When it comes to edge cases – fallen trees, road work, officers directing traffic, etc. – autonomous vehicles (AV) continue to remain dependent on human assistance. Which is a key reason that, for the foreseeable future, teleoperation is central to future AV deployment. Teleoperation utilizes network connectivity and software that allows a human operator to connect and control vehicles from many miles away in real-time.
However, there is still the challenge of cybersecurity. If compromised, teleoperation capabilities can endanger lives and shatter the reputation of the automotive industry. Hence it is imperative for the industry to meet this challenge head-on, by adopting a cybersecurity-centric approach to teleoperation software design rather than relying on off-the-shelf solutions.
Early Cyber-Threats and the Automotive Industry Response
The recent proliferation of connectivity in cars has increased the likelihood of cyber-attacks. Such attacks not only compromise the privacy of drivers and passengers, but also pose risks to their physical safety and that of others on the road.
Automotive connectivity technology was introduced in 1996 by General Motors. The primary aim was to enhance safety by enabling emergency contact with call centers. Since then, connectivity has been enhanced to support a growing set of safety, entertainment and service-related features. At the same time, this advanced communication created an attractive attack surface for hackers.
In 2015, researchers found a vulnerability in the Jeep Cherokee entertainment system, enabling them to take control of the in-vehicle computer. They were able to control steering, brakes, and transmission all from a simple laptop located miles away. This resulted in Chrysler recalling 1.4m vehicles.
For the automotive industry this was a wake-up call. The potential damage of such attacks would be a calamity not just for a particular brand, but for the industry as a whole. Economic losses could be staggering, taking years to regain a damaged reputation.
Significant progress has since been made to meet the cybersecurity challenge. A coalition of car manufacturers (OEMs) and their suppliers, as well as regulators, insurance and technology companies and telecommunication providers, have worked together to create Auto-ISAC, a professional community that works together to enhance vehicle cybersecurity.
New models of connected cars use improved architecture and modern cybersecurity solutions. Both are designed to limit the attack surface. The latter is also designed to identify attacks in real-time and ensure that the critical control modules of the vehicle cannot be accessed. A hack like the one in 2015 has not been reported since.
Autonomous Vehicle Technology Increases the Cyber-Attack Surface
The evolution from “connected” to “autonomous” vehicles has substantially increased the potential attack surface. Generally, the more code a system runs, the greater the risk of an exploitable vulnerability. Compared to connected cars, AVs run lots more code and use many more services.
AVs are also different from connected cars in that they are designed to allow their on-board software to manage and control almost all vehicle systems, including the critical driving modules. Teleoperation adds a real-time communication channel that is designed to control the vehicle remotely - the exact scenario that traditional automotive cybersecurity is designed to prevent.
Cyber-Securing the Future of Mobility
The cybersecurity challenge facing the AV industry, especially when coupled with teleoperation, is formidable. Some think that a standard third-party cybersecurity solution is enough to secure their teleoperation platform. In fact, it is insufficient, because of the unique attack vectors that teleoperation introduces. Therefore, cybersecurity must be an integral part of teleoperation design, planning and implementation.
Let’s explore some attack vectors that are unique to teleoperation:
1. Targeting the three major teleoperation components: The control station, in-vehicle teleoperation software module and the cloud.
- A vehicle can be taken over by a compromised control station.
- Compromising the teleoperation software module in the vehicle allows control of the vehicle and /or a denial of service (DOS) attack.
- Teleoperation cloud data centers can allow for overwhelming a single teleoperation center, impersonating a teleoperation center, corruption of data, data leaks and more.
2. Blocking all communications between the vehicle and the control station, denying any vehicle assistance.
3. An attacker can gain access to teleoperation capabilities via the interface between the AV software stack and the teleoperation module.
And this list is just the beginning. Teleoperation cyber-risks clearly exceed the boundaries of a standard automotive cybersecurity solution. Only when cybersecurity is an integral design element, rather than a third-party solution, can a solution be secure.
Here are a few examples of how such an architecture can provide the security needed:
- Only the vehicle can initiate a teleoperation session to prevent an attacker pretending to be a control station.
- Minimize and supervise the AV stack API to reduce access gained through other software components.
- Prioritize indirect control over direct control, which require the teleoperation module to send the AV stack instructions instead of having direct orders from the station.
- Use a mediating component between the in-vehicle module and the control station to reduce risk of anomalous usage of the platform.
The future of mobility includes teleoperation and it presents a unique challenge to automotive cybersecurity. To meet this challenge, any teleoperation platform must be built with cybersecurity in mind, rather than use an off-the-shelf, third party solution. Anything less would be negligent.