IoT connected vehicles are designed to make our lives easier—but is the security risk worth the reward?

In previous OpenStand posts, we have discussed the proliferation of Internet connectivity into every aspect of our daily lives as we approach a new “Internet of Things” (IoT) era. As we fill our homes with more and more networked devices that are capable of relaying information to anywhere in the world in an instant, the importance of cyber-security becomes more and more apparent. If the need for consumer vigilance was not already high enough, the IoT has begun to spill over from work and home to new territory—our commute—and our cars.

Internet connectivity and the ability to connect our mobile devices to the dashboard have delivered many features that car owners find helpful, from specially curated music playlists to turn-by-turn navigation. However, as useful as these new capabilities may be, they can also create security vulnerabilities.

The exploitation of such vulnerabilities made headlines last July when two cybersecurity researchers found that they were able to remotely attack a Jeep Cherokee that was equipped with the proprietary Uconnect system. The Uconnect system, which had been installed in as many as 471,000 Chrysler-FIAT automobiles by the time of this attack, connects to the Sprint cellular network to enable many different features in the car, including remote ignition.

The researchers discovered that by obtaining precise location and vehicle identification information, they could attack the car’s critical systems via its IP address, including turning off its brakes, affecting steering and transmission controls, activating windshield wipers, and taking control of its vehicle information and entertainment systems. They could also take control of the steering of the vehicle in reverse.

Though it may sound like a plot device in a movie, Fiat-Chrysler responded to the researchers' discoveries with utmost seriousness and quickly deployed a security patch. While their response was timely, a serious problem remains. There is no guarantee that all affected vehicle operators have applied the patch, especially since it must first be downloaded to a USB drive and then installed manually, or initiated in a dealership.

While the Uconnect vulnerability may be the most dramatic example of the dangers of poorly secured IoT capabilities in vehicles, it is far from the only example. Other researchers have demonstrated that by sending precisely coded text messages to a USB dongle plugged into the dashboard of a 2013 Corvette, they were able to engage the vehicle’s windshield wipers and even disable its brakes. Wired reported last year that these sorts of dongles represent a myriad of security issues since they are configured to accept commands via text message.

To add to consumer consternation, it does not appear that any standardized security protocols for IoT devices will have significant industry impact in the immediate future. Industry experts have suggested that the sort of cooperation required to author such standards will likely not manifest until at least 2017.

That is not to say that there is no interest in making cyber security standards a priority. Already there are many alliances and consortiums that have crafted competing standards concepts and models. Such organizations include the Industrial Internet Consortium, the AllSeen Alliance, the Open Interconnect Consortium, the Object Management Group®, Thread, and HomeKit.

In the meantime, consumers would do well to research their purchases carefully. As we work together to promote open standards for security, we make the web (and the road) a safer place.
