The rapid growth of the “Internet of Things” brings with it a great deal of potential to increase visibility and control of devices and equipment. It also, as has been seen in the news lately, presents opportunities for cyber attacks.
“The Internet of Things is definitely one of the big new frontiers,” Christopher Kruegel, co-founder of cyber security firm Lastline and a professor of computer science at a state university in Southern California, says in a recent Agence France-Presse (AFP) article. “The idea of bridging the gap between the cyber world and the physical world has been around for a while,” he says, referring to fears of possible cyber attacks on power grids, water plants and other crucial infrastructure targets. “Now, these proof-of-concepts show that it’s a real threat. All these devices are out there and reachable, and security is terrible.”
As was reported in Wired magazine and then mentioned almost everywhere, two computer-security researchers demonstrated that—using a laptop computer—they can take control of a moving Jeep Cherokee using the vehicle’s wireless communications system. It took the two men two years’ of research, but they were able to figure out how to enter the Jeep’s electronics via its online entertainment system. They then were able to change the moving vehicle’s speed and braking capability, and also manipulate the radio and windshield wipers. They have, however, kept some of the flaws they uncovered under wraps to prevent other hackers from causing trouble.
After the report, Fiat Chrysler—which makes the Jeeps—recalled 1.4 million vehicles. A free software patch for vulnerable vehicles is now available to patch the software holes. Fiat Chrysler spokespeople say the company had no first-hand knowledge of hacking incidents.
In another interesting development, Harman International Industries, which makes the car radios that the friendly hackers exploited to take control of the Jeep Cherokee, says its other infotainment systems don’t have the same security flaw.
Harman International CEO Dinesh Paliwal said last week on a conference call that the hackers used a cellular connection to get to the radio, which they used to control critical functions such as brakes and steering, an Associated Press article reports. But Paliwal said the radio system that was hacked, with an 8.4-inch touch screen, was developed about five years ago and doesn’t have as many security safeguards as current models.
“We believe—based on our assessment with all other customers we supply our system to—that the Chrysler system is the only one exposed to this particular experimental hack,” Paliwal says, AP reports. “So it’s a unique situation.”
Moving forward, across all industries, the issue is that protecting devices in the Internet of Things is possible, but it also increases costs of smart devices and development time. Given the degree of insecurity in today’s devices, it’s evident that for most makers, security isn’t a priority, IOActive chief technology officer Cesar Cerrudo told AFP.
“We haven’t seen planes drop out of the sky or cars run off the road—that we know of—but these are the issues we face,” Cerrudo says. “Real world hacks are coming.”
Kruegel from Lastline agrees, noting that lack of a profit motive for hackers with the right skills to commandeer control of airplanes or cars is considered a prime factor for the lack of incidents so far.
“The guys who can do it don’t have an interest now,” Kruegel says in the AFP article. “But, when you get the bored kid or the person who likes to create havoc, there will be a problem.”
What’s more worrisome, are concerns about cyber attacks targeting critical infrastructure of the U.S., such as electrical power grids, gas lines and waterworks. Then again, concerns regarding cyber attacks—or at least the possibility—targeting airplanes or cars are troublesome as well. The question then becomes, how will companies, and even industries, improve security to guard against cyber attacks?
What are your thoughts?