Corvette hack: More evidence that in the race for the IoT, security is not in mind?
In July, this publication reported on the recall of 1.4 million Chrysler cars following an article in Wired in which hackers remotely exploited a Jeep in a controlled experiment, with effects ranging from turning the radio volume to full to cutting the transmission.
At the time, security analysts argued “this won’t be the last patch we see for a car near you”, as well as criticising the move by Chrysler to install a patch via USB stick as “the dumbest move in a long time.”
Now, another hack has emerged, this time one in which a dongle, placed in cars by insurance firms, could be exploited to let hackers take control of a vehicle – in this instance, a 2013 Chevy Corvette. As a video from the researchers at UCSD demonstrates, the researchers could activate and cut brakes, as well as randomly activate windscreen wipers.
The explanation is straightforward; as the dongle connects to the Internet, the researchers could push an SMS message into the vehicle’s internal computer system. While the company which makes the dongles says the vulnerability has been fixed, it again raises the issue of security in connected cars. But does it also focus on the issue of organisations and users rushing too quickly into the Internet of Things (IoT)?
Nicko van Someren is chief technology officer at Good Technology. He argues the Corvette hack is ‘a great example of what happens when you take an interface that was designed for local access and connect it to the wider Internet.’ He explains: “The port was designed in the expectation that only people who could unlock your car and get inside it would have access, so the interface was not built with security in mind.
“Increasingly, in the rush to connect ‘things’ for the Internet of Things, we find devices that were designed with the expectation of physical access control being connected to the Internet, the cloud and beyond,” he adds. “If the security of that connection fails then the knock-on effects can be dire and potentially even fatal.”
Others are nervous about what this means for the near future of IoT. Writing for IoT Evolution, Trevor Daughney, executive vice president of INSIDE Secure, argues that because connected cars are essentially ‘data centres on wheels’, and even the security baked into data centres over the past 30 years is not entirely resistant, a more holistic security approach is needed to prevent future issues, adding cryptography and remote security monitoring to each of the car’s layers.
Ken Westin, a senior security analyst at Tripwire, offers a similarly dire warning. “One of the trends I am seeing in automotive system vulnerabilities is that many of these systems are using networks and protocols designed for cellular and IP networks,” he explains. “These tools were designed to facilitate human to human interaction.”
He adds: “When a phone is compromised there is a potential for data to be compromised, which is an inconvenience. However, when machine to machine communications over cellular or IP networks are compromised, it leads to a kinetic attack that could result in serious injury or even loss of life.”