Security Concerns in Vehicle Networks Mirror Those in Computer Networks
Traffic fatalities in the United States were 143 per one million people in 2006, compared to 93 per million in Europe. While fatalities have since fallen in both the United States and Europe, government and private industry continue to look into ways to improve traffic safety. An emerging standard, IEEE 802.11p, is one communication method to be used in networks between mobile vehicles, including aircraft and automobiles. Vehicle networks, often referred to as an intelligent transportation system (ITS), promise to improve vehicle safety as well as lower costs in terms of reduced travel time and fuel consumption by allowing vehicles and their operators to exchange traffic, speed, and weather information to allow better awareness and assist operators in decision making.
Some security researchers presenting at Black Hat DC 2011 have leveled concerns against the implementation of ITS as a potential attack vector against physical systems. Insecure deployment of an ITS could allow attackers to gain access to information within the system or deliberately sabotage system functionality. However, because there are no real-world deployments, the threat remains potential rather than real.
Even so, the possibility for vulnerabilities still exists in future deployments of vehicle networks. By its very nature, such a network has many points of contact, with greater accessibility than wireless networks tied to the physical confines of buildings. Due mainly to the complexity of the system, real-world deployments could expose vulnerabilities within the system, including the ability to manipulate human operators relying upon the system. It is these complexities that have attracted the concern of the security industry.
However, the potential dangers are similar to those in existing computer networks. Similar to computer systems, ITS networks may be subject to intrusion, allowing attackers to gain access to information within the network or possibly subvert the network to their own uses. By injecting spurious information into the network, an attacker could affect the integrity of information and possibly cause a disastrous change that may lead operators to perform unsafe and possibly lethal actions.
Human involvement in such a system is both a strength and weakness. While users can make dangerous errors, a properly trained and aware operator can avoid actions that are equally dangerous. Information in an automotive or computer system can be similar, and untrusted or unverified information should be met with the same amount of skepticism. When a computer user receives an e-mail message that instructs the user to download and execute an unsafe file, a well-trained user should recognize this is an unsafe action. Similarly, instructions from an automotive network telling an operator to brake heavily and avoid an imminent accident should be a warning to be aware for danger, rather than take a potentially dangerous action and cause an accident. Thus, proper training and operating procedures should be part of any ITS implementation.
User error will always be a part of any system. The danger exists, too, that too much information may cause bad decisions. Too much or inaccurate information, whether true or false, may drive users to perform unsafe actions. In an effort to head off mistakes, a better approach may be system-aided decision making where the computer can warn the user when a decision may have dangerous consequences. The Windows Vista and Windows 7 operating systems’ User Access Control feature, which warns a user when elevated privileges are required and query the user for input, is a good example of this. Existing vehicle systems, such as those that detect and sound an alarm when an operator has steered a car too close to the edge of the roadway or another vehicle, use this type of warning system.
Whatever the end result of a vehicular network system, all parties involved in the design and implementation of such a system must keep an eye toward safety and security. If the system itself poses greater risk toward operators than no system at all, there is no sense in using the system in the first place.