Cyber Threats to 'Smart Cars' – The Legal Response

By: Haim Wismonsky and Yuval Shany

Over the past decades, vehicles have become increasingly "smart". They contain more software, communication devices, and computer-based hardware than ever before, and are often connected to a wired or even a wireless network. These vehicles are based on the CAN bus (Controller Area Network), a network that connects the electronic components of the vehicle and is largely responsible for its operation, from the use of electric windows to the use of the vehicle's brakes. CAN technology differs from a typical bus topology in that information flows through the system all the time, whether or not the system has been asked for it.

There is no doubt that there are many advantages to using these systems. For example, they enable more efficient and functional vehicles and real-time fault alerts. However, as is inherent in computerized systems, their use may increase the exposure of the vehicle to various cyber threats, creating a security weakness that can be exploited by various actors with respect to both the computerized systems themselves and the information stored in them. As far as the computerized systems are concerned, a major vulnerability in the use of this technology is the interconnection between many electronic units in the vehicle, meaning that many of the vehicle's components can connect to other components and/or systems. This connectivity can result in a significant security vulnerability, which increases the chances that the system will suffer from threats and cyber-attacks. For example, a vulnerability in the entertainment system is sufficient to connect to the vital systems of the vehicle, such as the brake control system, the engine, the airbags and other systems. Another major vulnerability concerns the possible absence of encryption. This vulnerability, together with the fact that these systems are usually interconnected, might pose a weak point, since breaking into the vehicle system may expose the information stored in it to the attacker. This vulnerability is not limited to information security issues, but may enable the attacker to make actual changes to the information inserted into the CAN system or to introduce new information into the system.

The inherent vulnerability of the network topology on which smart vehicles are based may lead to various cyber threats. These threats include, among other things, the possibility of vehicle theft by taking over the remote system, and endangering the privacy of the vehicle's users by operating a microphone in the vehicle and listening to private conversations taking place inside it, or alternatively by using GPS tracking. The vulnerability of the system may also lead to damage to property and harm to human life. For example, the network topology may allow remote control of the system in an attempt to disrupt or disable critical systems in the vehicle, or the introduction of ransomware or any other malicious software that can be used while the vehicle is being operated. These issues, and the inherent risks they pose, require an in-depth examination of various means and forms of regulation.

The proposed legal research seeks to illuminate and deal with the complex issues of cyber-attacks on 'smart vehicles' from different perspectives, under the research paradigm of law and technology and through various tools. The first part will focus on describing the challenges posed by the technology of 'smart vehicles' to policy makers around the world. The second part will examine the current legislation and regulation on this subject around the world, chiefly that of the American and European legislatures. Furthermore, I will examine the legislation and regulation regarding 'smart vehicles' in Israel. This examination will show that the regulation and legislation of 'smart vehicles' are divided into two main categories: those that try to prevent vulnerability in the system at the production stage, and those that try to deter and punish those who commit an offense.

At this stage, I will argue that in most countries, at this time, there is no particular regulation of 'smart vehicles'. I will examine whether and how existing penal laws, which existed before the time of 'smart vehicles', and sometimes even before the cyber age, can be interpreted to include the protection of 'smart vehicles' against cyber threats. This examination will be conducted in light of the general discussion on the relationship between law and technology, and of the question whether legislation should be formulated prospectively, and therefore somewhat vaguely, or whether it should be technology-oriented, which is on the one hand more precise, but on the other hand will not formulate the abstract values that the law wishes to protect.

As for the regulation, there is no doubt that specific steps should be taken to define a specific regulatory environment for 'smart vehicles', and I will present guidelines for such regulation in the paper.