
Security gurus get behind wheel of driverless car debate

Insured against malware?

Ken Munro, a director at security consultancy Pen Test Partners, who worked with colleagues to discover the recent high-profile Mitsubishi Outlander theft alarm hack and has previously uncovered other automotive security issues, offered El Reg a detailed critique of the UK government's consultation document.

For example, the assumption that much the same regime for handling insurance claims involving uninsured or unidentified drivers (extract below) could be carried over to autonomous cars may not be valid, because of the potential risk of malware infecting a range of connected self-driving cars.

The consultation document stated:

2.2 Our current motor vehicle insurance system works on the basis of motorists holding compulsory third party insurance to compensate victims of any collision, regardless of who is at fault; and when victims are injured by uninsured or untraced drivers, the Motor Insurers’ Bureau (MIB) steps in as insurer of last resort. The system is designed to ensure as far as possible that victims of road traffic accidents are compensated fairly and quickly.

Munro commented: "Let’s look at the possibility of a viral/worm attack (that could affect say a broad range of vehicles that share a component or OTA mechanism). Is it likely? I’m not sure, but the impact of such an attack would be systemic – not one car, but lots and lots of cars."

"I think the MIB would baulk at being the only insurer in the frame for a rash of claims. On a large scale (remember Sasser and the Love Bug) it could even be enough to break a big insurer. In fact the MIB would do well to consult their own members about such possibilities if they’re going to be who the buck stops with," he added.

The possibility of hacks that interfere with log data involving the switch between auto and manual mode also creates potential headaches, according to Munro. Section 2.7 of the consultation document stated:

While some manufacturers have offered to self-insure their automated vehicles while they operate in an automated mode, not all have. Without certainty of how claims will be handled, there is a risk of customer confusion, which could reduce the sale and use of automated vehicles.

"People are used to the current insurance model 'it’s mine, therefore I must insure it'," Munro commented. "As soon as you start complicating that by switching between autonomous and manual scenarios you’re giving attackers a foothold. If one could spoof vehicle telematics to give whatever scenario (autonomous or manual) at a given time you could always be on the 'right' side of a claim - 'No mate, it was in Auto mode, check the data'. Forget reduced sales, you’d be looking at insurance meltdown. This is not far-fetched – we’ve seen plenty of examples of third party telematics devices being the source of security flaws in vehicles."

Munro further argued that the UK government's consultation underestimated the possibility that autonomous cars might be hacked and the implications of this for car insurance.

2.8 Therefore, we believe there is sufficient justification to make a change to the insurance system before the first wave of automated vehicles come to market. We propose to make the minimum changes required to ensure clarity, to give victims easy access to compensation, and to give the market certainty without influencing or preventing different models being developed in the future.

Munro criticised assumptions inherent in this approach: "As soon as a system is hacked, and it will be, all clarity will go out the window and we might as well have an actual fight to decide whose insurance pays up."

Lastly, the IoT security expert argued that more provision should be made to allow injured parties to sue vehicle manufacturers in cases where autonomous vehicles develop faults or otherwise go wrong.

2.22 For example, if an accident occurred as a result of a defect with the vehicle we are proposing that both the driver and injured third parties will be given a right to pursue a claim directly against the driver’s insurer (even though the manufacturer rather than the driver was at fault). Similarly we are proposing that injured third parties will be given a direct right of action against the insurer where an accident results from a vehicle being hacked. In these circumstances the insurer would be able to then pursue the party at fault, or otherwise liable, to recover the costs of compensating the injured parties.

Munro said: "Why are they not proposing that the manufacturer of a defective vehicle is who the claim should be made against? If I get my hand chopped off because of a faulty electric carving knife I’m not going to try and claim against myself; it’s the manufacturer who should suck it up.

"Does this section mean that manufacturers are to be given a green light to provide flaky, insecure systems? 'It wasn’t us directly, it was a hacker, or a virus, so we’re untouchable'. Manufacturers should be first on the list of people to claim against in the event of a defect," he concluded.

The clock is ticking for the consultation. ®
