Why IoT connected cars need better security
The Dyn Distributed Denial of Service (DDoS) attack that occurred in the late weeks of October this year have shaken the world at its very foundation - it's virtual foundation, that is. The attack was carried out largely using connected Internet of Things (IoT) devices.
Author: Andrew Heikkila
These devices have been built on an infrastructure so obviously open in terms of security that Wired has gone so far as to call the IoT 'wildly insecure,' while others have pointed out that many of these problems could be averted if device manufacturers required users to set a password as a first step.
While Fitbits and DVR bot slaves that spam a network like Dyn's are absolutely a problem, the situation takes a whole new light when you look at bigger systems controlled by the IoT such as your home, or, more vitally, the connected car.
The future of connected cars at stake?
Driverless cars are being tested at the moment, but connected cars are absolutely already here. Kim Komando just reported on the hidden costs of new car infotainment systems, where she warms auto buyers against the subscription services that might be sneakily bundled in with their new car at the dealership. These smart systems include 3G/4G connections and the ability to turn your car into a WiFi hotspot. What Komando didn't mention was that any connection to the internet opens up potential vectors for infection, and need to be secured.
As it stands, a breach in these systems would pose a major inconvenience, and could put drivers and passengers in potentially dangerous situations. However, as our vehicles become more autonomous in nature, that potential for danger grows. Steering, braking, engine operation and management, navigation, and even power will be manipulatable by code, and could put the driver in disastrous situations. Cars that pick up the wrong bit of code from an outside attacker might sound like science fiction, but it's a growing reality.
Beyond Dyn DDoS
Every year, cyberattacks are already cost global businesses and private citizens a whopping $400bn in damages and ransom money. By far, the biggest threat to cybersecurity and, particularly, the Internet of Things, is ransomware.
Ransomware is a type of malware that infects a computer or device, encrypts all of the files on it, and demands that the user pay the hacker a ransom, usually in bitcoin. One of the most famous, (or infamous, more accurately) examples of a ransomware attacked involved Hollywood Presbyterian Medical, who paid attackers $17,000 after its network was locked down for money. The concern is that we could start to see hackers taking over cars for money - or worse. We already know that it's possible to remotely shut off a car while it's on the highway, because last year two hackers demonstrated to Wired that they could. These two hackers caught back up with Wired again this year to demonstrate that it can get a lost worse. From the article by Andy Greenberg:
"...they're now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car's brakes or turning the vehicle's steering wheel at any speed. "Imagine last year if instead of cutting the transmission on the highway [a year ago], we'd turned the wheel 180°," says Chris Valasek. I can imagine. But he spells it out anyway. "You wouldn't be on the phone with us. You'd be dead."
The question of liability
Here's the thing: cars are already deadly. We regulate the heck out of them for that specific reason, which is why it's illegal for you to put yourself at risk by not wearing a seatbelt. In fact, the question of who is liable if an automated car gets into a wreck has been tossed around for a while now, especially if the car is put in a no-win situation. I've even written on it before. But the real question is: who's liable if your car gets hacked? The automaker, for not providing enough security? You, for not buying enough security? In the same way that parents can be liable for teen drivers that get distracted and in accidents, should owners be liable for software that gets corrupted and crashes too? It's a sticky situation.
While many write these situations off as 'one-off' situations, it's hard to leave it at that and move on - and there's an interesting argument to be made here. Let's look at the latest Dyn DDoS attack that occurred. The manufacturers of many of the devices that were hacked actually had security settings on them, but the default user passwords were never changed, easy to guess, and contributed to the attacks. While some companies like Hangzhou Xiongmai may be forced to recall their devices, others think that consumers should share some of that blame for not changing their default passwords. Of course, by not using default names and passwords in the first place, this entire situation could have been mitigated.
Gearing up for the road ahead
Liability is an important question, because if the Dyn DDoS attacks proved anything, it's that the scale of these attacks will only continue to increase. Industry experts the world over have been decrying the lack of security in the IoT almost since its inception, and it's high time that manufacturers started listening. The connected car and later, connected planes, trains, and other automobiles, represent the next step in automation, but also represent higher stakes - ones that will not be as forgiving as Dyn DDoS.
This most current attack can be considered a warning shot to the world, a damaging, but not crippling wake up call that insists on heightened security in the IoT ecosystem. The next attack could make use of much more mobile systems for a much more sinister purpose - and we need to be ready,