In July, security researchers posted evidence that they were able to control various Jeep systems remotely – posting a picture of said Jeep in a ditch after the hackers remotely disabled the brakes. They attacked the entertainment system, which could then connect to automotive systems to control them.
Just yesterday, researchers at UCSD published research showing how they could use SMS messages to take control of a number of different cars, by hacking an OBD2 dongle. These are the devices that rental car agencies and insurance companies use to track speed and other operating conditions of your car.
These kinds of hacks are inevitable for a couple of reasons. System’s become much more complex and difficult to test as interconnectedness increases. Each of the interconnected components needs to be tested, but they also need to be tested as a system to detect anomalies. This is nearly impossible because of the random nature of how people interconnect different systems. Compatibility and interconnectability are great, but we need to consider their effect on security and reliability.
Also, it is difficult to keep all these interconnected systems patched. Many people don’t even patch their PC’s, phones or tablets much less their cars. I have several dozen different devices in my home that all need to be maintained – and some of them get forgotten or otherwise fall behind, even though I’d say I’m much more disciplined about this stuff than, say, my mom, neighbors, etc. This needs to be automated, but then systems testing becomes much more important (and difficult, again, because of the random connections that can be made.)
Finally, as systems age without patches, their functionality can suffer. Even if the other systems they talk to are being patched and upgraded, if the API’s or other interfaces that connect them are not being kept up-to-date, their functionality in such an interconnected system can be reduced.
As we develop IoT systems for our manufacturing facilities or even our customers/consumers, we need to make sure that system security and maintenance are included in the design of the support model – we can’t afford to create systems that aren’t maintained and regularly patched and upgraded. This needs to be considered as part of the cost of these new systems.
What are your thoughts/concerns?