Full Report
Self-driving cars are just around the corner, with the UK government putting up £10 million (around $15.6 million) for cities to pilot trials as soon as next year, but the country's Institute of Engineering and Technology (IET) today issued stern warnings about the security of the technology.
Analysis Summary
# Vulnerability: Inherent Security Risks in Early Autonomous Vehicle Software
## CVE Details
- CVE ID: N/A (Discussion revolves around general software quality and future risk, not a specific disclosed vulnerability yet)
- CVSS Score: N/A
- CWE: Software Defects (General concern raised about reliability, implying potential but unspecified CWEs)
## Affected Systems
- Products: Early generation Autonomous Vehicles (Driverless Cars) utilizing connected software systems.
- Versions: Not specified, as the discussion targets foundational software quality before mainstream deployment (circa 2014 context).
- Configurations: Applicable to any system relying on the software controlling vehicle operation.
## Vulnerability Description
The IET (Institute of Engineering and Technology) expressed concern about the inherent security and reliability of software intended for autonomous vehicles. A representative noted that a high percentage of applications typically contain serious defects (10-15 defects per application). This general software quality issue is compounded by the significant, specific threat of **cybersecurity attacks** that would allow external actors (hackers) to interfere with vehicle operation, potentially causing significant chaos or being weaponized for terrorism. The industry's focus appeared to be weighted too heavily toward AI safety rather than external cyber threats.
## Exploitation
- Status: Theoretical/Potential threat (Discussion highlights the *risk* of future targeting).
- Complexity: Not specified, but the potential for widespread chaos suggests moderate to high impact even with moderate complexity.
- Attack Vector: Implied Network/Remote due to "hacking" context, potentially leading to Local (in-vehicle access) after initial compromise.
## Impact
- Confidentiality: Unknown / Not the primary focus.
- Integrity: High (Direct control alteration can compromise the vehicle's driving integrity).
- Availability: High (Malicious interference could stop vehicles from operating as planned, leading to road chaos).
## Remediation
### Patches
- No specific patches mentioned, as this is a warning about broad pre-deployment software quality and threat modeling.
### Workarounds
- The IET suggested considering making "black boxes" mandatory in vehicles to aid investigation in the event of an incident.
## Detection
- The primary suggested measures are preventative quality assurance of the software before deployment and forensic recording capabilities (black boxes) to support post-incident investigation.
## References
- Vendor advisories: N/A (Industry-wide concern raised by regulatory/engineering body).
- Relevant links - defanged:
  - [mashable.com/2014/11/25/driverless-cars-uk/](http://mashable.com/2014/11/25/driverless-cars-uk/)
  - [techtimes.com/articles/20756/20141123/driverless-cars-vulnerable-to-hacking-possible-use-in-terror-attack-experts.htm](http://techtimes.com/articles/20756/20141123/driverless-cars-vulnerable-to-hacking-possible-use-in-terror-attack-experts.htm)
  - [theguardian.com/technology/2014/nov/21/driverless-cars-hacking-threat-road-trials-january](http://www.theguardian.com/technology/2014/nov/21/driverless-cars-hacking-threat-road-trials-january)