I have recently been researching the future of transportation and mapping out the potential attack surface associated with the systems and technologies that will most likely be used to deliver these capabilities. Some of these technologies are already with us, albeit in an embryonic form, so I wanted to mention a few of them to highlight some of the cyber attacks that may be mounted against them.
Driverless vechicles are increasing on a global scale, with autonomous pods cropping up all over the UK -- from Heathrow Airport, to Milton Keynes and Cambridge. In Dubai they are even trialing autonomous two-person helicopter taxis and Hyperloop One super-high-speed magnetic levitation capsules. In addition, all of the major vehicle manufacturers are now developing their own autonomous vehicle technologies. Driverless vehicles are highly reliant upon wireless sensor technologies such as Radar, Lidar, ultrasonic and camera systems to act as eyes and ears and provide data that can be processed by a sensor fusion processing unit, which is analogous to a brain. The decision-making process is handled with machine learning which is used to achieve artificial intelligence.
A great deal of research is currently being conducted into understanding the impact of attacks against vehicle sensors, such as confusing a radar to think an object is blocking the road when no object actually exists, or making real objects invisible to radar. Another approach being investigated is known as adversarial machine learning, which put simply is vehicle "brainwashing," or causing a vehicle in learning mode to learn incorrect information. This means that when it needs to make a decision in future based on what it has learned, it makes the wrong decision, with a potential impact upon passenger or pedestrian safety.
Vehicle-to-vehicle (V2V) communications
There have been many trials around the world into the use of V2V communications for use cases including truck platooning (which can save fuel), and communicating information about hazards to other vehicles further behind on the same road. However, two major challenges associated with V2V are standardization (the system is only useful if all the vehicles are "talking the same language") and data privacy concerns.
V2V technology broadcasts what are known as Basic Safety Messages (BSM), which contain, amongst other things, the vehicle's location, speed and direction. Unauthorized access to this data is of obvious concern and, therefore, needs to be appropriately protected from attackers.
In recent years electronic ticketing has become the norm for train and bus journeys in many countries. However, a further enhancement, which would completely remove the need for ticket barriers, would be a completely ticketless system where an app on your smartphone would collect your travel fee based on geolocation. As you enter a train station the app would know at which station your journey started and then calculate the travel costs based on the location of the station at which you exit.
Current geolocation techniques are primarily based on GPS (Global Positioning System), which relies upon your smartphone receiving signals from at least four GPS satellites in order to calculate an accurate position. However, the entire GPS satellite constellation can easily be spoofed using free open source software and a software-defined radio, a piece of hardware costing only a few hundred pounds. It is therefore critical that the designers of these systems use multiple sources of location data (such as the location of the nearest cellular basestation taken from mobile communications data) to compare against to ensure that thieves are not trying to trick the app into charging less for a journey.
Tech is revolutionizing how we get around, from our cars to public transport. (Image: iStock)
Predictive maintenance drones
Unmanned Aerial Vehicles (UAVs), more commonly known as drones, are already used by various industries, such as offshore oil platforms and railway infrastructure, for inspection and preventative maintenance. It is anticipated that in the future not only will many other sectors start using them for similar purposes, but they will also become autonomous rather than requiring a pilot to manually control them.
One concern from a cyber perspective is the security of the video data being streamed from the drone, as this could be used by criminals to gain visibility of sensitive areas of buildings during the planning of robberies or by terrorists planning an attack.
Electronic cargo tagging
The amount of freight that can be transported by modern ships and trains has increased significantly in recent years and therefore the ability to track what cargo is located in each of the shipping containers is vital. The use of electronic tagging means that cargo handling systems can scan containers wirelessly to confirm which container needs to be routed in which direction at a port.
The convenience of this system can also be abused by attackers, with key incidents being reported. Pirates used hacked information from a global shipping company's Cargo Management System to pinpoint high-value goods in specific shipping containers when they boarded vessels by using a hand-held scanner to identify which containers to target.
With all of these transport technology applications there are cybersecurity risks that need to be considered by systems designers, developers and integrators as early as possible in the engineering process. Security that has been built in from the design stage onwards always provides a greater degree of assurance than bolt-on solutions, which are never as effective and can often be expensive to implement.
To hear more about the importance of cybersecurity assurance activities such as design reviews, threat modelling and vehicle penetration testing please come along to Andy's two talks at Smart Transportation and Mobility, part of TechXLR8 2018 (June 12-14, ExCeL, London):
Creative cyber security assessment of autonomous vehicle systems on June 13 at 3:15 p.m.
Full vehicle testing - how to assess the attack surface of a connected car on June 14 at 2:00 p.m.
— Andy Davis, Transport Assurance Practice Director, NCC Group