Doctoral student Maanak Gupta (left) and James Benson, cyber analyst at UTSA's Institute for Cyber Security Technology, work on their research. Credit: Scott Ball / San Antonio Report

Maanak Gupta was in Phoenix for a conference when headlines spread throughout the country: On March 19, an Uber autonomous vehicle struck and killed a pedestrian in Tempe, just east of Phoenix. It was believed to be the first instance of someone being killed by a self-driving car.

The doctoral candidate at the University of Texas at San Antonio’s Institute of Cyber Security began to consider what could have caused the accident. Was it a sensor failure or something perhaps more alarming – a cyberattack?

Video footage from inside the vehicle shows a safety driver did not have his eyes on the road just before the car struck the pedestrian. Autonomous cars have sensors, however, that are designed to prevent such collisions. A resolution remains pending in the investigation into the incident, but cybersecurity has not been cited as part of that investigation.

But the possibility got Gupta thinking about the what ifs – especially as he and his colleagues are in the midst of developing a system for defending against cyberattacks.

Gupta and Ravi Sandhu, who teaches computer science and directs the UTSA Institute for Cyber Security, are studying cybersecurity risks for a new generation of automobiles, which will have both driverless capabilities and internet connectivity.

So-called connected cars make communication between drivers and pedestrians possible. The people behind the technology hope this will make roads safer.

Connected cars also have the ability to monitor the environment and safety around a vehicle, such as pedestrians, road obstructions, and accidents.

But Gupta said access to the internet will expose those vehicles to cybersecurity threats that plague such devices as computers and smartphones.

The software framework he and Sandhu are developing will authorize drivers using security policies, Gupta said. For example, if a remote key has the ability to power on and off a car’s air-conditioning system, the system would authenticate the person before powering on.

The initial scope of the study, which began in October, was “to understand what are the threats and vulnerabilities that can be exploited and what are the security mechanisms that we can deploy,” Gupta said.

But as they move forward with the development, the researchers will create a standalone service for connected cars that could restrict which users and applications access data and sensors on the vehicle, as well as who can control or access the engine diagnostics.

Once the researchers publish their paper on their findings, Gupta said they plan to share the code with the public.

“The issue about the security and privacy in connected cars is a long view, and that is one of the factors that there is a little hitch about how and when to adopt this technology because you don’t want to leave any loopholes,” he said. “You don’t want to have any open doors before you make it available to the common public.”

Gupta said for now the research team is using simulations to prove up its software, which was written in the programming language Python. The researchers hope to test it out on real cars in the future.

As the technology becomes ubiquitous on roadways, securing vehicles will be paramount, Sandhu said.

“Driverless and connected cars are increasingly becoming a part of our world, where cybersecurity threats are already a reality,” he said. “It’s imperative that we support research that addresses these concerns and presents a strong, innovative solution.”

JJ Velasquez was a columnist, former editor and reporter at the San Antonio Report.