‘Hackers Remotely Kill a Jeep on the Highway – With Me In It’ screams the headline today after news that renowned hackers Charlie Miller and Chris Vaselek have simulated what it would be like for a driver to have his vehicle overcome by an ‘invisible, virtual force.’
Andy Greenberg, a senior writer at Wired, played crash test dummy as Miller and Vaselek first mucked about with the air conditioning, then the sound system and ultimately the brakes and transmission of the Jeep Cherokee he was driving at 70mph in downtown St Louis. End result – Jeep disabled and traffic chaos as a result of the hackers working off a laptop 10 miles away. Greenberg happily unharmed.
This hacking technique, what’s known in the industry as a ‘zero-day exploit’ where a vendor has not had time to formulate a fix, can give an attacker wireless control via the internet to thousands of vehicles.
Well folks, welcome to the internet of things(IoT!
Here’s a simple premise. You purchase the Internet and Online Music option when you speak to the dealer to order the shiny new automobile you’ve had your eye on for the last few months. Sometime later you’re driving along, window down, wind in your hair, but hackers at your controls.
As Miller and Vaselek’s research has proved, this will keep happening if manufacturers don’t address the vulnerabilitiesand security issues inherent with IoT.
Two years ago the pair had carried out a similar experiment with Greenberg but at that stage could only hack the car’s controls by physically plugging their PC into the vehicle’s onboard diagnostic port. At that time Miller told Greenberg, “When you lose faith that a car will do what you tell it to do, it really changes your whole view of how the thing works.”
Well this time round, the exploit was carried out wirelessly and the view has changed.
This is just one type of car but it’s definitely got all automobile manufacturers spooked plus the rest of the IoT industry and has left politicians scratching their heads as to how to deal with this new threat to our digital security. Already in the US two senators plan to introduce new legislation to require that cars sold there meet certain standards of protection against digital attacks and privacy.
The issue is now being addressed by the Open Interconnect Consortium, created last year with the primary responsibility of agreeing and creating frameworks for security for interconnected devices.
The Consortium estimates that by the end of 2020 there will be approximately 212 bn ‘things’ globally installed as part of the internet of things, of which 30.1 bn will be ‘connected (autonomous)’ things.
So as we move to an era of smart cities, intelligent buildings and ever smarter cars, the worry is that for every connected smart device there is an environment and an operating system(however small) that is reliant in some way on user credentials to run certain elements of it. How though do I change the password on my car’s entertainment system? How do I reset the root user password on my fridge? The issue goes on.
Open standards (like internet access) are vulnerable themselves to the software – the browsers and apps - which interacts with them. If security can’t be managed on these devices you’re just one smart geek away from intrusion.
Who cares? Well imagine the Apple Watch as an example.
This is a device that will know 1) who you are; 2) where you are via GPS; 3) What you’re doing via accelerometer and gyroscope; 4) how healthy you are; and 5) will even be able to monitor your mood. Access to this information in the wrong hands or unsecured could have some impact on your life.
What if someone gets access to my fridge? Say goodbye to last night’s leftovers as someone turns the temperature up on it or orders 280,000 litres of milk from your connected Waitrose Online account.
There are companies, including customers of ours, who are working on better protection solutions for Machine 2 Machine communications and the IoT world. However we must all be aware of security when buying any Internet connected devices and there needs to be clear messaging from vendors on how secure those smart devices that they want us to use really are.
Phil Worms is CMO for cloud company iomart, sponsor of the Drum’s Social Buzz Awards.