The automotive industry is developing new technologies to rush to market fully functioning connected cars with in-built computers to help find routes in a congested city, calculate cost-benefit for fuel consumption per route and analyze car performance and send the information to the manufacturer or insurer. In the next decade, we’ll probably see a fully autonomous, self-driving car, and the industry can’t wait to capitalize on it.
The hope of an IoT wonderland, where everything is connected and runs smoothly, is spreading. But it is an unrealistic expectation — this utopian vision is associated with critical security risks that nobody talks about. It’s like the dirty little secret of IoT; everyone knows it exists, but they don’t do much about it. The smarter a device, the more vulnerabilities it hides, and hackers can’t wait because it makes their job even easier.
What is the price of lax IoT security? Last week at DefCamp, the largest hacking and cybersecurity conference in central and Eastern Europe that takes place every year in Romania, Ixia researchers Gabriel Cîrlig, Senior Software Engineer, and Ștefan Tănase, Principal Security Researcher, taught a good lesson in the risks of connected cars and prospective smart car weaponization. It was as easy as 1, 2, 3 for Cîrlig to hack his own connected car with a USB stick that exploited a vulnerability in the implementation of the SSH protocol to instantly gain access to data on the tiny multimedia computer system from any phone that had ever been connected to it – emails, text messages, voice profiles, contacts, GPS data and vehicle status.
He instantly had access to all the personal information the car had collected and saved. Because too many manufacturers ignore the SSH vulnerability, hackers have abused it for DDoS attacks. Last year, Akamai researchers found a 12-year-old vulnerability in OpenSSH in as many as 2 million devices that hackers abused to attack IoT devices.
Earlier car hacks have even exposed the risk of physical harm, as an exploit allowed the remote hacking of a Jeep Cherokee while the driver was still inside. US researchers Charlie Miller and Chris Valasek ran the experiment to show how easy it was to use the internet to mess with the ventilation system, the windshield wipers or the radio, and even control the brakes to cause an accident, leaving the driver helpless at 70mph on the highway. Following the wireless carjacking experiment, the manufacturer released a patch and withdrew some 100,000 cars from the market.
The point is these devices, no matter how polished on the outside, pose privacy and health risks because programmers don’t build them with security in mind. Data privacy is threatened with each smart device that has our permission to save it into the cloud, but are we the owners of our own data? Someone with malicious intent can steal it for resale to the highest bidder, and exploit it for other illegal purposes. There is also a positive scenario to all this; the hack may be used by law enforcement to get GPS history and other vital information for a case. But still, it has to be regulated because otherwise it still falls under privacy breach.
Ideally, manufacturers, governments and security experts should join forces to create IoT security guidelines. It has already been validated that ransomware can infect smart thermostats, so it’s likely some ransomware variants for smart cars are right around the corner. It could be only a matter of time until they are held hostage in exchange for cryptocurrency. Only two questions remain: how far will hackers go, and are you willing to pay?