Uber snapped up car hackers Charlie Miller and Chris Valasek. Miller, who had worked on Twitter's security team, and Valasek, who had been working as Director of Vehicle Security Research at IOActive, will now join "dozens of autonomous vehicle experts hired from Carnegie Mellon University" working at Uber's Advanced Technologies Center.
Uber previously said it would buy a half million Tesla autonomous cars if the self-driving vehicles were ready in 2020; Uber wants to kick "hundreds of thousands of contract drivers" to the curb and replace them with a fleet of autonomous cars. Miller and Valasek will be working to make self-driving cars more secure…but as Fortune pointed out, "Uber can now effortlessly hack its rivals six ways to Sunday."
After they proved it is possible to remotely attack an Internet-connected vehicle, Chrysler recalled 1.4 million vehicles in the first known automotive recall to prevent hackers from wirelessly exploiting cybersecurity vulnerabilities. But that may be only the start of things to come…and those recalled vehicles are not even autonomous.
We may seriously need Miller, Valasek and others like them to protect us…especially if value investor Alex Rubalcava is correct about autonomous vehicles being the "greatest force multiplier to emerge in decades for criminals and terrorists." Rubalcava, who is also on the Board of directors at South Central Scholars, took to Medium with his "roadmap for a world without drivers."
Along the way, Rubalcava spelled out the future threat from autonomous vehicles as he sees it. "Whether you're a school shooter or a religious extremist, the biggest barrier to carrying out your plan is the risk of getting caught or killed by law enforcement." But "autonomous vehicles neutralize those risks," he wrote, "and they open the door for new types of crime not possible today."
A future Timothy McVeigh will not need to drive a truck full of fertilizer to the place he intends to detonate it. A burner email account, a prepaid debit card purchased with cash, and an account, tied to that burner email, with an AV car service will get him a long way to being able to place explosives near crowds, without ever being there himself. How will law enforcement solve physical, violent crimes committed by people who were never at the scene of the crime?
Rubalcava suggested that if autonomous cars were available right now, the Boston bombers "could have dispatched their bombs in the trunk of a car that they were never in themselves."
The reaction to the first car bombing using an AV is going to be massive, and it's going to be stupid. CNN will go into "missing airplane" mode. There will be calls for the government to issue a stop to all AV operations, much in the same way that the FAA ordered a ground stop after 9/11. But unlike 9/11, which involved a decades-old transportation infrastructure, the first AV bombing will use an infrastructure in its infancy, one that will be much easier to shut down. That shutdown could stretch from temporary to quasi-permanent with ease, as security professionals grapple with the technical challenge of distinguishing between safe, legitimate payloads and payloads that are intended to harm.
The scenario described above — using an AV to commit a violent crime — involves no hacking. Hacking is the second major barrier to adoption that will present unique problems.
Andy Rowland, BT's Head of Customer Innovation, Energy, Resources and Automotive, warned that future multiple-vehicle hacking scenarios may include large-scale ransomware attacks with infections that begin at manufacturing plants or auto dealerships. Such proposed attacks were on smart cars – not self-driving cars – which Rubalcava said would prove to be an "irresistible target" to "average hackers" and even pranksters who might lock all the doors on a fleet of autonomous vehicles to trap passengers inside. "Hackers motivated by destruction, rather than thrills, will be even more dangerous when they gain control of AVs."
No pressure for Miller and Valasek, but if that is the world to come when self-driving cars rule the roads, then we may need you to do more than secure Uber's future autonomous fleet.