UK sets bar for hacker attacks on driverless car

The UK government has set new rules for driverless cars, urging testers to ensure vehicles are built to record and store critical data while fending off remote hackers.

The UK wants to be a leader in autonomous vehicle technology and, having permitted driverless car trials on public roads in February, has now released a new set of road rules for people behind the wheel of autonomous vehicles and companies manufacturing them.

The UK guidance comes as plans for Australia’s first driverless car trial were announced this week, with Telstra, Bosch and Volvo to take part at its proposed launch in South Australia in November. The UK code may offer food for thought to Australian lawmakers about the information security of vehicles ahead of its launch on public roads.

Under the code, which may shape future legislation on driverless cars in the UK, test drivers of autonomous vehicles are expected to behave as they would if they were driving a conventional vehicle: they won’t be exempt from rules against driving under the influence of drugs or alcohol and won’t be permitted to use their smartphones while driving.

Given that autonomous vehicles will likely encounter drivers who are not familiar with them, test drivers should also be “conscious of their appearance to other road users” and ensure the direction of their gaze matches what an oncoming driver would expect.

The code also offers vehicle manufacturers a taste of regulations that could materialise ahead of the commercialisation of driverless cars, which is expected in 2020.

Drivers must be able to manually override the autonomous vehicle at any time, according to the department. But to ensure this it suggests vehicle and parts manufacturers “need to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.”

That requirement may be difficult to meet. The guidelines touch on issues that security researchers in the US have identified in conventional vehicles equipped with wireless networking capabilities. Charlie Miller and Chris Valasek, who have been researching remote attacks on new vehicles for several years, this week revealed to Wired a remote attack that cut off a Jeep Cherokee’s dashboard functions, steering, brakes, and transmission. The pair plan to reveal more details at the Black Hat conference in Las Vegas in August.

Two US senators on Tuesday filed a bill “to protect consumers from security and privacy threats to their motor vehicles” dubbed the “SPY Car Act of 2015”, which calls for all vehicles sold in the US to be equipped with “reasonable measures to protect against hacking attacks” and that vehicles undergo penetration testing.

But the safety controls that the UK government wants for autonomous vehicles introduce new privacy challenges for vehicle manufacturers. The UK government wants organisations running driverless tests to fit vehicles with an equivalent of an aircraft’s blackbox, capable of capturing data from the sensor and control systems powering the vehicle, such as data on the state of the vehicle’s mode (automated or manual), speed, steering, braking, lights, indicators, horn, sensors that detect other objects, and “remote commands which may influence the vehicle’s movements”.

“This data should be able to be used to determine who or what was controlling the vehicle at the time of an incident. The data should be securely stored and should be provided to the relevant authorities upon request. It is expected that testing organisations will cooperate fully with the relevant authorities in the event of an investigation.”

However, as the department outlines, this will likely include personal data and will therefore be subject to the UK’s privacy laws.

“If data is collected and analysed about the behaviour or location of individuals in the vehicle, such as test drivers, operators and assistants, and those individuals can be identified, this will amount to the processing of personal data under the Data Protection Act 1998. The project team must therefore ensure that the data protection legislation is complied with, including the requirements that the personal data is used fairly and lawfully, kept securely and for no longer than necessary.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
