Fintech Finance presents: The Insurtech Magazine Issue 03

Page 4

INSURTECH: DRIVERLESS CARS

Hackseatdriver

Hack driver Alissa Knight’s new book is a how-to guide for hacking autonomous cars. Why? Because everyone should know where the weak spots are… including insurers

Successfully navigating the UK’s main north/south highway any day of the week is stressful enough. So it was probably just as well no one knew they were sharing their lane with two driverless cars at the start of this year.

Part of the government-backed HumanDrive project to accelerate development of autonomous vehicles, the 230-mile road trip went off uneventfully; but the implications are profound. The longest test drive ever undertaken in the UK, it challenged the cars – both Nissan electric vehicles (EVs) – to negotiate unmarked, high-speed country lanes, complex junctions, roundabouts, and motorways; the onboard system making its own judgments on speed, positioning, changing lanes, merging, stopping and starting. The only time the passengers – both engineers on the project – intervened was when they pulled in for a quick coffee and a recharge.

If you’re rubbish at parallel parking, you collect traffic tickets like other people collect stamps and you’re the kind of driver who can’t wait to flick on the speed limiter, then being able to delegate your daily commute to a supercomputer on wheels probably sounds very appealing – although at around £170k, the cost of such vehicles is likely to be beyond the reach of mere mortals for some time.

If, on the other hand, the moment when Charlize Theron steered hundreds of hacked cars remotely down 7th Avenue in 2017’s The Fate Of The Furious (as in Fast And…) left you with a queasy feeling about our future transport plans, you’re not alone. While governments and insurers have been quick to point out the environmental, cost-saving and even life-saving benefits of autonomous technology – around 28,000 people a year are killed or seriously injured on Britain’s roads and 95 per cent of those incidents are caused by human error, according to the Royal Society for the Prevention of Accidents – there are others who believe we’re jumping a glaring red light.

Alissa Knight is one of them. A self-described ‘recovering hacker’, she’s used her inside knowledge of the vulnerability of connected devices to build a career advising challenger brands and market leaders on cybersecurity. She points out that most cars released after 2011 share the same communication network as your mobile phone or tablet – a standard called the Global System for Mobile Communications, or GSM.

“If you think about it, cars today are pretty much like cell phones on wheels, so original equipment manufacturers can communicate with them and push what’s called OTA, or over-the-air updates – which opens up a potential attack vector for these cars,” says Knight. “If you can communicate with a car over GSM, you can theoretically do it from anywhere. Being able to take remote control of a vehicle over GSM, or in close proximity over Wi-Fi, is becoming easier and easier to do. We’re making it possible to be able to connect with them, and with that connectivity comes vulnerability.”

A thief, in theory, could already hack your security system to steal your car; if you know what you’re looking for, the hardware to instigate a replay attack can be picked up for $20 on eBay. But combine that capability with a vehicle that can think for itself and you’ve potentially got an army of robotic devices that can be mobilised remotely to cause havoc and create panic on our streets.

Smart city transportation systems built on the Internet of Things and plugged into V2X, or vehicle-to-infrastructure, communication systems, could similarly be hacked, creating the spectre of ‘spam jams’ and potential collisions. In every case, the question of where liability rests – the vehicle owner, manufacturer, civic authority, etc – will come to haunt whichever insurer picks up the claim.

Knight’s argument – which she brings home forcibly in her new book Hacking Connected Cars: Tactics, Techniques And Procedures – is that tomorrow’s passengers of driverless cars (and the pedestrians and other road users who share their environment) are being asked to trust – with their lives – that manufacturers will have tested the 1.2 billion lines of code in every autonomous EV sufficiently to know there are no potential security flaws. And, as a professional penetration tester herself, who somewhat shockingly revealed at Money20/20 USA that she had (legitimately) downloaded 30 leading financial services apps and managed to reverse engineer them, she says that’s just not happening.

“The problem is, unlike with home Wi-Fi, you can’t just go to Best Buy and pick up a wireless firewall to protect your home network. It’s one thing if I were to compromise your web server and deface your website; it’s another if you and your family are in your car and I drive it into a wall. Unfortunately, there’s really nothing that the average consumer can do, except ask different questions when shopping for a car, like ‘has this car been penetration tested? Does this car have ECU firewalls in it? Is the infotainment system connected to the CAN bus so if my car were to get hacked, they can’t jump to the steering column?’. It’s those kinds of questions we need to ask as a society and hold manufacturers’ feet to the fire, and say ‘hey, are you thinking about these things?’. But the responsibility isn’t on the consumer to address this,” continues Knight, “it’s on the manufacturer and Tier 1 suppliers to make sure that when they put out a request for a proposal, it contains language like ‘if we’re going to award you this contract, you need to produce a penetration test report.
