Hardly a day goes by without some news on the Internet of Things (IoT) and frankly it is exciting to imagine a world where we can control literally everything from a smartphone. Or is it. Perhaps there is a contrarian viewpoint that we need to consider since it is all too easy to get swept along with the relentless advancement in connected devices that we are experiencing. Someone recently stated that the development of IoT is equivalent to the Industrial Revolution and they might be right. Historians will tell you that countless people suffered and died during the Industrial Revolution, and society as a whole paid a hefty price, all in the name of progress. Could anyone argue that it was ultimately worth it, and are we entering into a similar phase? What concerns me is where security sits within the grand scheme of IoT. And does it? I have my doubts.
The Genie is out of the bottle
Of the many technological advancements we are witnessing, an article that caught my attention had the following headline “Apple Watch will soon control your Volvo”. Volvo has built an Apple Watch version of its On Call connected car platform, which originally provided safety and location services in case of accidents and breakdown, or even theft. The Volvo app will be available at the end of June, with an update that allows navigation information to be sent to the car from the Watch. Other carmakers including BMW, Mercedes and Porsche will follow soon with similar Apple Watch apps. So the genie is out of the bottle - lose your Apple Watch and someone else will be controlling your car.
This sounded interesting enough to warrant further investigation and what I discovered surely requires the security industry to take notice of where we are heading. The Los Angeles Auto Show launched the Connected Car Expo as recently as November 2013, serving as an open forum, to discuss and debate the challenges and issues companies are facing in this evolving market. Furthermore on January 6, 2014, Google announced the formation of the Open Automotive Alliance (OAA) a global alliance of technology and auto industry leaders intent on bringing the Android platform to cars starting from 2014. The OAA founding members were Audi, GM, Google, Honda, Hyundai and Nvidia, and now include an additional 40 companies, although for some reason not BMW or Mercedes, possibly because they use another platform. The starting gun has been fired!
Connecting your car to the internet
There are many plausible uses for having full remote control over vehicles, and science fiction is rapidly becoming reality. Some of the applications include fleet management and control, location of stolen vehicles, pre-programming journey routes as well as emergency assistance in the case of accident. But since car manufacturers foresee vehicles becoming mobile ecommerce platforms (iPhone on wheels), we can soon expect location-based ads appearing on our car dashboards, such as where the nearest Starbucks is or where to buy fuel once the car realises that your tank is close to empty, perhaps with a voucher for a Whopper. Of course there are other concerns too, including the real possibility of distraction whilst driving. A quick glance at people in any social situation, whether it be walking down the street or at lunch tells you that your mobile device is the primary point of attention, and this could easily happen in a vehicle. Some high-end vehicles now have built-in heads-up display units factory fitted, and is this the next big wave to hit us following on from after-market satellite navigation systems? Check out Navdy (www.navdy.com) to see what I mean. UX designers and safety campaigners are already getting worked up about how many accidents will result from the rapid deployment of these devices, however I am more worried about the first hack that sends you down a blind alley, or worse still, starts collecting personal data about your driving habits. What will happen when Vinli (www.vin.li) begins to gain traction? This is a nifty little device that plugs into your car's OBD II port, which is a USB-like data interface conveniently provided as standard on all cars since 1996. Suddenly your car and all its critical systems are accessible via the Internet through an embedded 4G LTE service, along with multiple apps. According to the company more than 1,000 developers are now building apps and there will 20 available on launch followed quickly by another 100. The most interesting comment from the company can be found on their website “Installing Vinli is as easy as plugging a USB drive into your computer. Just insert it into your car’s data port, located under your dash. You’ll be using Vinli in seconds.” Hasn’t the security industry spent the last 10 years trying to lock down USB ports? I can imagine Vinli type devices being distributed as swag at trade shows just like USB keys.
Cyber attack susceptibility
There are several reasons why we need to take this seriously, mostly because connected cars are like an iPhone on wheels, and consequently susceptible to all of the same issues we face on a daily basis with computers. But let’s not forget that cars are big hunks of metal and when not in control, can do a lot of damage. BMW recently admitted that its ConnectedDrive platform had been hacked by researchers, who took control of the air conditioning and door locks. Could they have also played with the brakes or engine management system? This has been proven although not necessarily on a BMW. Given that Gartnerpredicts there will be more than 250 million connected cars on the roads by 2020, that makes for one heck of a big mobile botnet!
This picture shows how complicated cars have become and how interconnected the systems are.
Who is looking after the user and ensuring that none of the systems becomes a weak link in the chain? Are the car manufacturers implementing security assurance and oversight programs? Do they regularly conduct security audits on the source code of the systems and do they have an effective vulnerability assessment program in place? Perhaps what is needed is the equivalent to the PCI and OWASP compliance guidelines, but aimed at the vehicle industry. This would not be an easy program to establish, nor would it happen over night. We know that compliance only works when it has teeth, and is backed by regulation, hefty fines or some other form of penalty that causes companies to view it as more than just a cost of doing business. Tesla recently visited DefCon to hire some hackers, presumably to assist with its security effort, and to make it really interesting, the company even maintains a public security researcher hall of fame. Perhaps Volvo may become a leader given that people often buy their first Volvo because it has a reputation for transporting our children safely. And to be fair, many of the physical vehicle safety innovations were designed, developed and pioneered by Volvo.
Security as part of an industry vision
Where is this going to take us? More often than not, businesses are driven by profit and only invest in safety innovation when required to do so, either by governments, peer pressure or customer demand. We know this because safety studies in developing nations continue to show the dreadful outcome of not wearing seat belts or tolerating drinking and driving, so we should take this into consideration when thinking about how to avoid the consequences of insecure connected vehicles. And if we think even further ahead, what happens when driverless cars start to appear on our roads? Based on recent reports, serious trials are about to start on public roads. This also raises concerns about physical safety, since the systems, perhaps running in the cloud, controlling and coordinating the vehicles are all prone to intrusion and failure. If the US government can’t keep its personnel records secure, what hope is there for a car manufacturer? It does bring to mind that classic scene in the original Italian Job, when Benny Hill, as the mad professor, manages to replace the magnetic tape on the mainframe computer to reprogram all the traffic lights in Turin. Who ever wrote the film script in the late ‘60s had a moment of brilliance, because they foresaw exactly what could happen, only on a less grandiose scale given that the traffic in Turin normally flows at a crawl anyway. But it should nevertheless provide some comic insight into how bad it could get. I can imagine a caravan of connected cars being hacked to keep going round most major roundabouts in London, with little that any law enforcement agency could do.
Privacy campaigners have their hands full debating about how our most personal of information is being sold to the highest bidder and even Tim Cook of Apple is telling the world that he believes in keeping our data private. Your car could tell so many stories if only it could speak. But wait, perhaps it soon will be able to do so, only not quite as we had ever expected. We already know that vehicles with Internet enabled platforms are sending a plethora of information back to the manufacturer, and thankfully they are not yet doing much with the information. But this is going to change rapidly. Could there come a time when more money is made from the sale of private data as opposed to the initial car purchase? Now that is worth thinking about for a few minutes, because if you follow me, as an industry we need to change how we consider the security of connected vehicles, as we have seen it all before.
All of this is of course speculation, but what we do know is that the Internet of Things is here to stay and connected cars are becoming a common sight on our roads. We will see innovation occur much faster than ever thought possible as the ubiquity of fast networks collides with the availability of high-powered software. The supporting hardware is ready and waiting. I would subscribe to the view that the security industry has both an obligation as well as a huge opportunity in our midst. As usual it will not be the large companies that provide the innovation. It will be left to an entrepreneur with a vision to save the world.