In 2015, a pair of hackers demonstrated just how easy it was to break into the UConnect system of a Jeep Cherokee, remotely manipulating the speed, braking, steering, even shutting the car down entirely. Vehicles on the road will only have greater interconnectivity from this point forward, with self-driving cars on the horizon. That poses a unique potential risk: if someone can hack one car, what happens if they manage to hack many at once in a major metropolitan city?
That question inspired scientists at the Georgia Institute of Technology to quantify the likely impact of such a large-scale hack on traffic flow in New York City. Skanda Vivek, a postdoctoral researcher at Georgia Tech, described the study's findings at the American Physical Society's 2019 March meeting, held last week in Boston. Worst-case scenario: a small-scale hack affecting just ten percent of cars on the road would be sufficient to cause city-wide gridlock, essentially cutting half of Manhattan off from the rest of the city. And unlike compromised data, compromised vehicles can lead to physical injury.
Vivek and his colleagues performed computer simulations of traffic flow in Manhattan, using a statistical method called percolation theory. If that reminds you of brewing coffee, that's exactly the right image. Percolation theory is a mathematical model of a smooth, continuous phase transition (as opposed to a rapid one, like flicking a light switch), similar to water seeping through roasted ground coffee beans until it shifts into a new state: "coffee." Hot water seeping through packed coffee grains will hunt for the most viable path. The more connected routes that are open, the more likely it is the water will filter through. Traffic works much the same way. Cut off too many routes, and there won't be sufficient connectivity for cars to filter through.
When multiple vehicles are hacked, there is a critical slowdown.
The individual nodes in a random network form short-range connections gradually, until the system reaches a critical threshold. Then the largest cluster of nodes experiences a growth surge, giving rise to uber-connectivity. Traffic has phases, too. When it's moving freely, it's like a liquid; when it's at a standstill, it's like a solid—a state of complete blockage. In between is a unique, uber-connected state known as "synchronized flow," where the cars become highly correlated. So when the density of vehicles is very high, like during rush hour in Manhattan, small perturbations can have a ripple effect, producing traffic jams.
"Immediately after a vehicle is hacked, the traffic slows down around the hacked vehicle," said Vivek. And when multiple vehicles are hacked, there is a critical slowdown, which can turn into complete stoppage. "This is a concerning scenario, because when emergency vehicles want to get through, they can't," said Vivek. "You need to wait for a tow truck to come and move one of the hacked self-driving cars."
Enlarge / A simulation shows clusters of connected roads. Half of Manhattan is essentially disrupted when you reach about 15 compromised vehicles per kilometer per lane.
Skanda Vivek/ Georgia Tech
The probability of this kind of blockage occurring depends on the minimal amount of space in between vehicles, the length of the road, the number of lanes, and overall density of the compromised vehicles in traffic. As the compromised vehicle density increases, the probability of a "zero flow" blockage also increases, although the probability is less the more lanes are available. The Georgia Tech simulation worked great for one lane, so they expanded their simulation to include multiple roads, akin to a city network.
"When you have zero compromised vehicles, all 8,000 Manhattan roads are accessible," said Vivek; he then noted that small amounts of hackery can cause big slowdowns. "But when you reach about 15 compromised vehicles per kilometer per lane, then half of Manhattan is essentially disrupted. We call this the point of city fragmentation." That's ten percent of the vehicles on the road during a typical NYC rush hour.
If that seems unlikely, Vivek points out that four major auto manufacturers each have roughly a ten percent market share of vehicles on the road in New York: Hyundai, Nissan, Toyota, and GM. If just one of those four has a security vulnerability that affects its vehicles, there would be the potential for city-wide disruption. Of course, this is a worst-case scenario, and self-driving cars have deliberately redundant sensor systems and multiple cameras, so even if one or two get hacked, the car should still be able to access enough information to operate safely.
Their findings also suggested a possible strategy for reducing the risk of this worst-case scenario. Vivek et al. suggest using multiple networks for connected vehicles, thereby decreasing how many cars can be compromised in a single hack. "If no more than, say, five percent of connected vehicles were compartmentalized to the same network, or used the same network protocols, the chance of city-wide fragmentation would be low," said Vivek. That's because it would post a much greater challenge to potential hackers keen on causing widespread disruption, since this multi-network architecture would require many attempted intrusions simultaneously.
"Connected cars are the future," Vivek said. "Our work is not in opposition to the future of connected cars. Rather, the novelty of our work lies in identifying and quantifying the underlying cyber-physical risks when multiple connected vehicles are compromised. By shining a light on these technologies at an early stage, we hope we can help prevent worst-case scenarios."