Just as ChatGPT can be abused, a digital voice assistant in electric/autonomous vehicles is a useful value-add — unless it gets hacked!
As electric vehicles (EVs) and autonomous vehicles contain more valuable data and connect to more services, they will also become more lucrative targets for cyber attackers.
There have already been several published examples of cyberattacks on EVs and the infrastructure. For instance, one attack abused the plaintext communication and lack of authentication over the Controller Area Network (CAN) bus protocol between the EV and the charging station. An attacker can spoof the Vehicle Identification Number (VIN), making it possible to charge the vehicle for free.
Another example is an attack targeting the charging station, where a vulnerable open-source software component Log4j was used. An attacker can spoof the car and send a malicious payload to exploit the vulnerability. As a result, the attacker is able to execute arbitrary commands and could possibly charge the vehicle for free.
Can generative AI help?
With the development of powerful AI technologies, there are new opportunities that the automotive industry can seize. One famous example that comes to mind is ChatGPT.
Automobile manufacturers can use such generative AI language models to build their own digital assistants and train the system with automotive-specific information.
One can imagine an automaker training its EVs’ digital assistant module with information from the car user manual as well as information on how to support common use cases including route planning, integration with smart homes and devices, charging, and so on. This would allow the driver to easily ask questions about a warning light blinking on the dashboard; plan an efficient route to the airport; open the garage door or connect a user device; find and reserve a charging spot etc., without having to dig through a large user manual or fiddle with multiple devices or systems.
Know the risks
It is extremely important for automakers to consider what type of training data is used, as well as to apply policies that define what bot responses are allowed with various type of information.
Similar to how early users of ChatGPT were able to figure out how to make the chatbot write malware and hacking tools or to gain information that could be used with malicious intent, an autonomous vehicle’s digital assistant could also be abused by certain people to potentially gain certain harmful information, such as how to clone the car keys. Or, hackers could issue unauthorized commands that could lead to attackers stealing the car or charging for free.
Therefore, as more EVs are deployed, and the necessary infrastructure built up, it is imperative for the automotive industry to improve the overall cybersecurity posture for the entire ecosystem:
- Automotive organizations need to establish a cybersecurity management system (CSMS) with improved cybersecurity awareness in the organization as well as incorporate dedicated cybersecurity activities during product development.
- For automobile software development, these CSMS activities include static application security testing, vulnerability scanning and fuzz testing.
- Moreover, to improve the quality of code, ensuring compliance to certain coding standards such as CERT C/C++, MISRA C/C++ or AUTOSAR C++ is also recommended.
- Organizations also need to consider the risks in the software supply chain such as software vulnerabilities and open-source license violations and how to address them. For example, the procurer should give requirements to the supplier to perform certain cybersecurity activities on their product before it is provided to the procurer. These requirements will include following certain coding guidelines, ensuring license compliance for open-source software components and performing fuzz testing.
- Using automated tools to perform these activities is recommended to improve efficiency and reduce manual effort.
Such steps will help to automakers to establish a secure software development lifecycle with automated tools running continuously in a continuous integration pipeline.