BMW recently announced that it had to patch some of its new cars to fix a security flaw that affected its ConnectedDrive software.
This flaw became apparent after German researchers demonstrated how they could spoof a mobile signal, intercept all the communications, and gain access to the car’s computer system.
In order to patch the flaw, BMW enabled the secure Hypertext Transfer Protocol (HTTPS), which essentially adds a security layer to the standard HTTP to encrypt the communications. Although this solves one of the problems and the communication is now encrypted, it is important to note that the traffic can still be intercepted.
Many IT professionals are baffled as to why BMW engineers didn’t encrypt everything and assume that no network is secure – a basic information-security step – but they shouldn’t be surprised. With consumer demand at an all-time high, and software developers being pushed to release new software with the most up-to-date features, it seems that security is taking a back seat.
As more and more devices connect to the internet, it’s important to remember that security needs to be one of the main considerations, and not an afterthought like in the case of BMW’s ConnectedDrive software.
If you install Java on your computer, you will be greeted by a nice splash screen from Oracle telling you how 3 billion devices now run Java, which can include phones, parking meters, ATMs, set-top boxes and more. Leaving aside the fact that Java is responsible for a high proportion of security patches, the wider trend is that we are seeing more insecure connected devices.
The topic of cars is covered a lot in the media today, especially with new developments, such as the ‘connected car’. Although security flaws have been pointed out in connected vehicles, it is worth remembering that cars do not have to be connected to anything to be vulnerable.
In 2010, Yoshi Kohno, from the University of Washington, demonstrated that a car could be compromised by injecting malicious code via an audio CD or the radio signal received by the car. His team were able to completely take over all of the on-board computers in the car and by doing so could track its location, listen to conversations and even apply or disable the brakes.
The main issue is that all these on-board computers are connected within the car. They all run software, which, even with the best will in the world, is vulnerable. The car radio is not a transistor radio any more; it is a computer that uses a piece of code to decode the radio signal and play music – this is vulnerable.
By getting someone to tune into your station you can own their car – in much the same way that spyware gets you to go to an infected website to infect your computer.
Car manufacturers in particular should know better than to leave things to chance. They are dealing with people’s lives every day and already have very robust test models and threat models to trial their cars’ safety features.
If they can create lights that shine around corners, and cars that drive themselves and deploy lifesaving equipment in the event of an accident, surely they can secure the on-board computers in their cars?
If they don’t get their act together, imagine what could happen. We have seen Sony’s PlayStation and Microsoft’s Xbox Live networks taken down as a result of huge distributed denial of service (DDoS) attacks recently. Imagine if a group of attackers were able to infect all cars of a particular manufacturer in London and the malware activated itself when the car got to a specific location or went above a certain speed.
By doing this, the hackers could then ensure that one day in London all the cars stop. No one knows why, traffic comes to a standstill, buses can’t move and the city grinds to a halt. Then the new hacker group tells the media they did it and unless the car company pays them lots of money they won’t re-activate the cars.
Will it take a circumstance like this for manufacturers to get the message? Imagine the economic impact, the political fallout and the consequences for that car manufacturer.
The message to car manufacturers is to get your act together and secure all your software and software developers – take your foot off the pedal, slow down and build in security from the start.
Sourced from Gary Newe, F5 Networks