Why Are Privacy and Security Laws Necessary for IoT and Autonomous vehicles?


Posted on by Mohamed Ashik (Ashiq JA)

Autonomous vehicles have already started making headlines in the Middle East. GCC countries such as the UAE have shown widespread commitment to sustainability and renewable energy initiatives. We saw the launch of the first Tesla showroom in Dubai during July of this year. This growth of driverless technology has resulted in the fear of malicious actors taking control of glaring flaws in smart cars.

Security vulnerabilities and loopholes are on the rise constantly and are considered to be one of the major challenges for the automotive industry. Car manufacturers have been struggling with implementing and addressing vehicle cyber security and privacy issues. Existing road regulations do not address the scenario of cars with autonomous capabilities. Many government organizations have introduced laws to regulate driverless cars and have started preparing for the move from autonomous vehicle (AV) testing to commercialization. In fact, the US Federal government released its first rule booklast year governing the building, testing, deploying and sale of self-driving cars.

The need for security regulations for driverless cars

As the technology for IoT and driverless cars continues to develop, government organizations and car manufacturers have started to notice the potential security threats in these systems. Various hacking demonstrations have shown that gaining remote access on these vehicles are possible by exploiting security vulnerabilities in the software or the system.

Yes, driverless cars are being programmed to avoid collisions. These systems are based on algorithms and safety rules, but we’ve seen that it’s not too difficult to construct scenarios in which said algorithms come into conflict with each other. MIT technology review published an intriguing article about the driverless car dilemma, where a driverless car must choose the lesser of two evils, such as killing two passengers or five pedestrians in case of an unavoidable accident. Are the car manufacturers who program such decisions responsible in case of a fatality? – Researchers have also surveyed and identified that most people prefer autonomous vehicles (AVs) to minimize casualties in situations of extreme danger. Many driverless car regulators are suggesting that car manufacturers should apply for testing permits before bringing self-driving cars to public roads. 

Germany has recently introduced ethical rules with 20 guidelines for driverless cars. UAE’s Emirates Authority for Standardization and Metrology (ESMA) has also announced that it will draft rules and guidelines that focus on technical regulations, infrastructure, communication systems, tests and safety requirement for driverless vehicles. ESMA will also host a conference on self-driving cars by the end of this year, which will include leading manufacturers, researchers, developers, and various decision makers from federal and local authorities. 

Driverless vehicle security regulation must address many issues including: 

  • Testing and validation of driverless system safety on roads
  • Data collection and sharing methodologies
  • Software and hardware update mechanism
  • Consumer and developer security awareness
  • Federal and local body involvement

Privacy concern and exposure of personal Information

The volume of data that could potentially be generated, stored and processed by autonomous vehicles (AVs) is ever-increasing. The data could consist of various information points such as GPS coordinates, addresses, driver’s usual route, and frequently travelled places. Privacy and exposure of this sensitive data is another major concern in driverless car security. Such information would prove to be attractive to cyber criminals. Personal information stolen from driverless systems could be either sold on the dark web or leaked publicly. Further enabling this is the fact that driverless cars feature multiple sensors, cameras, GPS and lasers that collect large amount of data every second to identify obstacles and recognize the drivable terrain.

Driverless car privacy regulation and laws should focus on:

  • Transparency of data collection
  • Data security and encryption
  • Accountability
  • Storage and processing of location data
  • Complying with existing traffic laws and government standards

To address these issues, car manufacturers, researchers and federal bodies have to collaborate to identify the weak points in the system. Laws and regulations must keep up with the growth of technology. Implementing regulatory framework and security protection for the newly introduced technology will remain a challenge but can be overcome with proper planning, execution and structure.

References and further reading:

https://www.transportation.gov/AV

https://www.lexology.com/library/detail.aspx?g=b4fb752e-539c-47c4-a39b-b5c419657404

https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/security-nightmare-of-driverless-cars/

http://news.mit.edu/2016/driverless-cars-safety-issues-0623

Contributors
Mohamed Ashik (Ashiq JA)

Cyber Security Consultant,

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs