Addressing cyber-risks in the race for a driverless future

25 May 2017


With the prospect of fully driverless cars in the UK on the horizon, potential threats from hacking need to be seriously addressed. Helen Davenport, director at Gowling WLG, considers some of the issues that could arise and maps out the steps that should be taken to reduce risk in this safety-critical sector.

Is the UK likely to be significantly involved in the development of driverless car technology?

The global race is on to build fully autonomous vehicles and, in the process, create a future where we can all get around more easily and safely-and the UK is no exception despite the current uncertainty around Brexit and its trading future.

Not only is there a significant bedrock of development by UK original equipment manufacturers (OEM) but also a plethora of electronic and digital innovation around the technology that will support driverless vehicles. Indeed, this is something that the government has recently further committed to, announcing that it has invested £100m in a fund for autonomous vehicle-related projects.

It is important that addressing major risks-in relation to cyber-security, as well as passenger safety-keeps apace with the rapid evolution of the market. Indeed, there are already a number of instances that have helped highlight the potential security risks.

Are there any real-world examples of hacking vehicles with driver-assist systems?

The Guardian recently reported key claims that have been made by hackers in relation to driverless technology. One hacker states that they were able to take control of a passenger plane's systems. They claim to have been able to get as far as making a 'flight command' via the plane's entertainment system. In another of the reported claims, hackers accessed a driverless car's software during a planned test/research scenario allowing them to apply the brakes, kill the engine and take control of the steering, causing the vehicle to crash.

Commentators expect further examples of ransomware attacks on autonomous vehicles in the future. For example, cybercriminals hacking into an autonomous vehicle's software and then demanding an immediate ransom to release control of it, possibly by displaying a message when the ignition key is turned-'your car has been hacked. Pay x in order to get it back.'

How might the risk of hacking increase with the introduction of advanced driver assistance systems and again with fully automated systems?

The risk is that systems providing enhanced functionality, user experience and safety, such as advanced driver assist, provide would-be cybercriminals with greater opportunities and motivation for hacking into vehicles. Hackers will seek to target any weak point in cyber security. If key operational components of a driverless vehicle are all connected to other elements as one internal network there is a risk that hackers will use access to one component, which, if it is a minor one, may potentially be less secure, to then easily to hack into a vehicle's essential controls such as brakes or the engine. As referred to above, hackers have reported using access to entertainment systems as a means of accessing other systems within vehicles.

What steps are currently being taken to address the risk-both technical and regulatory?

In terms of what is being done already to address the risk of hacking, an important premise is that no system can ever be 100% 'hack-proof'. Instead, it is a case of adopting sensible principles and strategies to reduce risk. For example, although a mobile broadband service might be facilitated through a car's entertainment system, do the vehicle's operational controls have to be intrinsically linked to the entertainment system in order to enjoy wireless benefits? OEMs will no doubt already be looking at ways of keeping key components of the vehicle's system separate and/or unbundled from other potentially less secure elements.

Others in the industry have discussed the need to recognise that cyber-security solutions should have a number of defensive layers in order to protect against a failure at one level and to stop the advancement of an attack. Using multiple layers instead of just one means a hacker has to work much harder to get to the central control system. Then by ensuring these layers are as robust as possible, for example encrypting sensitive data, the likelihood of a hacker being successful is significantly reduced.

The General Data Protection Regulation (EU) 2016/679 is the result of four years of work by the EU to bring data protection legislation into line with the new ways that data is now used. Presently, the UK depends on the Data Protection Act 1998 but this will be overtaken by the new legislation. It not only introduces tougher fines for breaches but provides individuals with more say over what companies can do with their data. While this is reassuring from the perspective of a consumer's privacy, legislation alone cannot combat hacking. Indeed, it could even be argued that it is not the role of data protection legislation to catch criminals.

Legislation focused on governing Autonomous Vehicles and related technology is still in development. The Vehicle Technology and Aviation Bill (currently stalled in the House of Commons following the dissolution of Parliament but to be carried over to the new Parliament after the general election) deals largely with the insurance-focused aspects of driverless vehicles. It seems that in the area of cyber security the preference of OEMs seems to be guidelines rather than legislation.

What steps need to be taken in the future as the technology develops?

As technology develops, so do the potential 'tools' available to potential hackers, so trying to remain one step ahead of cybercriminals remains an ongoing challenge. However, a point made by industry experts is that while cybercriminals can have very different motivations, they are less likely to hack a driverless system unless there is something that can be obtained or procured for commercial gain, like for example personal banking details or data that can be put to further use.

An area of focus for OEMs is identifying innovative ways to incorporate further levels of security authentication that are more 'hacker-proof'.

This article was first published on Lexis®PSL TMT on 8 May 2017. Click for a free trial of Lexis®PSL.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.