The danger of infosec ignorance in IoT

Hackers taking remote control of our cars is a frightening prospect for many of us, but what are the real risks and what should we do about them?

Last week two security researchers used a feature in the Fiat Chrysler Jeep called Uconnect to hook in through the entertainment system, jump to the engine management system and issue commands that affected the car’s engine, breaks and steering.

Valasek told Wired "anything that connects to the outside world is an attack vector, from my point of view".

The point Valasek is making needs to be considered in as wide a context as possible, given the massive push across industry to get as many products and services connected online and reporting to everything else as possible and as quickly as they can.

Being connected is the new ‘value proposition’ that manufacturers are jumping on. The so-called internet-of-things (IoT) will connect our fridges to our microwaves, to our online shopping accounts, to mobile technicians who can fix it before we even know it’s broken, ensuring it’s running smoothly before our groceries on a truck that’s tracked by a smartphone app.

What an amazing ecosystem, right?

A couple of weeks ago we heard about a plane being hacked during an internal flight within the US. A security researcher made his way through the entertainment system and managed to make the plane fly sideways for a short period of time.

In this case, the flight systems were designed by Panasonic and Thales, two companies that have loads of experience in delivering security-focused services and products..

But Thales’s flight-control solution still contained security vulnerabilities that could be hacked.

If my experience working alongside Thales in the past is anything to go by, these guys really know how to design secure systems, so how could this have happened?

The simple fact is that no system is totally secure. Every time we touch technology there is some level of residual risk in that system that could potentially lead to an adverse impact on our lives.

Even the most rigorously designed and tested government network can potentially be hacked, as can our bank accounts, home computers, smartphones, work networks, and now our televisions, cars and planes.

Why is the problem seemingly getting worse?

There are really two issues that need to be addressed.

Firstly, a few months ago (ISC)² reported [pdf] there would be a global deficit of 1.5 million security professionals in five years.

This is potentially a huge problem given the growing frequency of cases like the Jeep and plane hacks. These experts are those we are relying on to ensure the likes of Fiat take information security seriously and realise the risks of not doing so.

We need to find new and enticing ways to attract talent into our profession, potentially through apprenticeship programs, collaborations with TAFE colleges and universities, and accelerated professional training programs - and even starting as early as primary school.

The second and more difficult issue to deal with is the problem of companies simply being ignorant of security issues.

Have car manufacturers ever had to care about information security issues before? Do fridge or microwave manufacturers building wi-fi and control systems into their products even consider they could be used as attack vectors in the home?

What if a glitch in fridge software makes dozens of the same order to your supermarket, racking up hundreds of dollars of unwanted orders on your credit card? Who, in this case, would even be liable?

So while the skills shortage is a massive issue that needs to be addressed, security ignorance is an even bigger problem for companies looking to jump on the IoT bandwagon.

As long as the media keeps highlighting cases like the Jeep hack the message may just sink in: risk is inherent in everything we do. It's imperative this risk is evaluated and the repercussions of ignorance and inaction are made clear.