Connected vehicles may be first casualties in IoT hacking
There have been many warnings lately about the lack of security in the Internet of Things. But some still fail to realize that the next wave of data breaches – moving beyond stealing data to manipulating it – will likely start in the IoT because the target is so rich in opportunity and so low in risk (in terms of being caught or stopped). What is understood even less is that the first wave of IoT hacks and attacks is likely to target vehicles.
But that fact is not lost on the Federal Bureau of Investigation, the Department of Transportation and the National Highway Traffic Safety Administration, which jointly released a public service announcement detailing this threat.
"Vehicle hacking occurs when someone with a computer seeks to gain unauthorized access to vehicle systems for the purposes of retrieving driver data or manipulating vehicle functionality," warns that PSA.
The reason for warning the public is simple: to apply pressure to manufacturers of vehicles, components and aftermarket devices to increase their security efforts. If, for some reason, the public does not apply significant pressure, vulnerabilities of this sort will likely increase.
For one thing, the technical issues are very complex, and without sustained public pressure to keep at it, many companies may simply give up.
"The point is that future [IoT] technology will demand a holistic, cross-disciplinary approach for the design and implementation of cybersecurity and its interconnection with technology," said Lane Thames, security researcher at Tripwire.
"This by and large does not exist today. Until this starts to happen, we will continue to hear about more and more technologies coming online and eventually becoming vulnerable to remote exploits."
Part of the problem is that R&D types and app developers don't necessarily possess high-level security skills. Obviously, adding security pros to the developer teams so that security is baked in from the start would be a strong improvement.
"The developers have the best intentions and do a terrific job creating those applications," said Reiner Kappenberger, global product manager for HPE Security – Data Security.
"However, they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated."
Enterprises that plan to use such apps or components in their products, such as vehicle manufacturers using vehicle components, should also add one or more layers of security testing and security applications.
The same holds true for anything IoT-related. Accepting promises of security rather than proof of it leaves everyone vulnerable to attack and every company involved subject to liability.