Intel joins forces with the University of Luxembourg's Centre for Security, Reliability and Trust (SnT) in securing autonomous cars. From left to right: Dr. Marcus Völp, Dr. David Kozhaya and Professor Paulo Esteves-Veríssimo of SnT's Critical and Extreme Security and Dependability Research Group (CritiX). (Credit: University of Luxembourg)

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Any driver who has lost control of their car for any reason knows how dangerous and terrifying the experience can be, and how quickly one must act to regain control and avoid a crash. In the past, environmental factors such as ice on the road may have caused such incidents, and in some cases, mechanical problems such as faulty brakes may have been the culprit.

But now, in an increasingly connected world, where autonomous self-driving vehicles could one day become a part of a widespread, cooperative ecosystem that pervades everyday life, passengers of these vehicles will have more to worry about than just the weather and parts in need of repair. Hackers could exploit vulnerabilities in the system that connects the cars not only to the internet, but also to other cars and parts of the interconnected ecosystem, manipulating the actions of these large, fast machines with potentially deadly consequences.

It is no surprise then that cybersecurity for autonomous, connected vehicles has become an area of high priority for researchers, such as those at University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT), who recently signed a partnership agreement with Intel’s Collaborative Research Institute for Collaborative Autonomous & Resilient Systems (ICRI-CARS). Through the partnership, SnT’s Critical and Extreme Security and Dependability Research Group (CritiX), led by Prof. Paulo Esteves-Veríssimo, will seek better solutions to ensure autonomous vehicles can be resilient to potential cyberattacks as their connectedness and vulnerability simultaneously increase.  

“What has changed in the last few years is that more and more traditional hard- and software companies realized that [autonomous] cars are actually computer systems with sensors and actuators,” Dr. Marcus Völp, a member of the CritiX team, said in a statement to Forensic Magazine. “My fear is that most of them continue to believe that they are safe from highly skilled hackers and that the technologies they apply in computer systems are sufficient to secure cars.”

Völp said that while securing autonomous cars may not be much different from securing a traditional computer or mobile device, the situation for connected vehicles is inherently different due to the potential for physical damage caused by hackers sending manipulative signals to cars’ sensors, among other malicious strategies. The zero-day exploits and vulnerabilities present in other forms of software and hardware cannot be ignored or forgotten while working to secure these vehicles.

This is why the researchers, instead of assuming any amount of security would be sufficient to prevent infiltration, take the approach of assuming a breach could occur and training the vehicles to “self-heal” and properly brace for an attack so they can quickly regain control before the worst damage is done.

“Our background is in Byzantine Fault and Intrusion Tolerant Systems, an alternative take to security, where we admit that computer systems can be attacked successfully, but continue to work correctly, even if some of the critical software components are controlled by adversaries,” Völp explained. “It was therefore not difficult to see that autonomous vehicles and more so, cooperative vehicles, with their huge and complex software stacks, need some form of automatic real-time response to attacks, and self-healing capabilities (you cannot carry a system security officer in the trunk of each car…)”

Völp further explained that adding several layers of resilience to the system could prevent disaster even if a hacker manages to peel one layer away. He gave the analogy of three drivers steering a car together, in which only one wants to steer the wrong way and crash the car. Because the other two—the majority—still want to steer in the right direction, the car will stay on track. In a real life scenario, a car could maintain control even as an attack is taking place, giving it as much time as possible to fight off the attack and resolve the damage with the self-healing capabilities that the CritiX team is still working to develop and perfect.

“As autonomous cars are rolled out significantly, we are bound to see more security incidents and accidents, probably the first glimpses of cyberterrorism (which fortunately we haven't known so far), as our already semi-autonomous vehicles become soft targets that can be compromised in the millions,” Völp stated. “It was therefore a pleasant surprise when Intel took up this challenge and asked all the difficult questions about how autonomous and cooperative vehicles can be automatically secured against faults but also attacks, timely and in an unattended manner, and during periods of long-term autonomy.”