UK sets bar for hacker attacks on driverless car

The UK government has set new rules for driverless cars, urging testers to ensure vehicles are built to record and store critical data while fending off remote hackers.

The UK wants to be a leader in autonomous vehicle technology and, having permitted driverless car trials on public roads in February, has now released a new set of road rules for people behind the wheel of autonomous vehicles and companies manufacturing them.

The UK guidance comes as plans for Australia’s first driverless car trial were announced this week, with Telstra, Bosch and Volvo to take part at its proposed launch in South Australia in November. The UK code may offer food for thought to Australian lawmakers about the information security of vehicles ahead of the trial’s launch on public roads.

Under the code, which may shape future legislation on driverless cars in the UK, test drivers of autonomous vehicles are expected to behave as they would if they were driving a conventional vehicle: they won’t be exempt from rules against driving under the influence of drugs or alcohol and won’t be permitted to use their smartphones while driving.

Given that autonomous vehicles will likely encounter drivers who are not familiar with them, test drivers should also be “conscious of their appearance to other road users” and ensure the direction of their gaze matches what an oncoming driver would expect.

The code also offers vehicle manufacturers a taste of regulations that could materialise ahead of the commercialisation of driverless cars, which is expected in 2020.

Drivers must be able to manually override the autonomous vehicle at any time, according to the department. But to ensure this, it suggests vehicle and parts manufacturers “need to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.”

That requirement may be difficult to meet. The guidelines touch on issues that security researchers in the US have identified in conventional vehicles equipped with wireless networking capabilities. Charlie Miller and Chris Valasek, who have been researching remote attacks on new vehicles for several years, this week revealed to Wired a remote attack that cut off a Jeep Cherokee’s dashboard functions, steering, brakes, and transmission. The pair plan to reveal more details at the Black Hat conference in Las Vegas in August.

Two US senators on Tuesday filed a bill “to protect consumers from security and privacy threats to their motor vehicles”, dubbed the “SPY Car Act of 2015”, which calls for all vehicles sold in the US to be equipped with “reasonable measures to protect against hacking attacks” and to undergo penetration testing.

But the safety controls that the UK government wants for autonomous vehicles introduce new privacy challenges for vehicle manufacturers. The UK government wants organisations running driverless tests to fit vehicles with an equivalent of an aircraft’s black box, capable of capturing data from the sensor and control systems powering the vehicle, such as data on the state of the vehicle’s mode (automated or manual), speed, steering, braking, lights, indicators, horn, sensors that detect other objects, and “remote commands which may influence the vehicle’s movements”.

“This data should be able to be used to determine who or what was controlling the vehicle at the time of an incident. The data should be securely stored and should be provided to the relevant authorities upon request. It is expected that testing organisations will cooperate fully with the relevant authorities in the event of an investigation.”

However, as the department outlines, this will likely include personal data and will therefore be subject to the UK’s privacy laws.

“If data is collected and analysed about the behaviour or location of individuals in the vehicle, such as test drivers, operators and assistants, and those individuals can be identified, this will amount to the processing of personal data under the Data Protection Act 1998. The project team must therefore ensure that the data protection legislation is complied with, including the requirements that the personal data is used fairly and lawfully, kept securely and for no longer than necessary.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
