI is doing the driving.
One aspect to immediately discuss entails the fact that the AI involved in today’s AI driving systems is not sentient. In other words, the AI is altogether a collective of computer-based programming and algorithms, and most assuredly not able to reason in the same manner that humans can.
Why this added emphasis about the AI not being sentient?
Because I want to underscore that when discussing the role of the AI driving system, I am not ascribing human qualities to the AI. Please be aware that there is an ongoing and dangerous tendency these days to anthropomorphize AI. In essence, people are assigning human-like sentience to today’s AI, despite the undeniable and inarguable fact that no such AI exists as yet.
With that clarification, you can envision that the AI driving system won’t natively somehow “know” about the facets of driving. Driving and all that it entails will need to be programmed as part of the hardware and software of the self-driving car.
Let’s dive into the myriad of aspects that come into play on this topic.
Before I share some cybersecurity insights, allow me a moment to bring up some related points.
Whenever I write about cyber-security, some complain right away that doing so allows cyber-hackers to gauge what kinds of cyber protections are being devised and what kinds of cyber vulnerabilities exist.
The worry is that writing about these topics helps the cyber-hackers, arming them accordingly.
Please realize that this is the now-classic head-in-the-sand posturing regarding discussing cyber-security and related matters. Some believe that we should not talk about, write about, or in any manner even whisper the nature and avenues of cyber-security and cyber-hacking, since it tips a hand to the evildoers.
This is a misguided and ill-informed notion, though one can certainly sympathize with their logic.
Here’s the conundrum.
It is plainly the case that cyber-hackers are going to figure out these same facets, one way or another. Trying to hide such discussions does little good, and it tends to undercut both the preparations for, and the awareness of, being on the hunt to stop and prevent cyber-hacking.
A head in the sand translates into getting kicked in the rear, as the old saying goes.
Meanwhile, there is another stated reason to not discuss such matters, namely that doing so will cause mass hysteria. Again, the logic for this is certainly understandable.
When those writing about cyber-security and cyber-hacking do so irresponsibly, attempting merely to fan the flames of angst, there is no question that such shoddy and perhaps even iniquitous efforts are sad, hurtful, and do not advance sensibly the battle between cyber-security and cyber-hacking.
It is vital that discussions about cyber-crime be taken seriously, somberly, and factually, and that they portray matters in a balanced and rational way. As an example of how these topics are indeed publicly being discussed, you might wish to refer to a handy U.S. Congressional Research Service (CRS) report labeled as R45985 and entitled “Issues in Autonomous Vehicle Testing and Deployment” written by Bill Canis.
Having covered the preceding caveats, let’s dive into some background and context of how cyber-security and cyber-hacking come into play with AI-based true self-driving cars.
The OBD Portal
The first potential point of entry worthy of attention entails the OBD (on-board diagnostics) portal.
You might already vaguely be familiar with the OBD portal in your conventional car. This is the place where an electronic diagnostic code about the vehicle status can be sourced. If you’ve ever gotten the so-called “idiot light” or dashboard indicator telling you that something is amiss in your car, another means to find out the details of the problem consists of accessing the OBD portal. A handheld device can be used to plug into the OBD portal and there are smaller USB-memory sticks that are available to do likewise.
The OBD portal is usually just slightly under the dashboard, openly accessible, down kind of where you might see your parking brake release or hood release. It isn’t usually obvious to the eye and is purposely positioned somewhat out of view. You need to look for it. Any car mechanic or gearhead that tinkers with cars is certainly familiar with the OBD portal. This digital communications port can provide essential real-time data about internal issues of the vehicle, normally conveyed via a standardized set of DTCs (diagnostic trouble codes).
Okay, you might be pondering, so there is this OBD portal that allows you to read the car status. Not a big deal, it would seem.
Well, it is a big deal.
The OBD portal generally allows you to connect to a wide array of embedded systems within the vehicle. Furthermore, the OBD portal can be used to send instructions or data into the various connected systems and does not need to solely be acting on a read-only basis. In some cases, the OBD portal can be used to flash new firmware into the connected embedded systems, thus potentially allowing for reprogramming of what those systems are to do.
Anyone that knows anything about OBD knows that this is a vulnerability that is oftentimes treated as though it is inconsequential.
The logic seems to be that since you would need to get into the vehicle to access the OBD, this aspect alone is a sufficient form of protection. The thing is, if let’s say the car door is inadvertently left unlocked, a savvy thief can potentially start the vehicle by using the OBD portal without having the car key (or take other untoward actions regarding the vehicle).
Another claim is that the OBD is relatively unknown among the masses and therefore is protected via the classic notion of security through obscurity. In short, if nobody particularly realizes that this exposed point of entry exists, it will silently sit there and remain unused for any nefarious purposes. That might be the case for the masses, but any savvy cybersecurity car thief or bad hacker would readily know about it.
From the perspective of AI-based true self-driving cars, the availability of the OBD portal presents qualms, that’s for sure.
A cyber hacker could try to use the OBD portal to confound or overtake the AI driving system. A counterargument is that the AI driving system is hopefully protected by its own layer of systems security and cannot be breached via the OBD pathway. That might or might not be the case, though this also tends to overlook the crucial aspect that the AI driving system relies upon the vast number of other connected embedded car subsystems, which might themselves get cyber hijacked or distorted via a cybersecurity attack.
Probably the biggest saving grace about the OBD portal for self-driving cars is that it is a physical connection and pretty much requires physically being inside the car. The emphasis is that you would only be able to mess with one self-driving car at a time. This would limit how widespread you could carry out a dedicated cyberattack on an entire fleet of self-driving cars. As will next be discussed, there are much more pervasive ways to perform such evil deeds.
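The read-versus-write distinction described in this section can be enforced at a diagnostic gateway sitting between the OBD connector and the in-vehicle network. The sketch below is an added example, not code from any automaker: the service identifiers are the standard OBD-II (SAE J1979) and UDS (ISO 14229) ones, while the policy, the `tool_authorized` and `vehicle_stationary` inputs, and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The first byte of a diagnostic request is its service identifier (SID).
# 0x01-0x0A are OBD-II modes (SAE J1979); the others are UDS services (ISO 14229).
READ_ONLY = {
    0x01: "OBD current data",
    0x02: "OBD freeze-frame data",
    0x03: "OBD stored DTCs",
    0x07: "OBD pending DTCs",
    0x09: "OBD vehicle information",
    0x19: "UDS ReadDTCInformation",
    0x22: "UDS ReadDataByIdentifier",
    0x3E: "UDS TesterPresent",
}
STATE_CHANGING = {
    0x04: "OBD clear DTCs",
    0x10: "UDS DiagnosticSessionControl",
    0x11: "UDS ECUReset",
    0x14: "UDS ClearDiagnosticInformation",
    0x27: "UDS SecurityAccess",
    0x2E: "UDS WriteDataByIdentifier",
    0x2F: "UDS InputOutputControlByIdentifier",
    0x31: "UDS RoutineControl",
    0x34: "UDS RequestDownload (start of a firmware flash)",
    0x36: "UDS TransferData",
    0x37: "UDS RequestTransferExit",
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def filter_request(payload, tool_authorized, vehicle_stationary):
    """Decide whether a request arriving on the OBD connector is forwarded.

    Assumes the payload is already reassembled (transport framing removed)
    and that the gateway has its own way of authorizing a service tool;
    both are outside this sketch.
    """
    if not payload:
        return Decision(False, "empty request")
    sid = payload[0]
    if sid in READ_ONLY:
        return Decision(True, "read-only: " + READ_ONLY[sid])
    if sid in STATE_CHANGING:
        name = STATE_CHANGING[sid]
        if not tool_authorized:
            return Decision(False, "tool not authorized: " + name)
        if not vehicle_stationary:
            return Decision(False, "vehicle moving: " + name)
        return Decision(True, "authorized: " + name)
    # Fail closed: anything not explicitly classified is dropped.
    return Decision(False, "unknown service 0x%02X, denied by default" % sid)


# Constructed sample requests (hex): two OBD reads, a UDS read, a UDS write,
# a truncated flash request, and an unassigned service byte.
SAMPLE_REQUESTS = [bytes.fromhex(h) for h in
                   ("0105", "03", "22F190", "2EF19041", "3400441000", "BA")]


def audit(requests, tool_authorized=False, vehicle_stationary=True):
    """Return (hex, reason) for every request the gateway would drop."""
    blocked = []
    for req in requests:
        decision = filter_request(req, tool_authorized, vehicle_stationary)
        if not decision.allow:
            blocked.append((req.hex(), decision.reason))
    return blocked


if __name__ == "__main__":
    for entry in audit(SAMPLE_REQUESTS):
        print(entry)
```

The dropped-request list doubles as a detection signal: write or flash attempts from an unauthorized tool are worth logging even when they are blocked.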
The Vaunted OTA
The most notable Achilles’ heel for self-driving cars is going to be the OTA (Over-The-Air) electronic communications capability.
Some consider the OTA to be the best thing since sliced bread. Self-driving cars will have a communications device that allows for making a connection to a cloud computing platform that is presumably maintained by a fleet operator or the automaker or similar. Patches and various software updates for the AI driving system can readily be downloaded and installed. This allows for rapid changes while self-driving cars are in the field and avoids having to bring the vehicle to a local dealer or repair shop to merely make system changes.
The OTA will also provide a means to upload data from the self-driving car. Self-driving cars will be collecting gobs of data via their onboard sensor suite. This data can be pushed up into the cloud. Some uses will be to improve the AI driving system capabilities by analyzing driving journeys. There is also the likely monetization that will be quite profitable for those operating a fleet. I’ve referred to this as the “roving eye” and indicated that though it has some goodness possibilities, it also portends worries about privacy intrusion and like concerns.
It is perhaps plainly apparent that the OTA is a huge potential hole for any cyber hackers or possums that might want to make their way into the AI driving system. As an analogy to a house, you could suggest that this is the front door and is nearly begging to be usurped.
What makes the OTA especially beguiling is that a cyber crook could potentially do rather widespread damage by sending out, say, patches to an entire fleet of self-driving cars. Whereas the OBD portal was a one-at-a-time trick pony, the OTA is a salivating form of temptation because it holds forth the chance of intruding upon thousands, perhaps millions of deployed self-driving cars (when that day arrives).
Internet Of Things (IoT)
You use your smartphone while inside today’s conventional cars. The smartphone might be operated in a completely unconnected manner related to the vehicle. On the other hand, automobiles are gradually providing for smartphones to be connectable to the vehicle, usually doing so to make use of an in-car entertainment or infotainment system.
We are all aware that there are going to be a lot of devices with Internet connectivity, referred to as the Internet of Things (IoT). A smartwatch will make use of IoT. Jewelry is starting to make use of IoT. Soon enough, your clothing will make use of IoT, such as your shoes being able to connect to the Internet and retrieve and report data about your foot-related travails. And so on.
When a rider gets into a self-driving car, they are going to be wearing a plethora of IoT devices. Each of those IoT devices is potentially going to want to access something related to the vehicle. This is like inviting a herd of possums (known as a passel) into your yard. They are close enough to try and poke around, hoping to find a weakness to get into your home.
Those ECUs And Other
As earlier mentioned, there are many ECUs embedded within a modern vehicle, including for self-driving cars too.
There is likely to be an ECU for the engine, an ECU for the steering controls, an ECU for the braking capabilities, etc. You might be surprised to realize that there is likely an ECU for the airbags and the seatbelts, an ECU for the lighting system of the vehicle, an ECU for the power windows, and so on. Today’s cars also have allied systems such as a TPMS (tire pressure monitoring system).
All of these ECUs and other embedded subsystems present vulnerabilities.
One concern is that a cyber hacker could overtake a particular ECU and it would no longer respond as it would otherwise normally act. If the AI driving system was unaware that an ECU had been overtaken, you can imagine how the ECU could detrimentally affect the driving of the vehicle. The AI driving system might remain untouched, but a crucial element of operating the self-driving car is now a potential ticking time clock of danger.
An additional devious ploy would be to use the granted access of the ECU, which normally has relatively unfettered access to the rest of the vehicle, as a means of trying to carry out other assorted cyberattacks. This could be a divide and conquer tactic. Start with the most innocuous of ECUs and then gradually attempt to take over more and more of them. This includes ultimately aiming to overtake the AI driving system.
In my house, at one point a possum not only got into the attic, but this access was also then used to get into a closet that had a small ceiling-based hatchway of an auxiliary nature. The possum pushed down hard on the flimsy attic doorway and fell into the rest of the closet. I don’t think the possum knew beforehand where it was going, and merely was trying to see what might be beyond the hatchway. In any case, the idea is that if you can get into one area or element, perhaps this can be profitably used to get into more areas (a common technique by cyber hackers).
The CAN Internal Network
Cars typically have an internal electronic network that enables the various systems and subsystems to electronically communicate with each other. Rather than having to wire each system to each other system, which would be a potential nightmare to try and undertake and maintain, instead a convenient overarching digital pathway is established.
Electronic messages and data flow back and forth on this internal network. Think of it as a river that runs throughout the vehicle and for which any device connected to the river can partake in tasting the water or can also place items into the water for purposes of floating downstream or upstream to others along the river.
The technical parlance is that this is the CAN (controller area network). It is usually referred to as a CAN “bus” in that it is a type of passageway for messaging.
Envision that an AI driving system is trying to electronically communicate with the ECU used for the brakes. Suppose a cyberhacker has found a means to intrude upon the CAN bus; in our river-related analogy, the evildoer is floating along with a conniving piece of code that can intercept messages. This is a classic man-in-the-middle security breach. Not good.
Since I keep mentioning the possums, it is noteworthy that they decided that the air conditioning ducts in my home would be a handy means to get from one place in the house to another. They infiltrated the (shall we say) network of piping and were able to traverse wherever they wished to. This also led them to try to chew through the grates of the A/C ducts that led into the various rooms of the residence.
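A classic CAN frame carries an identifier and up to eight data bytes, with nothing that proves who sent it, which is why anything on the "river" can alter or re-send a brake command. The added example below (not from the original column or any vendor) shows the receiver-side countermeasure: a freshness counter plus a truncated message authentication code inside the payload. The arbitration ID, payload layout, demo key and the use of HMAC-SHA256 (production schemes commonly use an AES-based CMAC) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

BRAKE_CMD_ID = 0x120          # hypothetical arbitration ID for brake requests
DEMO_KEY = bytes(range(16))   # constructed key; real keys live in secure storage


def compute_tag(key, can_id, value, counter):
    """4-byte truncated HMAC over the ID, the command value and the counter."""
    msg = struct.pack(">HHH", can_id, value, counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def build_frame(key, can_id, value, counter):
    """Assumed 8-byte payload: value (2) | counter (2) | tag (4)."""
    return struct.pack(">HH", value, counter) + compute_tag(key, can_id, value, counter)


class BrakeReceiver:
    """Brake ECU side: accept a command only if it is authentic and fresh."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, can_id, data):
        if can_id != BRAKE_CMD_ID or len(data) != 8:
            return False, "wrong id or length"
        value, counter = struct.unpack(">HH", data[:4])
        expected = compute_tag(self.key, can_id, value, counter)
        # Verify the tag first so a forged frame can never advance the counter.
        if not hmac.compare_digest(data[4:], expected):
            return False, "bad tag"
        # Counter wrap-around handling is omitted to keep the sketch short.
        if counter <= self.last_counter:
            return False, "stale counter (replay)"
        self.last_counter = counter
        return True, "ok"


def run_demo():
    """Feed genuine, modified, replayed and forged frames to one receiver."""
    rx = BrakeReceiver(DEMO_KEY)
    genuine_1 = build_frame(DEMO_KEY, BRAKE_CMD_ID, 300, 1)
    # Something on the bus rewrites the value to 0 but cannot recompute the tag.
    modified = struct.pack(">H", 0) + genuine_1[2:]
    # A sender without the key guesses a tag.
    forged = struct.pack(">HH", 0, 9) + b"\x00\x00\x00\x00"
    genuine_2 = build_frame(DEMO_KEY, BRAKE_CMD_ID, 250, 2)
    frames = [
        ("genuine", genuine_1),
        ("modified in transit", modified),
        ("replayed copy", genuine_1),
        ("forged without key", forged),
        ("next genuine", genuine_2),
    ]
    return [(label,) + rx.accept(BRAKE_CMD_ID, data) for label, data in frames]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

A 32-bit tag is a compromise forced by the eight-byte payload, so rejected frames should also be counted and reported as an intrusion indicator.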
V2V and V2X
I’ve written extensively that a boon to self-driving cars will be the use of V2V (vehicle-to-vehicle) electronic communications (see my columns). This might be undertaken via DSRC (dedicated short-range communications) capabilities. The notion is that a self-driving car could send a message to another nearby self-driving car, doing so to perhaps forewarn about debris in the roadway up ahead.
There will also be V2I (vehicle-to-infrastructure) electronic communications. Think about traffic signals that can send out electronic messages to let self-driving cars know that the traffic light is not working or that it is turned to a full-stop red because of a traffic incident nearby. There are going to be a variety of these kinds of vehicle-related communications avenues, which all told is referred to as V2X (vehicle-to-everything).
An AI driving system is likely to rely significantly upon the V2X. If cyber hackers could fool the V2X, they have a chance of tricking the AI driving system.
You might be puzzled that if self-driving cars are potentially a leaking sieve of cybersecurity holes, why haven’t those despicable cyberhackers already been going after self-driving cars in droves?
The straightforward answer is that it hasn’t been worth their time.
There is only a small set of tryout self-driving cars underway today. Attacking an experimental self-driving car is not especially profitable right now. Going after large companies like banks, hospitals, gas pipelines, and the like is today a much more attractive target.
Other than trying to glean some bragging rights, it just isn’t especially worthwhile at this time to cyber hack self-driving cars. Furthermore, the attack can be readily downplayed as nothing more than an annoyance that had little or no demonstrable impact. This claim can be strengthened by the assertion that the tightened security hasn’t been put in place yet, and will happen once self-driving cars are widely employed. All told, finding ways to cyberattack self-driving cars is not on the priority list of things that can gain fame or fortune.
You can bet your bottom dollar that once self-driving cars are avidly being used and widespread, the attention of the cyber crooks will indubitably turn toward self-driving cars.
Just as I had to take special precautions to keep out the possums, automakers and self-driving tech firms cannot let themselves fall asleep at the wheel when it comes to bolstering cybersecurity protections. It is easy to fall into such a trap when there isn’t any overwhelming menacing indication at this time.
Be expecting that possums are going to quietly first perhaps occupy the attic, and the next thing you know, the entire house will be in their destructive hands (marsupial feet).