Cyber-terror tactics: Hacking autonomous vehicles

June 29, 2017
Cyber-terror tactics: Hacking autonomous vehicles
Andrew Staniforth
Andrew Staniforth Non-Resident Fellow - Counter Terrorism & National Security

Cities across Europe remain under siege from recent terrorist events fuelled by the extremist ideology espoused by Daesh. The UK has witnessed four terror attacks in as many months, three of them occurring in London, including incidents outside the Finsbury Park Mosque, on Westminster Bridge and London Bridge. The trio of attacks in London have all been low-tech; terrorist’s using vehicles as weapons to indiscriminately plough into pedestrians in public places.

The recent incidents of terror in London mirrored the tactics used by extremists responsible for the terrorist attacks in Nice, Stockholm, and Berlin over the last twelve months, killing 104 people and injuring a further 519.  The copy-cat tactic of driving vehicles into defenceless citizens represents a fundamental shift in contemporary terrorists’ attack planning across Europe. The shift to the use of vehicles to plough into pedestrians as a method of attack should, however, come as no surprise to the counter-terrorism community, as it is a tactic that has been repeatedly encouraged by groups including al-Qaeda in the Arabian Peninsula (AQAP) and Daesh. It is also a tactic that has been promoted online in both terrorist organisations’ English language magazines. The series of recent terror events using cars, vans and lorries as weapons across cities in Europe has placed the future security of vehicles under the spotlight, serving to raise serious concerns amongst national security officials for the safe introduction of the first generation of autonomous vehicles.

Innovation and investment

The introduction of self-driving vehicles is no longer science fiction, it is the new reality from which is emerging a suite of new security threats and risks to be tackled by government agencies.  A company by company examination of public investments by leading car makers makes it clear that most car companies are betting self-driving technology will be inevitable, and they’re all jumping in with investment and initiatives. In 2016, General Motors (GM) spent $581 million to acquire self-driving car start-up Cruise Automation. GM Chief Executive Officer Marry Barra stated that: “We expect to be the first high-volume auto manufacturer to build fully autonomous vehicles in a mass-production assembly plant.”

Over the next decade the acceleration of autonomous driving technology, including advances in artificial intelligence, sensors, cameras, radar and data analytics, are set to transform not only how we drive but the notion of car ownership itself – all of which provides fresh opportunities for the terrorist attack planner. There are five levels of vehicle automation, defined under international standards by the Society of Automotive Engineers (SAE), which range from “no automation” to “full automation” and includes:

  • Level 1 automation: some small steering or acceleration tasks are performed by the car without human intervention, but everything else is fully under human control.
  • Level 2 automation: advanced cruise control or original autopilot system allowing the vehicle to automatically take safety actions but the driver needs to stay alert at the wheel.
  • Level 3 automation: still requires a human driver, but the human is able to hand some “safety-critical functions” off to the vehicle, under certain traffic or environmental conditions.
  • Level 4 automation: a vehicle that can drive itself almost all the time without any human input but might be programmed not to drive in unmapped areas or during severe weather.
  • Level 5 automation: full automation in all conditions.

The levels of automation set by the SAE are descriptive rather than normative, and technical rather than legal. They imply no particular order of market introduction but such services, according to SAE, will make driving safer, reduce pollution and congestion, and will also bring about a paradigm shift in personal vehicle ownership.

Man versus machine

The drive to introduce autonomous vehicles is fuelled by the potential to significantly reduce accidents. Road traffic collisions pose a major public health risk in many nations across the world and autonomous vehicles could serve to mitigate this crisis. In the United States, on average, 32,000 people are killed and more than 2 million are injured in motor vehicle accidents every year.[i] And more than 90 percent of crashes are caused by human errors, such as driving too fast and misjudging other drivers’ behaviours, as well as alcohol impairment, distraction, and fatigue.[ii] U.S. motor vehicle crashes as a whole can pose enormous economic and social costs – estimated to be more than $800 billion in a single year.[iii]

Given the scale of death and destruction on roads and freeways across the world, it comes as no surprise that a number of government authorities want autonomous vehicles to become as safe as possible and as quickly as possible so that their potential is realised and a new era of safer transportation can be ushered in. The urgency to reduce vehicle-related deaths, injuries and the economic and social costs is accelerating the production of self-driving vehicles, and security policy-makers are now questioning whether the race to bring self-driving vehicles to our roads is compromising safety.

Cyber threats

When implemented, self-driving cars will presumed to be reliable, automated and autonomous machines, providing their services at any time. But from a technical perspective of a cyber-terrorist, autonomous vehicles are highly exposed, multiply-linked and networked complex pieces of software and hardware. According to Kevin Tighe, a senior systems engineer at the autonomous vehicles security testing company Bugcrows: “Car companies are finally realising that what they sell is just a big computer you sit in.” The security design flaws within the increasing autonomy of vehicles has already been exposed. During 2015, two researchers from the security consultancy IOActive and Twitter, turned car hacking from a vaguely theoretical pursuit into one with terrifying consequences. At the 2015 Defcon, Twitter’s Charlie Miller and IOActive’s Chris Valasek were able to wirelessly take over a Jeep Cherokee being driven by a technology writer for Wired Magazine to demonstrate the vulnerability of the vehicle’s dashboard computer.  They used a laptop connected to the internet miles from the vehicle to seize control of it, cutting the brakes and transmission at the flick of a switch. The cyber security experts controlled the air-conditioning, radio and windshield wipers of the Jeep remotely, before making the vehicle come to a complete stop on the interstate. 

The demonstration sparked a worldwide recall for the affected cars – which included much of Fiat Chrysler’s range. Adding to the cyber security concerns of autonomous vehicles, Miller and Valasek were also able to track the GPS coordinates of the Jeep they hacked, a vulnerability already exploited by cyber criminals in Housten in the U.S., where police discovered that hackers were able to use a laptop to access into the computer system of a 2010 Jeep Wrangler, start the engine and steal it from the owner’s driveway.

Research to reality

Driverless cars offer great promise in improving safety and convenience but they also pose considerable security risks which will be exploited by terrorists and cyber criminals.  The successful implementation of autonomous vehicles has many hazards and hurdles to overcome. If implementation is managed carefully by car and systems manufacturers, and a legal framework for progressive utilisation and full uptake is realistically guided, autonomous vehicles have the potential to revolutionise transportation. As an integral part of the development and implementation of autonomous vehicles, intelligence and law enforcement agencies must collaborate in their production to support designing-out security flaws based on the latest attack vectors of terrorists and cyber criminals. Governments must begin to consider all the security risks very carefully and make a concerted effort to address them before urging adoption of this revolutionary, new technology.


[i] Bureau of Transportation Statistics, Motor Vehicle Safety Data, (Washington D.C.: Research and Innovative Technology Administration, U.S. Department of Transportation, 2015) Table 2-17.

[ii] National Highway Traffic Safety Administration, Traffic Safety Facts, A Brief Statistical Summary: Critical Reasons for Crashes Investigated in the National Motor Vehicle Crash Causation Survey, (Washington, D.C.: National Centre for Statistics and Analysis, U.S. Department of Transportation, 2015).

[iii] Blincoe L, Miller T, Zaloshnja E, Lawrence B, The Economic and Societal Impact of Motor Vehicle Crashes 2010, (Washington D.C: National Highway Safety Administration, 2015).