Right out of a Sci-Fi episode plot, news travelled fast a few weeks ago when two benevolent hackers showed the world they could breach the computer systems of some Fiat-Chrysler Automobiles (FCA) vehicles using the UConnect system, and remotely control the car’s operational features. According to a recent blog in Forbes, the two hackers – Chris Valasek of IOActive and Charlie Miller, a former NSA staffer – believe that more than 471,000 cars are vulnerable to attack.
Forbes reports Valasek and Miller “were able to create attacks that could connect to that system, jump over to a chip powering the in-vehicle entertainment and rewrite the firmware on that little piece of hardware. From there, their exploit code could send commands across the car, from killing the brakes to shutting off the engine and playing with the steering, as shown in a video on Wired. It’s total car compromise.”
Setting aside the controversy around the merits of the dangerous live demonstration, Fortune Magazine points out, “automakers are, right now as you read, shipping increasingly connected cars to market that perform pitifully in terms of security. Their critical, internal electronic systems are not adequately isolated from one another. Their code has not been vetted to an acceptable degree by penetration testers. They are open to attack.”
The FCA solution is to mail out USB sticks with a patch to owners of affected automobiles. According to Carl Leonard, principal security analyst at Raytheon Websense (as reported in NetworkWorld.com), “The decision of Fiat Chrysler to mail out USB sticks to customers directly to patch the recent vulnerability is the security equivalent of waving a red rag to a bull … [Hackers] could, for instance, parody the update with a bogus letter and USB stick of their own, allowing them to launch a multitude of real-life threat scenarios, including crashing or stealing the car.”
Leonard also questions the wisdom of letting consumers do their own update: "This doesn't even take into account the uncertainty that the USB patch has been applied properly without any negative consequences for the safe operation of the vehicle."
In addition to the USB mailer, FCA has also provided a patch that’s available for consumers to download online. The company created a website where consumers can enter their Vehicle Identification Number (VIN) and then download the update. Unless consumers take their vehicles to a mechanic, they are required to perform the patch upgrade themselves. There are basic instructions on the site, but for less tech-savvy consumers, it might prove easier and safer to go to a local dealer.
The recent Jeep hack is just one example of how the Internet of Everything may be moving past the point of no return. Consumer products, from cars to refrigerators, are adopting Internet technology not only to connect consumers to the on-demand services they are becoming accustomed to, but also to collect data on consumer behavior.
As connectivity accelerates, there is real concern about the ability of manufacturers to keep up with the Internet of Everything. For example, in February, well before this FCA hack, the Associated Press reported, “Automakers are cramming cars with wireless technology, but they have failed to adequately protect those features against the real possibility that hackers could take control of vehicles or steal personal data, a member of the U.S. Senate is asserting.”
While the Jeep hack received media attention recently, the safety concern goes well beyond the automobile industry, and affects many products consumers may not realize are connected to the Internet.
If we are indeed past the point of no return and everything will be connected, we need to move beyond thinking of technology as just our computer, laptop, and smartphone. We need to ask how these consumer manufacturers will ensure our data is safe as they develop new, connected products. We can assume connection to the Internet is more important than ever, so businesses and consumers alike will need to understand and implement data security best practices. Your organization’s IT Team (and even your auto mechanic) needs to be comfortable dealing in a connected world, anticipate potential security risks associated with being connected using the newest technologies, and understand how using legacy, disconnected hardware may put your business at risk.