The Internet of Things (IoT) is already affecting nearly all aspects of life, and it’s just getting started. Some of the most promising IoT applications occur in the auto industry, but as technological innovation outpaces security, millions of Americans’ physical safety is put at risk.
Cars can already parallel park themselves, steer you back into your lane if you start drifting, and automatically slow down if you get too close to the vehicle in front of you. More and more cars are being controlled by computers, not humans. It’s not hard to envision cars of the near future with the capability to drive from one place to another without a driver’s interference. You can relax while your car uses sensors to avoid obstacles, accesses the Internet to check traffic patterns, and checks your GPS to make sure you’ve arrived at the appropriate destination. (The in-dash espresso machine is an optional feature.)
This car of the future has a major flaw, though: security. The auto industry needs to convince me that the onboard computers in my car are secure. I don’t want to ride in a car that a hacker can steer into an oncoming semi or direct to the wrong location. Companies have been integrating computers into cars for over 15 years, and typically the entertainment and safety features are also integrated. For most cars, this means if you can compromise the car’s entertainment system (or espresso machine), you can also access the car’s critical functions. The Internet presents many opportunities for breaches of information security; without proper safeguards in place, the rise of the Internet of Things will put our physical safety at risk in our cars, in our homes, in hospitals, and through the public infrastructure.
I Am The Cavalry, a global grassroots movement that focuses on issues where computer security intersects public safety and human life, recently petitioned automakers to acknowledge this very real threat, accept security researchers as allies, improve the visibility of automobile cyber safety programs, and start preparing now to avoid the possible dire consequences. Their five-star automotive cyber safety program is forward-thinking and compelling: I Am The Cavalry wants auto manufacturers to ensure the public’s trust by building cyber safety into the software development lifecycle, incorporating security research to root out flaws before they can be attacked, capturing evidence to secure proof if a breach does occur, allowing secure updates in the field, and physically and logically isolating the critical systems from the non-critical systems. These information security precautions are very similar to the measures (ISC)² advocates for application security through our CSSLP® certification.
The biggest downside of increasing security measures is the loss of privacy. I Am The Cavalry notes that their call for evidence capture will be the tenet that will take the most effort to implement, and any “black box” technology used for the purposes of logging and collecting evidence will have to be sensitive to privacy infringements. I think the delicate balance between the elaborate privacy concerns and the need for increased security will cause the greatest number of objections to this petition. However, this is a discussion we must have as information security professionals if we plan to go “full-tilt boogey” into the ubiquitous IoT.
There is a vast number of cars with computers already on the road. The fact is the car that can be hacked, the one I said I didn’t want to ride in, is already barreling down the freeway. If the auto industry doesn’t take action now to improve the security of the technology controlling our cars, millions more insecure vehicles will reach the road. Insecure technology in our cars is one of the most pressing concerns regarding the IoT, because it has an immediate impact on the physical safety of millions of travelers per day. There are over 200 million licensed drivers in the United States, and each one that gets behind the wheel is putting him- or herself at risk of unforeseen accidents; let’s not also put ourselves at risk of consequences we can prevent. I bet there are a lot of opinions about this. What do you think?