Electric-driven and fully autonomous mobility services have the potential to solve some of the world’s biggest transportation challenges. They are bound to revolutionize the automotive landscape, well beyond technological and environmental advantages.
Indeed, the global AV market is expected to grow exponentially in the coming years, with some researchers projecting a staggering 40% CAGR until 2030. AV innovations are being introduced at a rapid pace by many stakeholders, including OEMs, smart mobility and ride-sharing services providers, and large technology enterprises. Other manufacturers are not far behind. Autonomous fleets are gaining momentum, delivering unprecedented efficiencies and customer experiences, as demonstrated by many announcements made in recent months.
The benefits of autonomous vehicles are also expected to challenge traditional B2C revenue models (OEM-Dealership-Consumer). The associated cost and potential liabilities of autonomous vehicles will encourage the shift to B2B models, where vehicles are no longer owned by drivers but by fleet operators. This new operations model will not only change the way consumers use vehicles and public transportation, but also push other stakeholders to rethink their business models. For example, insurance companies are already in the process of shifting attention to B2B models and away from the traditional direct-to-consumer engagement.
Despite the tremendous value autonomous vehicles offer, the cyber risk is equally high. New sensor types, software and hardware functionalities, and communication types expose potential vulnerabilities, increasing the likelihood of a future cybersecurity attack. Autonomous vehicles are equipped with and rely upon navigation sensors (e.g., GPS, LIDAR, cameras, millimeter wave radar, IMU) that receive data and directions from multiple sources, including the internet and satellites. It is therefore possible for attackers to prevent a sensor from retrieving useful data, cause it to retrieve incorrect data, or manipulate the sensor's function through crafted data.
In March 2022, researchers at Duke University demonstrated the first attack strategy that can manipulate industry-standard autonomous vehicle sensors into believing nearby objects are closer (or further) than they appear without being detected. The new attack strategy was executed by shooting a laser gun into a car’s LIDAR sensor to add false data points to its perception. The research showed that 3D LIDAR data points, carefully placed within a certain area of a camera’s 2D field of view, can manipulate the system and alter its functionality.
In June 2022, an autonomous and electric robotaxi fleet, owned by a large technology enterprise, completed a critical checkpoint in robotaxi testing and rollout. The company demonstrated how vehicles can operate completely autonomously in an unstructured environment at human-plus safety levels. In the same month, another vendor’s robotaxis blocked traffic for hours in California. Though this incident was not caused by a cybersecurity attack, it highlights the potential challenges still ahead.
Though governments are taking initial steps to secure autonomous vehicles, the road to cybersecurity is still long
As governments around the world push forward this transformation and amid the rapid growth of software-defined vehicles, legislators and regulatory bodies are becoming more aware of cybersecurity risks to vehicles, infrastructure, and consumer privacy — and are starting to work on new regulations to address them. This also includes autonomous vehicle regulations. Road safety has been a major factor in driving new regulations, which may have a direct impact on cybersecurity.
In January 2022, the UNECE announced the strengthening of regulations on the emergency braking of commercial vehicles (UN Regulation No. 131). Designed to promote safety on motorways and in urban areas, the proposed revisions of UN Regulation No. 131 require heavy-duty AEBS to be able to prevent a rear-end in-lane collision with a preceding vehicle, and to respond effectively to pedestrian detection. The new provisions also restrict the conditions under which AEBS can be deactivated, requiring an automatic reactivation within 15 minutes. This revision of UN Regulation No. 131 may also give rise to cyber-based activities aimed at manipulating automatic emergency braking systems and deactivating them, bypassing the reactivation requirements. OEMs should consider monitoring to detect activation and deactivation anomalies on single vehicles as well as across entire fleets.
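The monitoring suggested above could look like the following sketch, an added example that is not from the original article or from any OEM's system. The telemetry format, vehicle IDs, "on"/"off" state names, and the fleet window and threshold are assumptions; only the 15-minute reactivation limit comes from the text.

```python
from datetime import datetime, timedelta

REACTIVATION_LIMIT = timedelta(minutes=15)  # limit stated in the UN R131 revision
FLEET_WINDOW = timedelta(minutes=5)         # assumption: burst window
FLEET_THRESHOLD = 3                         # assumption: vehicles per burst

# Constructed sample telemetry: (timestamp, vehicle_id, AEBS state)
SAMPLE_EVENTS = [
    ("2022-06-01T08:00:00", "truck-01", "off"),
    ("2022-06-01T08:10:00", "truck-01", "on"),
    ("2022-06-01T09:00:00", "truck-02", "off"),
    ("2022-06-01T09:40:00", "truck-02", "on"),
    ("2022-06-01T10:00:00", "truck-03", "off"),
    ("2022-06-01T10:01:00", "truck-04", "off"),
    ("2022-06-01T10:02:00", "truck-05", "off"),
    ("2022-06-01T10:05:00", "truck-03", "on"),
    ("2022-06-01T10:06:00", "truck-04", "on"),
]

def parse(events):
    return sorted((datetime.fromisoformat(ts), vid, st) for ts, vid, st in events)

def overdue_reactivations(events, now):
    """Single-vehicle check: AEBS stayed off longer than the limit."""
    off_since, findings = {}, {}
    for ts, vid, state in parse(events):
        if state == "off":
            off_since.setdefault(vid, ts)  # keep the first "off", ignore repeats
        elif vid in off_since:
            gap = ts - off_since.pop(vid)
            if gap > REACTIVATION_LIMIT:
                findings[vid] = gap
    for vid, start in off_since.items():  # still off at evaluation time
        if now - start > REACTIVATION_LIMIT:
            findings[vid] = now - start
    return findings

def fleet_bursts(events):
    """Fleet check: many distinct vehicles deactivating within one window."""
    offs = [(ts, vid) for ts, vid, st in parse(events) if st == "off"]
    bursts = []
    for i, (start, _) in enumerate(offs):
        vids = {v for t, v in offs[i:] if t - start <= FLEET_WINDOW}
        if len(vids) >= FLEET_THRESHOLD:
            bursts.append((start, sorted(vids)))
    return bursts

if __name__ == "__main__":
    print(overdue_reactivations(SAMPLE_EVENTS, datetime(2022, 6, 1, 11, 0)))
    print(fleet_bursts(SAMPLE_EVENTS))
```

A vehicle that never reports reactivation (truck-05 in the sample) is flagged once the evaluation time passes the limit, so silent telemetry loss after a deactivation is not treated as compliant.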
In Japan, the National Police Agency (NPA) announced its plans to incorporate Level 4 autonomous driving into traffic law in April 2023. The framework for the upcoming legislation was put in place in April 2022, when the Japanese government passed a bill that introduced new rules for next generation mobility.
The expansion of autonomous, connected vehicle data and privacy laws is inevitable. As regulations continue to evolve, different stakeholders including autonomous vehicle OEMs, off-road, farming and agriculture OEMs, fleet operators, insurance companies and other smart mobility players will need to adopt a proactive approach. With new revenue and mobility models in mind, we expect attention to shift to securing autonomous systems and ensuring passengers, pedestrians and public infrastructure are protected against cybersecurity exploits, among many other risks.