What Does the Volkswagen Hack mean for IoT Security?
A remote hack-attack on Chrysler Jeeps dominated headlines this past summer when researchers used an exploit to wirelessly control parts of a car’s systems. Initially, they took over the air conditioning, the windshield wipers and the radio. Intrigue grew to concern, however, when those same researchers showed how they could also slow down the car on the highway without any chance for the driver to maintain control. Those revelations led to the first known product recall on a networked car: The Jeep Manufacturer Fiat Chrysler had to update software in more than 1.4 million of its vehicles.
Are Car Hacks A Real Problem?
The Jeep hack was just one of several hacks during the summer.
Security experts from an IT security firm were also able demonstrate a hack when shut down a moving Tesla Model S at low speed. A couple of weeks ago I had the pleasure to test drive a Tesla S car and for me this experience was amazing and scary at the same time. Amazing from a driving experience point of view, because the Tesla S has a velocity of almost 0.8G and you feel like a rocket. But on the other hand, it was scary from an IT Security point of view. The Tesla S is essentially a tablet computer on wheels. Its central command unit is remotely connected and it get updates all the time, with no real control from the car owner.
And now, more recently, Volkswagen had to admit that they had deliberately changed the behavior of their software during specific circumstances, in what is being considered a de-facto software hack. How did this Volkswagen hack happen? The fraud was possible because the company ran engine management software that could recognize laboratory situations and this could turn the engine into a kind of diet mode. Putting aside questions of ethics and responsibility, this is another example of how cars are not being designed with hacker protection in mind, regardless if the hacks are coming externally or internally.
A New Era Has Dawned
We are now in a time in when technology companies must provide “digital confidence.” This is necessary and should be mandatory to keep customer trust. From a technology and historical point of view, consider this the beginning of a digital Cambrian explosion. In the Cambrian explosion 524 million years ago, conditions changed virtually overnight. Almost all known animal species emerged and before this, almost three billion years had passed with just a few algae and bacteria on earth. Such a comparable explosion has begun now in the digital world.
Three reasons stand out from many others.
- First, everything is connected with everything else via the Internet and cloud infrastructure. This is the baseline for all steps which are following.
- Second to consider is the amount of data generated from all devices connected to this cloud. It is getting massive and clearly cars are now a connected “Thing” in this context.
- And third, is the digital intelligence of data processing. This does not mean artificial intelligence, but the variety of calculations that are possible using the amount of sensor data available today. Software can now recognize the most complex situations and customize the behavior of the machine, for good and for bad. In most cases this is for our advantage in our day to day life, but it can also be negative when such “bots” can become attackers.
Machine Learning Is the Next Level of the Evolution
In the Volkswagen case, the car had not become a learning machine (yet), but they did develop an intelligent application program that was able to adapt to specific situations and driving scenarios.
The fact is that digital automation is now a driving force behind many aspects of life, including the cyber-attack landscape. A modern upper class car carries million lines of code in its system, Tesla might be even more, and it is hardly feasible to have serious examinations and quality control over such large amounts of code.
Consequences for IoT Security
The Internet of Things (IoT) is here and it is real and cars are becoming a fundamental part of it. But the software-driven world of this new car technology and with it the related economy, is becoming a central problem for cyber security. It involves pieces of work from different suppliers that use some proprietary software, some of which may be many years old.
For driving safety, there is a long tradition and also legal requirements like manufacturer crash tests. But the issue of safety is not bound to a security check in the software, which is used in the car nor to the network and connectivity layer of a car. Let’s face it, no Internet-connected car is without cyber-attack risk anymore and as a first step we have to have cyber security tests as part of the operation permit certification. This must be mandatory as legal requirement or regulation.
Everybody who is doubting this reality should consider that we’ve seen a more than 300% increase in organizations under constant cyber-attack, a sure indication that attacks now come from tireless machines. For those wondering how the security community should respond, the answer may well be a “if you can’t beat them, join them” approach where the same degree of automation is implemented into security management. We’ve reached a “my good bot against your bad bot” state in security.
Join me next week at IP Expo in London (7-8 October, Excel London), for my seminar on cyber-attacks and geo-political events. I look forward to having you in the session and discussing with you latest trends in cyber security.