July 30, 2015
In this episode of The Digital Life, we discuss the Jeep auto hack in which cybersecurity researchers were able to remotely take control of a car’s critical systems, the subsequent 1.4M vehicle recall by Chrysler, and the new bill introduced by Senators Ed Markey (Dem – Massachusetts) and Richard Blumenthal (Dem – Connecticut) to protect automobiles from cyberattacks. Are security and privacy the defining issues for the Internet of Things? Unfortunately, it seems like this incident may be the first of many examples of hacking the IoT and connected environments.
Hackers Remotely Kill a Jeep on the Highway—With Me in It
After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix
Senate Bill Seeks Standards For Cars’ Defenses From Hackers
I’ve seen other video where they’re able to take control of the steering and do things to the brake system, all of this connected software that Chrysler has in their vehicles and has since issued a patch for and shut down this particular exploit.
The idea is certainly maybe not a new one but has not had this level of public scrutiny, which is, as our cars become rolling boxes of technology, they are subject to people being able to do this sort of exploit of events to them and then ultimately wreak all kinds of mischief.
In this case, no one was hurt, of course, but we can see the potential, where the Internet of Things is meeting up with all of the security concerns of being hacked, and it’s really causing quite an uproar. What’s been your take on that exploit, Dirk?
Here, we have this exploit where somebody could take your car and, with the little picture they showed with the article, drive it right into a ditch. You could be killed by a hacker who gets into your device and gives it instructions to take you off path and put you in the way of physical harm.
This is just the beginning. This is going to be a lot more in the future, not less, as the devices are either integrated into us physically. By into us, I’m not talking necessarily about from a sideboard perspective, but just from touching our bodies, or from controlling things in and around our bodies that, if taken in a certain direction, could cause us harm. To me, it’s just sort of a warning sign for something that those of us on the inside have known is coming. This, now, is really showing it to the mainstream and saying, “Look at the potential of what can happen,” and again, it’s just the beginning.
I honestly don’t know what the total reaction’s going to be. Certainly Chrysler was immediate with their recall of 1.4 million vehicles across a number of their different vehicle types. There’s a US Senate bill which was introduced on July 21st by Senators Markey and Blumenthal, both from the New England region, which is technology laden. These guys are immediately calling for security standards, privacy standards, and some transparency around those compliance issues. Car manufacturers in the future, you’ll look and you’ll see, “Oh, we get 70 miles to the gallon, and oh, by the way, we’re hopefully 100 percent compliant with our cyber security and cyber privacy standards as well, as you go around to your car dealer.”
I think it’s an interesting moment for a lot of reasons, because it’s forcing, as you said, this intersection of digital and reality in a very physical and immediate and scary way in an area that’s so important to Americans, generally speaking. How do you see this playing out, especially with this US Senate bill, Dirk?
On a more local level, look, for a long time people have been able to hack into ATMs. That’s a proven, not this big giant government saying, hackers in Siberia, thinking that happened. We have proof of concept of people, in local ways, being able to apply technology to corrupt and undermine physical systems that, in the case of an ATM, it’s “just” stealing a lot of money out of a machine, but if we get into things that are on, around, or implanted in our bodies, the implications can be really, really a whole lot more dire.
Again, going back to the show we did before, on the hacking of the US government, it’s not preventable at a certain level. Coming back and talking, now, about the specific car example that started this whole conversation, there’s way too many fail points. Depending on what the specific application is, or what’s happening, you have a car manufacturer that may have software in this process. You have a device manufacturer, an Apple, or a Google, or one of their Samsung, one of their partners may have software in this process. There may be apps being used within those platforms that additionally have a role in this process.
Then you have the carrier. You have your Sprint. I guess it was Sprint’s network, or maybe it wasn’t the network, but something about how Sprint interfaced with this whole system that was the fail point in this example. You’ve got that aspect, so it’s hard enough to lock an information system like those that the US Government has when you’re talking about all of these different platforms and applications that all present potential vulnerabilities. Holy Cats! It’s a hard problem.
I don’t want to call it unsolvable, but certainly today it’s unsolvable to really, really be able to look the consumers in the eye and say, “This system that’s connected to the internet and makes all these cool things happen for you in the context of this device, and in this case, we’re talking about a car as a device, can’t be hacked. You’re a hundred percent safe. Nobody can crack this.” As long as it’s going out and connecting with external networks, nobody can make that promise, so it’s an eye-opener, that’s for sure.
The automobile hack, while it’s directly related to those kinds of systems, it also portends bad things for systems that have that physical capability of doing harm, as you mentioned earlier. Because there’s often a lot of standard ways for communicating wirelessly, that also means that there’s a lot of exposure for a hack and an exploit that could be warped in one area may very well apply to another if it’s not patched.
It sort of opens up a can of worms, because now we’re not just thinking about our desktops and laptops and tablets and phones. We’re also thinking about all of these other nifty gadgets that are proliferating, whether they’re in health environment or home environment or out on the road. There’s so much great promise to the general Internet of Things, but the security issue is quickly racing to the forefront. It will be interesting to see how the government gets involved in the design of the Internet of Things, because they’re already starting to do that. Then how private industry tries to manage the potential damage caused by the perception and the reality of security being so porous.
Frankly, it’s one thing in the United States. There’s the whole specter of next-generation warfare, and there has been a lot of blame cast on the Chinese, or for groups that are associated with the Chinese Government for hacking into US Government facilities and systems. You can see how cyber warfare could be brought to the next level when you’re talking about hacking into automobiles, so all of a sudden, it’s not just information moving that sort of a negative player would want to act on that information. It could also be physical consequences to that hacking as well, which I think is going to at least be a consideration when we’re talking about cyber warfare in the future.
Like I said, it’s astonishing to me how quickly this moves. A good example of that is our discussions around drones regulation. At the beginning of the year, we were postulating about that. Now it’s very much an issue at the forefront. Same thing with Internet of Things hacking is all of a sudden becoming very, very important. I always think it’s going to be happening in a couple of years, but this seems to have reduced the time line to months. That’s going to be something I’m very interested in keeping an eye on.
If you want to follow us outside of the show, you can follow me on Twitter @jonfollett. That’s J-O-N-F-O-L-L-E-T-T. Of course, the whole show is brought to you by Involution Studios, which you can check out at goinvo.com. That’s G-O-I-N-V-O dot com. Dirk?