Face It: The World Is a Hacker’s Playground
Consumer Reports said the 1999 Protege had “all the verve of a BMW but at half the price,” but that isn’t the best reason to buy a 16-year-old car that has seen better days. All the junkers in used car lots don’t have GPS-enabled devices, smart dashboards or any Internet connection to the outside world.
That may actually be an advantage over a 2016 model — the so-called “smartcars” — with all the bells and whistles that automobile manufacturers are falling all over themselves to introduce to consumers.
A Wired Magazine story in July where “good guy” hackers were able to track and then remotely take over a Jeep Cherokee from a laptop miles away made a huge splash. The harrowing story had a willing guinea pig drive down a busy city street while two researchers demonstrated how they could take over the car from the comfort of their own home.
The Internet was developed back in the 1970s without a thought for security. That’s why we’re in a mess today with almost daily stories about massive hacks.
And we haven’t learned any lessons. Security experts continually say that computer-enabled systems need to be developed with security in mind from the get-go — built in from the ground up — but that isn’t what’s happening.
The researchers who hacked into the Jeep shared their discovery of the zero-day vulnerability — a previously unknown security hole in software — with the manufacturer. A couple days after the story appeared, Fiat Chrysler had to recall some 1.4 million models to put a patch on the software. Days later, GM had to patch its OnStar software after another researcher was able to remotely intercept messages and unlock the car. These were so-called white hat hackers — the good guys. Who will be the next to find new security holes?
Making less of a journalistic splash was a brief in the May issue of National Defense where University of Virginia researchers with funding from the Defense Department hacked into and took control of driverless vehicles. This is of great concern to the military as it plans to drive, fly and sail myriad robotic systems in the coming years.
Smartcars are just one example of the so-called “Internet-of-things.” Refrigerators, home security systems, baby monitors and thermostats are all becoming connected to the web. Along with the mini-computers everyone is carrying in their pockets — smartphones — the entire world will soon become the hackers’ personal playground.
Why security remains an afterthought for all these systems is a headscratcher.
“There are a lot of companies that are building [Internet-of-things] devices and security is kind of second, third, fourth, fifth, sixth task down that gets looked at,” Jackson Shaw, senior director of product management for Dell’s identity and access management division, said in a recent interview.
“The person who’s building whatever the device is — whether it’s an Apple Watch or a thermostat or an HVAC system of some nature — they’re not thinking about security in the context of the enterprise and the context of the government,” Shaw said.
Human nature must be taken into account. There are those among us who have an inner need to make money through illegal means. Since time immemorial they have searched for any vulnerability they can find in order to steal.
Today’s computer-enabled thieves look for any advantage to make a buck. VIPs might have important information worth stealing. Ordinary people may only have cash, jewelry and electronics.
Bill Evans, senior director of project marketing at Dell Software, knew of one man who had an Internet-connected camera in his apartment installed so he could keep tabs on his cats. Checking it three times one afternoon would be enough to tell a criminal that it’s a great time to break in. The victim may never figure out that it was the hijacked camera that tipped off the thief.
This has huge implications for the military and those who work in the intelligence community who have secrets worth keeping.
Sabotaging a car and making it drive off a cliff is horrific, but spies don’t want their intrusions to be known.
Being able to track a car traveling in Northern Virginia to the CIA’s well-known turnoff on the George Washington Parkway could blow a cover. It makes espionage much easier, especially if the spy never has to leave the comfort of his Beijing cubicle.
Vulnerable “smartcars” with GPS data could be monitored over time to plan a kidnapping or terrorist attack.
Working from home, remotely, or from branch offices that aren’t as well secured as a company’s headquarters, creates more vulnerabilities, security experts said.
“You don’t want to comingle this [Internet-of-things] stuff with your enterprise or agency information. That’s just bad business right now,” Evans said. IT and security personnel need to go to consumer electronics shows and educate themselves on the Internet-of-things because it is ever changing. “They can’t be bringing these video cameras in to look at their office to see if anybody came in and drank [something] from their refrigerator.”
Soldiers outfitted with health monitors and telemetry data is another concern, Evans said. “If somebody notices 100 or 1,000 of those going from the United States to Europe, that would be great information for somebody in North Korea to know and they could prepare for it. But you may never know that they got that information by watching these things be activated.”
For now, it’s a hacker’s world. We just live in it. So the smart thing might be to hold onto that “dumb” 2007 car for a few more years until all this gets sorted out.