A new report by the European Union Agency for Cybersecurity (ENISA) finds that self-driving vehicles are vulnerable to hacking because of the advanced computers they contain. The hacks could be dangerous for passengers, pedestrians, and other people on the road. Fortunately, cars aren’t yet being hijacked off the streets by hackers.  “The good news is most of the attacks we have seen are in a lab or controlled conditions,” Vyas Sekar, assistant professor of electrical and computer engineering at Carnegie Mellon’s College of Engineering, who was not involved in the study, said in an email interview. “We haven’t seen large-scale exploits or breaches in the wild just yet.”

Car Hackers’ Paradise

The ENISA report found that automakers should guard against a range of attacks, including sensor attacks with beams of light, overwhelming object detection systems, back-end malicious activity, and adversarial machine learning attacks.  Autonomous cars could be attacked by artificial intelligence systems that could damage the automobiles in ways that humans would find hard to detect, the report says. To prevent such attacks, carmakers will have to continually review the software in self-driving cars to make sure it hasn’t been altered. According to the report’s authors, sensors and artificial intelligence used by self-driving cars to navigate make them more vulnerable to hacks. “The attack might be used to make the AI ‘blind’ for pedestrians by manipulating, for instance, the image recognition component in order to misclassify pedestrians,” the authors write in the report. “This could lead to havoc on the streets, as autonomous cars may hit pedestrians on the road or crosswalks.” Experts say the threat of attacks is real, even for the semi-autonomous cars driving on the road today. Cybersecurity company McAfee demonstrated it could confuse the autonomous driving system on a Tesla with minor modifications to speed limit signs. “In today’s world, a driver would likely recognize the car’s error as it quickly sped up to an incorrect speed setting and take over control,” Steve Povolny, head of McAfee Advanced Threat Research, said in an email interview. “However, if the driver is eventually sitting in the backseat reading an article on their smartphone, the implication to a driver and human life is much greater, and could easily result in devastating consequences.”

Many New Cars Can Be Hacked

Even cars that aren’t autonomous are becoming more vulnerable to hacking. Modern vehicles are more hackable than many older generations because they have features like Bluetooth, infotainment, remote monitoring, and cellular connections linking them to the outside world much more, Sekar said. The new technologies incorporated into late-model cars means the “attack surface” has increased, and the “threat model has changed,” he added. “Vendors who previously thought the networks/Electronic Control Units or ECUs (components inside the car) were not ‘reachable’ have to rethink their security story.” But modern cars that aren’t attached to a network are reasonably safe from hackers, Brandon Hoffman, chief information security officer at cybersecurity firm Netenrich, said in an email interview. Without an internet connection, a hacker would need to have physical access to a car or be very close to one. “This would limit the interest from adversaries to highly targeted attacks by expert attackers,” Hoffman said. Despite the ENISA report and demonstrations that cars can be hacked, the average user doesn’t have much to worry about, Robert Lowry, vice president of security at Bumper, a vehicle marketplace and history search site, said in an email interview.  “We won’t really know what additional risks autonomous vehicles may present until fully autonomous modes are readily available,” he said. “The reality is that these features prevent more accidents than they cause due to hacking.”