Friday, August 02, 2013

The Internet of Scary Things

I’ve been reading a lot lately about the Internet of Things – the world in which pretty much every last object is connected and can be accessed from anywhere. Thus, you can lock your door or spy on your dog or lower your thermostat anywhere, anytime from your smarty-pants smartphone

Some of this is for the good – lock your door, spy on your dog, lower your thermostat – while other things are useless, evil, and/or just generally fall under the  “just because you can do it doesn’t mean you should do it” category.

Then there are the downright scary possibilities. And one of those is the possibility of evil-doers hacking into your smart car.

Two white-hat (good guy) software hackers:

Charlie Miller and Chris Valasek say they will publish detailed blueprints of techniques for attacking critical systems in the Toyota Prius and Ford Escape in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government. (Source: Reuters.)

For years, white hat hackers have worked to expose security vulnerabilities. Many organizations hire them to test their systems to see just how locked-down they are. Better to have a white hat embarrass you than a black hat hacker destroy you.

They said they devised ways to force a Toyota Prius to brake suddenly at 80 miles an hour, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at very slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.

Fortunately, the scenario in which Charlie and Chris did their sleuthing is not a real-world one, and, thus, the information they will be revealing won’t let someone hack into your car and drive you off the road:

They were sitting inside the cars using laptops connected directly to the vehicles' computer networks when they did their work. So they will not be providing information on how to hack remotely into a car network, which is what would typically be needed to launch a real-world attack.

Nonetheless, as the wonderful Internet of Things has shown us time and again, if you can direct connect to something, you can probably remote connect to it, as well.

Both Ford and Toyota (and other car makers) are spending lots of time and money trying to make sure that their cars are secure. They don’t want any 21st century version of the exploding Ford Pinto or the Chevrolet “Unsafe at Any Speed” Corvair on the road any more than you do. And as Ford spokesman Craig Daitch said:

"This particular attack was not performed remotely over the air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers and any mass level.”

Still, as someone who wishes that electronic car windows had a manual override, the thought of parts of a car failing because of an electronics glitch is bad enough. The idea of some bad guy slamming on my brakes when I’m tootling down the left lane is a bit unnerving, even if at present there’s no “risk to customers and any mass level.”

Why do I think that last part in Daitch’s statement might just have really meant to say at any mass level?

Meaning an individual car and driver may be at risk.

Which is probably the case, given earlier (unpublished) work by some academics who found:

…ways to infect cars using Bluetooth systems and wireless networks in 2011.

These folks – also white hats – didn’t publish their findings, but it did prompt the National Highway Traffic Safety Administration to launch their own cybersecurity initiative:

"While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities," the agency said in a statement. It said it knew of no consumer incident where a vehicle was hacked.

Yet.

I’d say it looks like we’re all going to have to be very careful before we modestly beep at some yahoo who’s about to cut us off 0r is drifting lanes because they’re too busy texting to pay attention. We’ll need to think twice before we lightly tap our brakes at the nimrod tailgating at 90 m.p.h., in hopes that he’ll back off a bit. And we’ll have to adopt the habit of smiling sweetly – the far better choice than flipping someone the bird, no matter how egregious their behavior.

After all, if they can just hack into your car and run you off the road…

Think of all drivers with their “brakes failed” defenses.

And imagine all sorts of “it just happened”, poltergeist defenses.

Sometimes the Internet of Things can be a big, bad, scary-ass place, that’s for sure.

And while on topic of dangers on the road, somewhere in my wanderings, I came across a fellow who’s got a business building desks for cars. He calls his business Dashboards to Desktops, or D2D, which makes for a clever play on B2B.

Most of this guy’s products make sense for people who work out of their cars or trucks: construction workers, field engineers, D2Dtruckers. But I was a bit scared by one of his products. It may be a bit hard to see, but that’s a keyboard bungee’d onto the steering wheel.

Now it’s one thing to pull over and use your D2D apparatus to get some work done safely and comfortably. But I’m trying to envision the circumstances under which someone would actually want or need to use a computer keyboard attached to their steering wheel.

Is this just a paucity of imagination on my part, or do I really need to be afraid, very afraid?

No comments: