Our CEO (Adriel Desautels) recently spoke at the Green Hills Software Elite Users Technology Summit regarding automotive hacking. During his presentation there were a series of reporters taking photographs, recording audio, etc. Of all of the articles that came out, one in particular caught our eye. We made the front page of “Elektronik iNorden” which is a Swiss technology magazine that focuses on hardware and embedded systems. You can see the full article here but you’ll probably want to translate:
http://www.webbkampanj.com/ein/1011/?page=1&mode=50&noConflict=1
What really surprised us during the presentation was how many people were in disbelief about the level of risk associated with cars built after 2007. For example, it really isn’t all that hard to program a car to kill the driver. In fact, its far too easy due to the overall lack of security cars today.
Think of a car as an IT Infrastructure. All of the servers in the infrastructure are critical systems that control things like breaks, seat belts, door locks, engine timing, airbags, lights, the radio, the dashboard display, etc. Instead of these systems being plugged into a switched network they are plugged into a hub network lacking any segmentation with no security to speak of. The only real difference between the car network and your business network is that the car doesn’t have an internet connection.
Enter the Chevrolet Volt, the first car to have its own IP address. Granted we don’t yet know how the Volt’s IP address will be protected. We don’t know if each car will have a public IP address or if the cars will be connected to a private network controlled by Chevy (or someone else). What we do know is that the car will be able to reach out to the internet and so it will be vulnerable to client side attacks.
So what happens if someone is able to attack the car?
Realistically if someone is able to hack into the car then they will be able to take full control over almost any component of the car. They can do anything from apply the breaks, accelerate the car, prevent the brakes from applying, kill (literally destroy) the engine, apply the breaks to one side of the car, lock the doors, pretension the seat belts, etc. For those of you that think this is Science Fiction, it isn’t. Here’s one of many research papers that demonstrates the risks.
Why is this possible?
This is possible because people adopt technology too quickly and don’t stop to think about the risks but instead are blinded by the continence that it introduces. We see this in all industries not just automotive. IT managers, CIO’s, CSO’s, CEO’s, etc. are always purchasing and deploying new technologies without really evaluating the risks. In fact just recently we had a client purchase a “secure email gateway” technology… it wasn’t too secure. We were able to hack it and access every email on the system because it relied on outdated third party software.
Certainly another component that adds to this is that most software developers write vulnerable and buggy code (sorry guys but its true). Their code isn’t written to be secure, its written to do a specific thing like handle network traffic, beep your horn, send emails, whatever. Poor code + a lack of security awareness == high risks.
So what can you do ?
Before you decide to adopt new technology make sure that you understand the benefits and the risks associated with the adoption. If you’re not technical enough (most people aren’t) to do a low-level security evaluation then hire someone (a security researcher) to do it for you. If you don’t then you could very well be putting yourselves and your customers at serious risk.