A year ago, an Uber sedan whose driver shared controls with an onboard computer accidentally mounted a sidewalk in Pittsburgh.
No one was hurt, but a few days later, an Uber Volvo also on automatic pilot struck and killed a bicyclist in Tempe, Ariz., causing the ride-hailing company to suspend its testing of self-driving technology in cities across America, including Pittsburgh.
The incidents define a dilemma for Pittsburgh Mayor Bill Peduto and the mayors of other cities who want to be a birthplace of the self-driving vehicle's transformative innovation in moving people and packages.
The same dilemma hangs over U.S. and foreign auto manufacturers that are pushing advanced self-driving technologies into cars in the hope of making them safer to drive and more compelling to buy.
As automobiles turn into computers on wheels and are wedded to wireless networks, how do they defend against the hacking risks that travel with the technology?
"We don't know enough about the technologies or threats that may exist," said Karina Ricks, director of the Pittsburgh Department of Mobility and Infrastructure, charged by Peduto with overseeing the testing of autonomous vehicles in the city. "First and foremost, what are the protections and how are they preparing for threats?"
The mayor has issued an executive order covering autonomous vehicles testing and has engaged engineers from Carnegie Mellon University as its cyber consultants. Uber meanwhile has resumed testing the cars in the city.
The self-driving software that failed in Pittsburgh and Tempe last year did so on its own.
But what if a hacker had been in command?
That was the opening question this week at a panel discussion on cyberthreats to motor vehicles, held at the World Congress conference in Detroit, sponsored by the Society for Automotive Engineers (SAE) International. Could motor vehicles be weaponized, seized by terrorists to attack crowds or taken over by hackers demanding payment?
"Vehicles could be weaponized, but would it be reasonable?" said Jeffrey Massimilla, head of global vehicle security for General Motors Co. "What risks are we trying to mitigate? I believe a more plausible attack on a connected ecosystem in a vehicle would be something on the line of ransomware."
Massimilla described it this way: A motorist gets in the car and is greeted by a hacker's message on the dashboard screen: "'You want to start your car, call a number. Pay a bitcoin and you're in.'"
"There are a lot of other different targets that would be more reasonable to try to weaponize than a vehicle itself," he said.
Kevin Gay, top cybersecurity adviser at the National Highway Traffic Safety Administration, didn't answer the question directly, praising the auto industry instead for how far it has come in combating hacking threats. "I think there is great work going on in the auto sector," he said. "We think the best practices coming out are very positive."
Then he warned, "There are a lot of new things coming at us."
First on the list is a known threat of a hack on a car's internal electronics system if intruders can enter through an array of driver convenience and safety options in today's cars. Another concern is the potential for hacking networks of electric vehicle charging stations, which intersect with the power grid.
The ultimate threat surrounds self-driving, autonomous vehicles like the models that Uber and other tech and auto companies are testing. The first models of autonomous vehicles will travel on pre-mapped city streets, with onboard computers communicating constantly with central control centers over wireless networks that must be hack-proof.
In 2015, the potential for trouble was made loud and clear by hackers Charlie Miller and Chris Valasek with their takeover of a Jeep Cherokee traveling on a St. Louis highway.
The driver, journalist Andy Greenberg, had made himself the guinea pig for the attempt.
'It's [expletive] dangerous'
In a video for Wired that went viral, Greenberg was startled when the car's air conditioner suddenly turned itself on. Then the radio cut loose with a blast of rock music he couldn't turn off. The windshield wipers came to life, spraying water into the driver's vision. Finally, the motor shut off.
The car slowed to a crawl as a tractor-trailer truck barreled by.
"Seriously, it's [expletive] dangerous," he protested to them over his phone. Chuckling at his panic, they told him to turn the car ignition off then back on. Only then was he back in command. (Before going public, Miller and Valasek gave Fiat Chrysler time to fix the entryway into the vehicle's computer control system).
The video has been seen more than 3.4 million times since the 2015 incident. Its impact has arguably been wider still, says Faye Francy, who runs Auto-ISAC, the car industry's cyberthreat information sharing and analysis center.
"That was a real pivot point, a milestone in the industry's understanding that, 'Wow, that makes people scared,'" Francy said.
The same thirst for constant connections that drives cellphone addiction has led automakers toward increasing connectivity between cars and apps offering entertainment and safety.
Connectivity was the backdoor to the Jeep Cherokee. The vehicle's showcase "Uconnect" remote access and entertainment system was added to let drivers start the car and operate climate controls from outside. It inadvertently let Miller and Valasek penetrate the CAN (controller area network) interface in the car that integrates a host of computerized functions. One researcher called it a Pandora's box of vulnerabilities.
The auto industry has scrambled to address this threat, executives say.
"The industry really came together about four years ago," said GM's Massimilla. "We've gotten ahead of sharing vulnerabilities and threat information."
"If we see in the next generation similar hacks, I would be fairly surprised," said Andre Weimerskirch, vice president for cybersecurity at auto supplier Lear Corp., speaking at the same conference.
The "low-hanging fruit" of car vulnerabilities, demonstrated by the Jeep hack, have been addressed as an urgent priority for the industry, said Weimerskirch, founder of the transportation cybersecurity group at the University of Michigan's Transportation Research Institute. "All of these entrance paths are really closed."
But innovation is in the driver's seat and isn't stopping.
A new generation of applications is enabled by high-tech sensors that could offer new targets for attack. Today, passenger cars can come with radar that triggers automatic braking if a car in front is too close or to monitor drivers' blind spots or warn of a pedestrian in the roadway. Cameras track a roadway's painted yellow lines to alert drivers drifting out of their lanes.
Autonomous vehicles will go much further on this course, managing their way among traffic and pedestrians with a selection of onboard sensors including radar, GPS, cameras and lidar, a laser-enabled distance measuring device.
"There are some really interesting vulnerabilities in sensors," said Victor Murray, an engineer at the Southwest Research Institute in San Antonio. SWRI was a collaborator in developing the award-winning Uptane cybersecurity protocol, which aims to protect software updates to vehicle's engine control units.
"If you're going to drive without human interaction, they are critical," Murray said. "For all of the sensors I'm familiar with, I've read papers on exploits with all of them."
"We need to start looking at the broader environment around cars. We are doing fairly well as protecting the car as such, but the car [is becoming] part of the internet of things," Lear's Weimerskirch said.
Another unsolved hazard lies in the computer components automakers and their suppliers acquire from vendors. Massimilla noted that GM patrols the risk closely.
But Weimerskirch remains worried.
"Who knows if hardware is manipulated somewhere between our supplier and us," he said. "Who knows if someone hacked into our supplier's system to introduce malware. It's a really challenging issue."
The second tier of threats posed by charging stations for electric vehicles is commanding attention.
"Is the charging station an attack vector? If you are able to invade the charging station, then can you go into the vehicle?" asks Marc LeDuc, SAE International senior technical program developer.
Gay, the NHTSA official, said if electrification introduces more threats through the electric charging infrastructure, then regulators care about that.
But it's also about the power grid. "Can you hack into the charger and request more power than utilities' power lines actually can provide?" Weimerskirch asked.
The threat to utilities is the focus of a new research project led by the Idaho National Laboratory (INL).
John Smart, a transportation group leader at INL, said researchers are examining risks to electric utilities from fast-charging systems for electric vehicles. Unlike public chargers at big box retail store parking lots, hotel garages and camper parks — which take multiple hours to replenish an EV battery — high-voltage chargers pour power back into high-input batteries and draw on direct connections with electric utilities.
The project focuses not just on the likelihood of an attack but also on its possible consequences. That extends to the power grid, Smart said. "We're not limited to what bad things could happen to an individual or charging station," he said. "We are developing a process to try to envision, characterize and calibrate threats, and quantify the risks of those threats."
The project draws on INL's capacity to simulate the impact on an electricity distributor if lots of cars and trucks were attacked as they recharged. "If an attack happened and was successful, and one gained control over a vehicle, or a charging system, or multiple systems, what is the worst they could do?" Smart said.
"There are more risks than anyone could be expected to address, therefore it's incumbent on us to prioritize the risks," he added. "What are the bad things that we just cannot allow to happen?"
Experts say the arrival of autonomous vehicles in commercial use, perhaps as early as the middle of the next decade, will open the door to new cyberthreats.
The vehicles will "talk" to each other and to control centers over wireless communication channels.
"There will be no automated driving without connectivity. Period," said Kay Stepper, vice president of driver assistance systems and automated driving at Robert Bosch LLC, the Michigan-based unit of the global German engineering and technology firm.
Every carmaker will have their vehicles connected to back-end computer servers. These will be targeted, he said. "Absolutely it will be attempted. It has happened," Stepper said. "So we have to do the utmost from the industry perspective to prepare for that and have a sensible approach to prevent that."
The security of self-driving cars falls under voluntary best practice recommendations issued in 2016 by the NHTSA. That agency is responsible for issuing and enforcing the Federal Motor Vehicle Safety Standards.
NHTSA updated the document a year later with "A Vision for Safety 2.0." The agency encourages automakers to assess the effectiveness of their safety standards and report the results to the public but doesn't require them to do it, notes Michael Morgan, an attorney specializing in cybersecurity issues with the Los Angeles firm McDermott, Will & Emery.
Morgan expanded on the challenge in a recent webcast interview at an SAE International event. Regulators who have until now concentrated on auto safety must deal with fundamentally different issues.
"The technology moves a lot faster than the regulatory environment," he said. "For the next few years, the reality is that in all likelihood the regulatory environment is going to be a few years behind the technology."