Mikko Hypponen, chief research officer of F-Secure, says there is mounting evidence that ISIS is developing self-driving vehicles for the purpose of using them as self-guided car bombs.
"We have concrete evidence they're building cars that drive themselves," he said Sunday while addressing vulnerabilities in the transportation system at South By Southwest. "They're also building mannequins to put behind the driver's seat, and have built a system to clone the heat system of a human being so it looks like a human's driving."
A principal fear is that terrorists could load a bomb onto a self-driving car, type in the address for a desired destination and send it on its way. Suicide bombers would no longer need to be recruited. While there's been much focus among auto industry experts and media alike on the havoc hackers could create by breaching security systems in vehicles – autonomous or not – Hypponen said these kind of attacks are the ones that may need to be feared most.
"It's obviously a deep concern, because you are looking at safety vulnerabilities that could be exposed."
The level of sophistication he described might be new, but the concept of terrorists using self-driving cars for malicious purposes is one the government has previously addressed. In 2014, the FBI's Strategic Issues Group authored a report that said autonomous cars "will have a high impact on transforming what both law enforcement and its adversaries can operationally do with a car."
The report, titled Autonomous Cars Present Game Changing Opportunities and Threats For Law Enforcement outlines both potential benefits for police officers and the possibility a car could be "more of a potential lethal weapon than it is today."
Hypponen has led efforts to stop some of the world's most notorious cyber criminals, and worked with authorities in the United States, Asia and Europe. If there's any consolation, he said ISIS was currently the only terrorist group capable of mounting a credible autonomous threat. While that's a worst-case scenario, he and other experts cautioned the US transportation system remains vulnerable to a range of cyber-related attacks that could produce major damage and disruption.
Hackers could disrupt beyond cars
Besides attacks upon individual cars, security experts, transportation officials, and insurance carriers are more closely analyzing the risks associated with infrastructure, such as software that could be used to place two trains on a collision course or viruses that could disrupt air-traffic control communications.
"These are very, very dangerous," said Robert Hartwig, president of the Insurance Information Institute. "Imagine a hacker causing a massive oil tanker to come ashore. It's not even the tanker itself you're worried about; it's the environmental damage that results."
Self-driving cars "will have a high impact on transforming what both law enforcement and its adversaries can operationally do with a car."
Unmanned shipping is perhaps further along than in development than self-driving cars, so that's a plausible scenario. Remote attacks on transportation have yet to occur in the real world, but security researchers have already demonstrated that cars can be remotely commandeered through a variety of access points. In the automotive realm, manufacturers have started to address these threats more seriously. In December, they opened an information sharing and analysis center to collectively gather intelligence and assess threats. But third-party researchers have warned of the dangers for years, and there's a sense automakers are behind in protecting cars.
"You have nation states and criminal organizations all over the world," said Tom Winterhalter, the supervisory special agent of the FBI's cyber criminal agency based in Detroit. "It's obviously a deep concern, because you are looking at safety vulnerabilities that could be exposed as (connected cars) become more popular and mainstream."