In this series of blogs we examine all topics under the information security umbrella. From corporate blunders to rogue state attacks to the occasional celebrity hack, we believe there is something for businesses and individuals to learn from any cyber security event. We also believe that, while experience is the best teacher, it’s even better to let other people make the mistakes for you.
Maybe you’ve heard by now that this whole “internet fad” doesn’t seem to be dying down anytime soon. Quite the contrary, in fact. Connectivity is an increasingly important part of our everyday lives, so much so that now companies are looking to further integrate it by networking our physical world, as well. Much like how the global introduction to the internet seemed like science fiction to many people at the time, this new endeavor of creating The Internet of Things (IoT) has people similarly awestruck. Whenever a new layer of technology is introduced into the world, though, there seems to come with it a host of unforeseen or unprepared-for challenges. It turns out that networking our every last possession is rife with such challenges. Color me shocked.
All the Things
The Internet of Things is set to leave no area of our lives untouched by the “intelligent” label that any inanimate object can garner once it has become connected. The IoT is encompassing everything from refrigerators that can order more groceries from an AmazonFresh account to space-age end-caps for bat/club/racket sports that provide immediate data feedback and swing corrections right to your smartphone. But how does a connection for every object impact our security? Apparently, that impact is only barely beginning to be calculable, but for one company the cost is potentially crippling.
Not Like a Rock
Well, maybe falling like one. This week we saw Fiat Chrysler Automobiles (FCA) hit with a record-setting $105 million fine stemming from a National Highway Traffic Safety Administration (NHTSA) settlement over disturbing news about some of their vehicles’ on-board computers. By exposing how two hackers can access a vehicle through its “head unit,” or basically the car’s internet-connected brain, a Wired article set in motion the events which led to the auto giant’s troubles. But the problems don’t stop with just a simple fine. After quickly announcing a patch for the vulnerability in their cars’ head units, FCA had to hit the bargaining table with the NHTSA to very quickly find a solution to their little problem. That’s because the software update has to be manually installed with a USB (download the software update here) or by a dealership service agent. Oh, and also because the IT crusaders who exploited the weakness plan to publish portions of the code they wrote at the Def Con Hacking Conference next week. Better get moving, Detroit.
The good news, and I swear there is some, is that if you’re one of the owners of an affected Dodge or Chrysler vehicle, then part of the settlement with the NHTSA is for FCA to also buy back the balance of the cars not yet up-to-date with the software patch. But seriously, what kind of real sense of security does this leave you with your new car, regardless of the make or model? With more technology trickling down from luxury automobiles into all trim levels, we’re likely to only build our number of access points (read: vulnerabilities) with each new model year.
Doom & Gloom For Improvement
Just like Chicken Little proved to us way back in the day, things are never as bad as we initially fear they will be. Elvis Presley and The Beatles didn’t portend the End of Days, and neither did the Mayan Calendar. I’m going to make a stand here and say that the IoT isn’t going to completely destroy our lives, either. What is going to happen, though, is that people are going to need to more conscientiously design systems that can bring really cool Jetsons-caliber features into our lives but that have Skynet security clearance. Wait, maybe they shouldn’t design it just like Skynet, but you get the picture.
So go ahead, buy your fancy new spatula that knows when you’ve whipped the batter enough to start sampling it for “quality control” and don’t be afraid it will actually become sentient and poison you and empty your bank account. That’s like 99% unlikely to happen. What you should do, however, is make sure you’ve thoroughly read about the capabilities of any connected device, how it links and communicates with other devices and the internet, and perhaps most importantly, follow the manufacturer on Twitter or through an RSS feed. After establishing solid password protection habits, one of the best protections for your personal or digital safety is simply staying informed. Just like FCA proved, oftentimes these threats are ones that can’t be predicted until they’re discovered, so it’s best to be ready to act fast if and when they are.
That’s it. Good luck out there, and remember to protect ya neck!