We all remember the landmark Christmas 2013 Target uber-breach as if it were yesterday. Between Thanksgiving and Christmas 2013, criminal hackers potentially gained access to some 40 million Target customer credit cards. More than 100 million people could have been affected and as many as 60 million may have had personal information accessed.
A security blogger broke the news along with allegations that Target was hiding the bad news from vulnerable customers after Target executives reported the breach to the Department of Justice and the company discreetly hired a forensic investigator. The quiet approach in this case didn't work.
Predictably, news stories said that Target had failed to act on warning signs that a major breach was imminent. According to Target, few serious instances of fraud have been reported, but customers panicked when they realized that some cards may have been sold on the black market. Target's profits dropped almost 50 percent from the same time the previous year while angry customers lashed out at the company's customer service hotline's perpetual busy signal.
Despite the noise and serious consequences of the Target breach, hacks in the retail industry continued. Home Depot suffered a data breach in 2014 where attackers stole 56 million credit- and debit-card numbers plus 53 million email addresses. According to TechTarget, after an insurance reimbursement of $15 million, the data breach cost Home Depot $28 million. Other retail companies have faced breaches on a similar scale.
Flash to today, different industry, same implications. Several weeks ago wired.com reported a Jeep Cherokee had been hacked and taken over by hackers with the driver inside. A security flaw in a cellular-connected computer served as the entry point that they could wirelessly hack into the Jeep over the internet to hijack its steering, brakes and transmission. And as with the Target scenario, the fall out in the automobile industry continues. The next day we learned Chrysler recalled 1.4 million vehicles for a potential IoT bug fix. We’ve also learned Chrysler faces another inevitable punishment: a potentially massive lawsuit.
Next, two researchers found that they could plug their laptop into a network cable behind Tesla’s Model S driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.
Subsequently, researchers demonstrated their proof-of-concept attacks on a 2013 Corvette, and can use text messages from a mobile phone to mess with its windshield wipers and both activating and cutting its brakes. The use of those vulnerable dash gadgets could extend beyond consumers, too. An executive order from the White House in March called for federal agencies with fleets of more than 20 vehicles to use telematics systems whenever possible to improve vehicle efficiencies. That could mean many thousands more government-owned cars and trucks using Internet-connected dongles in the near future. In fact, Gartner Says By 2020, a quarter billion connected vehicles will be on the road.
I believe the automobile industry is facing even a bigger fall out than the Target breach caused in the retail industry if immediate action is not taken. With car breaches, it could be physical safety and lives on the line, not just financial well-being. And yet cars are just a small part of the IoT market. Gartner estimates there will be over 25 billion connected IoT devices by 2020, many with implications to physical safety and peace of mind. So how many more scenarios will have to play out before IoT security becomes a budget line item, not just an afterthought?
What is the IOT connected car problem and how can it be solved?
In any modern car, there is a series of increasingly powerful computers all connected to each other on several networks. These networks are consolidating, so there are connections among all information systems, such as satellite navigation, Radio Head Unit, controls systems (ECU, Transmission), and safety features (ABS Brakes, 4WD, Tire pressure sensors, lights). They are all increasingly interwoven with each other. When you add cellular, WiFi, Bluetooth, NFC — and any number of other connections outside the car — you have now moved from having the old, standard access to a car — via the diagnostic port in the dash — to a connected wireless machine that can be hacked, possibly from anywhere.
Basically, the modern car has become a datacenter on wheels, but without the perimeter defenses that have been built into the traditional data center over the last 30 years; not to mention that we know even these are not exactly secure. In other words, security has been left to the individual components in many cases, sometimes relying on basic hardware authentication, but rarely has anyone thought about the interaction of thousands of lines of software code in these components.
The problem must be addressed by a more holistic security approach, which involves more than hardware security, which, while strong, can’t run an entire ECU or ABS Braking system inside the secure chip. Also, these things have to communicate outside the perimeter at some point in order to function at all.
What to do: Instead of attempting the very expensive or nearly impossible task of starting from scratch, car manufacturers must ensure that all the individual executables that are written for each of the devices in the car, including the entertainment system, are secure.
#1 — Add cryptography to ensure that communications and authentication between software inside a device and among devices are authenticated (signed), and ensure that software is only allowed to run in the manner designed by the coder.
#2 — Add in remote security monitoring to alert if there is a software or network breach. (Note: This means you do not have to rely on trying to create white-list/black-lists for known attacks because the bad guys are always a step or two ahead of developers — and it’s an arms race that has never yet been won in anti-virus markets.
In other words, the car network has to be treated in the way that the mobile payment folks are treating mobile phones, the way the retail industry has responded to the Target breach – they are facing a potentially hostile environment, and must act accordingly. Developers must anticipate and bring best-fit security to the fast growing Internet of Things market by addressing the need for authentication, secure communication, information protection and user privacy.
Trevor Daughney is Executive Vice President at INSIDE Secure. Prior to joining INSIDE Secure, he was Vice President, Marketing at security and compliance software vendor Actiance, and Senior Director, Global Enterprise Product Marketing at Symantec. He has an MBA from the Haas School of Business, University of California Berkeley. A native of Canada, Trevor studied at Queen’s University where he holds a B.A.H in Political Science.
Edited by
Peter Bernstein
