Electric and connected, therefore (partially) autonomous and (potentially) intelligent. It is the new paradigm of the car: no longer just a vehicle, but an IT platform for mobility. It begins to show us the possibilities but also the risks that so much innovation brings, starting with the new issues for driving, cybersecurity and privacy, which it is time to take seriously.
A fully electric, non-hybrid car (BEV, Battery Electric Vehicle) contains up to 100 times as many chips as a conventional car, approximately 5,000 against 50. The main functionalities of the BEV, even the mechanical ones typical of an ICE (Internal Combustion Engine) vehicle, are entrusted to electronics and it is no coincidence that the first self-driving cars are and will be electric ones.
For everything to work properly, an operating system is needed, and it must be connected to the Internet. This makes these smart vehicles similar to devices, bound to continuous updates and able to know their owners down to the smallest detail, thanks to the data these owners provide when using them. If reckless use of a smartphone can already cause considerable damage, what could we do with a car?
1. Access: from car theft to hacking
The greatest risk we can imagine for our car today is theft. Tomorrow, it could be hacked like a PC, with similar or, paradoxically, greater damage. A hacker could exploit vulnerabilities in the software to open the car and steal it without the need for a break-in, or manipulate the communication systems to control it remotely, sabotaging certain functionalities, from brakes to airbags, and causing it to break down. It is a short step from here to blackmail: “Pay me and I'll unlock your car.” This is the latest frontier of ransomware. And what about phishing? “Try this incredible update to cut your battery consumption by 50 per cent.” A careless click follows, and a virus infects the operating system, stealing data. Malicious activities such as identity theft or financial fraud may also take place in our garages, with significant privacy implications.
2. Data: if privacy breaks down
A smartphone knows whether we are at home or in the office. It knows how many steps we take. It also knows whether we are walking or running. Why should it be any different for a car that is also a device? Continuous GPS tracking could compromise privacy if it is monitored without authorisation. It would reveal our driving style, aspects of our routine and the destinations we travel to. This is information that an authority could use to control us and a hacker to blackmail us. Not to mention the telephone and other conversations we have inside our vehicles. It is a further challenge for privacy protection, one that requires collaboration between the automotive industry, regulators and the cybersecurity expert community. Only a joint approach will ensure that e-mobility is not only efficient and sustainable, but also safe for all.
3. Connection: ‘bumper cars’ not for fun
New generation cars, in particular self-driving cars, are connected to each other and will be increasingly so (V2V, vehicle to vehicle). Direct communication between vehicles is crucial in order to eventually have coordinated traffic and safe roads, but if not managed properly it carries risks. Manipulation of the information exchanged could lead vehicles to behave unpredictably and increase the risk of accidents: if one car communicates that it is braking, the neighbouring car will also brake, but if the message is not true, a pile-up will follow. The autopilot systems themselves could also be attacked, compromising their ability to make safe decisions or causing them to perform reckless manoeuvres such as sudden acceleration or steering. In order to function, these systems must also exchange information with other objects (V2X, vehicle to everything), which could in turn be targeted by malware. Think of the impact that hacked road signalling devices and infrastructure, such as traffic lights or level crossings, would have on traffic.
4. Update: the truth under the bonnet
An electric and connected car can independently install OTA (Over The Air) updates like a smartphone, without user or service centre intervention. They serve to improve battery life, navigation systems and safety mechanisms, such as the so-called Advanced Driver Assistance Systems (ADAS), sensors and software aimed at accident prevention.
Autonomous Emergency Braking (AEB), the driver fatigue detector, the Driver Monitor System (DMS), the black box that records vehicle information, the ELKA (Emergency Lane Keeping Assist) lane keeping system and the reversing camera: all these Advanced Driver Assistance Systems have been mandatory since 2022 for newly certified vehicles in the European Union. And they are, in fact, the foundation of self-driving cars.
The direction in which the industry and legislation are heading is clear, and it is crucial that all these OTA updates and operating systems are protected by proper encryption. Otherwise, they would be exposed to attacks, with the danger of losing their integrity through a malicious update that grants unauthorised access to the vehicle or compromises the security of the software, creating a further danger to road safety.
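The check that stops a malicious update is authentication of the package before installation, since encryption alone only keeps its contents confidential. The sketch below is an added example, not code from the article or from any vehicle manufacturer: the manifest fields, function names and key are assumptions, and HMAC-SHA256 with a shared key stands in for the asymmetric signature a production system would use, so that the example needs only the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real vehicle would hold only a vendor
# public key in protected storage and verify an asymmetric signature.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Backend side: authenticate the canonical JSON form of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, image: bytes,
                  installed_version: int, key: bytes) -> str:
    """Vehicle side: return "install" or the reason the update is rejected."""
    # 1. Authenticate the manifest before trusting any field inside it.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return "reject: manifest not authentic"
    # 2. Bind the downloaded image to the authenticated manifest.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return "reject: image hash mismatch"
    # 3. Refuse rollback to an older, possibly vulnerable, release.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return "reject: version not newer"
    return "install"


# Constructed sample update for a hypothetical "adas" component.
IMAGE = b"constructed firmware image bytes"
MANIFEST = {"component": "adas", "version": 7,
            "sha256": hashlib.sha256(IMAGE).hexdigest()}
TAG = sign_manifest(MANIFEST, DEMO_KEY)

if __name__ == "__main__":
    print(verify_update(MANIFEST, TAG, IMAGE, 6, DEMO_KEY))
    print(verify_update(MANIFEST, TAG, IMAGE + b"!", 6, DEMO_KEY))
    print(verify_update(dict(MANIFEST, version=9), TAG, IMAGE, 6, DEMO_KEY))
    print(verify_update(MANIFEST, TAG, IMAGE, 7, DEMO_KEY))
```

The order of the checks matters: the manifest is authenticated first, so the hash and version it carries can be trusted when the image and the rollback condition are evaluated.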
5. Blackout: end of the race
The increasing dependence on digital infrastructures also exposes connected mobility to risks from service interruptions. Without power, electric vehicles would stop moving. Without the Internet, they would not be able to communicate with each other and with the road infrastructure (V2I, vehicle to infrastructure), inhibiting safety systems based on connectivity. The absence of data exchange would increase the risk of accidents and put traffic management in crisis: with difficulties in interpreting the surroundings or with real service disruptions, autonomous driving would be nothing more than a science fiction memory. Managing such blackout scenarios requires not only a robust IT security infrastructure, but also contingency strategies and security protocols to ensure that vehicles remain operational in critical situations and the safety of users is not jeopardised.