Tesla and the vulnerability of autonomous vehicles
Your engine warning light has come on, and you’ve taken your car to the local garage. What is the first thing the mechanic will do? Lift the bonnet and look at the engine? Start the engine and listen for any audible signs of a problem? Odds are that the first thing your mechanic will do will be to plug a laptop into your car’s on-board diagnostic port and check for the fault that way.
It is a sign of the times that mechanics are increasingly requiring IT skills and that our cars are essentially mobile computers with wheels and an engine, containing such technology that makes them unrecognisable from the cars we drove only a decade ago. Motor vehicles truly have come along way, and with the dawn of the autonomous vehicle on the horizon, there is clearly more change to come.
The analogy of a car being a mobile computer requires careful consideration. If our cars are indeed mobile computers, does this mean we need to install antivirus protection on our cars, can our personal data be stolen from our cars, and more worryingly, can our cars be compromised? The issue of cyber security in the context of a car has never been more important than it is now.
In the last few weeks there have been reports in the press of a team of hackers from a Chinese security company taking control of a Tesla Model S remotely from a distance of 12 miles away. They were able to access the cars controller area network (also known as the Can bus), which connects a modern vehicle’s systems. The hackers were initially able to take control of the indicators, windscreen wipers, dashboard display units, they could open doors and the boot whilst the car was in motion, and move seats backwords and forwards. Alarmingly, they were also even able to overcome Tesla’s “gateway” system and gain control of the cars safety critical driving systems, enabling them to control the brakes adding a more sinister dimension to the hack.
In this particular case, Tesla were fortunate, as this was a so called ‘ethical hack’ where the hackers were looking for holes in the IT security system of the car and immediately reported their findings to Tesla. To Tesla’s credit, they acted immediately and issued a software update over the air to their vehicles to address the issue whilst taking immediate steps to inform their customers of the security breach.
It’s not just Tesla that has fallen foul of cyber security. There are anecdotal reports of a mainstream manufacturer neglecting to take sufficient security precautions with their over the air software update system. It is reported that this manufacturer used http protocol as opposed to the more secure https protocol leaving their vehicles computer systems unsecured and ripe for attack.
In February last year, BMW responded to reports of a security flaw, which potentially allowed hackers to unlock some of its vehicles, with an over the air security patch, in much the same way Tesla did.
These incidents have served to highlight weaknesses which if exploited by an individual or group with malevolent intent, are particularly chilling. There are already many examples in criminal law of cars being used as weapons. If ‘ethical hackers’ are able to control the brakes and steering of a vehicle, what sort of carnage could a hacker with a sinister motive achieve?
In a world where our cars are connecting over the air with manufacturers and other third parties, they are vulnerable to the same cyber attacks as our home computers. Throw into the mix that our cars’ computer systems control almost every safety critical function and that vehicles with increasingly autonomous features are handing more and more control to the computers. It is not difficult to envisage hackers causing a multi vehicle accident by hijacking the connected cars.
It is well known that viruses are capable of migrating from one computer. This multiplies the risk when you consider that fully autonomous vehicles and those with more advanced driver assistance systems will need to communicate with smart roadside furniture to optimise journey times and establish safe operation of an autonomous road network.
There is no doubt that manufacturers are taking their security obligations seriously, evidenced by the speed with which both Tesla and BMW issued software updates to patch the holes in their systems. Indeed, consumer confidence in fledgling autonomous technologies would be seriously eroded if such prompt action was not taken.
The Tesla incident, in particular, raises a number of interesting legal questions; firstly is the manufacturer responsible for keeping its vehicle systems secure and is the manufacturer liable if they don’t. Alternatively, is the consumer responsible for ensuring their security systems are up to date much as they are with their own computers and smart phones? Secondly, who is liable in the event of a hack; and how do we access sufficient information to establish what actually happened?
Volvo has said they will accept liability for accidents where their autonomous systems are at fault, but others have not. Will this extend to a fault caused by a hack which could have been preventable had the manufacturer kept its security system up to date?
There is undoubtedly a burden on manufacturers to ensure that their vehicles are secure, but some responsibility is also likely to pass to the consumer at the point of sale. Ultimately, it is not difficult to imagine a situation whereby liability could rest with the consumer, the manufacturer, the software programmer or a combination thereof.
Whilst motor insurers may view a hack as similar to the theft of a vehicle, such incidents could see insurers looking to recover monies paid out in the event of a party failing to maintain adequate security systems on the car. This could well erode consumer confidence, and impact sales. It is perhaps worth noting that insurers are likely to exclude liability for a terrorist incident; a concern recently raised in the Department for Transport’s recent consultation.
However, the determination of liability in such a situation will be extremely complex and the data collected by the autonomous vehicle itself will prove to be crucial in understanding exactly what caused a car to malfunction, or what allowed the car to be hacked.
Manufacturers already receive data through connected devices installed into their cars and this data will be need to be shared and scrutinised to understand the cause of breach of a car’s security systems (and for that matter in determining the cause of an accident). Some manufacturers already understand the importance that data will make in the determination of liability, Tesla for example immediately released the data collected by their vehicle to assist regulators, insurers, and other interested parties to understand just what the caused the hacking incident.
Parking the privacy, data protection and intellectual property issues which are not insurmountable hurdles to data sharing, without access to the data collated by automotive systems, manufacturers, software developers, consumers, and their insurers have little hope of being able to understand the cause of a hacking incident and the determination of liability could be almost impossible. Not only could a failure to share this data impede an understanding of the cause of an incident, but it could impede the development of new security systems and thus compromise the security of our connected cars. Such a gap in security could have a catastrophic impact on society and road safety.
Cyber security is therefore an issue of paramount importance for the manufacturing industry and must continue to be a fundamental component of autonomous vehicle research and development. Manufacturers, software developers, consumers, and insurers must also work together to facilitate cost effective access to the data collated to allow everyone involved to accurately and quickly determine liability.
Kurt Rowe, Emerson Wallwork, and Chris Ball are members of the Motor Technology Group at national law firm Weightmans LLP
Follow @ManufacturingGL and @NellWalkerMG
Siemens: Providing the First Industrial 5G Router
Across a number of industry sectors, there’s a growing need for both local wireless connectivity and remote access to machines and plants. In both of these cases, communication is, more often than not, over a long distance. Public wireless data networks can be used to enable this connectivity, both nationally and internationally, which makes the new 5G network mainframe an absolutely vital element of remote access and remote servicing solutions as we move into the interconnected age.
Siemens Enables 5G IIoT
The eagerly awaited Scalance MUM856-1, Siemens’ very first industrial 5G router, is officially available to organisations. The device has the ability to connect all local industrial applications to the public 5G, 4G (LTE), and 3G (UMTS) mobile wireless networks ─ allowing companies to embrace the long-awaited Industrial Internet of Things (IIoT).
The router can be used to remotely monitor and service plants, machines, as well as control elements and other industrial devices via a public 5G network ─ flexibly and with high data rates. Something that has been in incredibly high demand after being teased by the leading network providers for years.
Scalance MUM856-1 at a Glance
- Scalance MUM856-1 connects local industrial applications to public 5G, 4G, and 3G mobile wireless networks
- The router supports future-oriented applications such as remote access via public 5G networks or the connection of mobile devices such as automated guided vehicles in industry
- A robust version in IP65 housing for use outside the control cabinet
- Prototypes of Siemens 5G infrastructure for private networks already in use at several sites
“To ensure the powerful connection of Ethernet-based subnetworks and automation devices, the Scalance MUM856-1 supports Release 15 of the 5G standard. The device offers high bandwidths of up to 1000 Mbps for the downlink and up to 500 Mbps for the uplink – providing high data rates for data-intensive applications such as the remote implementation of firmware updates. Thanks to IPv6 support, the devices can also be implemented in modern communication networks.
Various security functions are included to monitor data traffic and protect against unauthorised access: for example, an integrated firewall and authentication of communication devices and encryption of data transmission via VPN. If there is no available 5G network, the device switches automatically to 4G or 3G networks. The first release version of the router has an EU radio license; other versions with different licenses are in preparation. With the Sinema Remote Connect management platform for VPN connections, users can access remote plants or machines easily and securely – even if they are integrated in other networks. The software also offers easy management and autoconfiguration of the devices,” Siemens said.
Preparing for a 5G-oriented Future
Siemens has announced that the new router can also be integrated into private 5G networks. This means that the Scalance MUM856-1 is, essentially, future-proofed when it comes to 5G adaptability; it supports future-oriented applications, including ‘mobile robots in manufacturing, autonomous vehicles in logistics or augmented reality applications for service technicians.’
And, for use on sites where conditions are a little harsher, Siemens has given the router robust IP65 housing ─ it’s “dust tight”, waterproof, and immersion-proofed.
The first release version of the router has an EU radio license; other versions with different licenses are in preparation. “With the Sinema Remote Connect management platform for VPN connections, users can access remote plants or machines easily and securely – even if they are integrated in other networks. The software also offers easy management and auto-configuration of the devices,” Siemens added.