This week, I saw several seemingly-unrelated articles, one (a video) on eavesdropping Bluetooth headsets, one on automotive hacking, and one on attacking the keyless ignition system popular on some newer cars. These topics have been in the news quite a bit in the past year (albeit mostly back page), and it got me to thinking. Our world is evolving. Entertainment, convenience, and transportation devices are increasingly Internet-aware, bringing us ever more convenience, ever more capability.
I love that I can play mp3 music from my DLNA server using my Blu-ray player. I love that I can stream movies from Netflix using my Wii or my Blu-ray player. I love that I can challenge players anywhere in the world to a round of Mario Kart on my networked Wii. I love that my car has tire pressure monitoring sensors to tell me at a glance the exact air pressure in each tire. I love that I can listen to music on my smartphone, and seamlessly take phone calls from my Bluetooth-enabled headset.
Using an iPhone app, I could remote control my DVD player from anywhere. Using another app, I could turn off lights at home, and with yet another app (thanks to the Intel Home Energy Dashboard proof of concept) adjust my home's thermostat. The Dodge Ram had the capability of serving as a full-fledged WiFi hotspot as far back as 2008. General Motors and Nissan have both announced electric vehicles with advanced remote control – imagine phoning your car 5 minutes before leaving the office to turn on the heat or a/c (in fact, aftermarket kits to do this have been available for a while).
This brave new world has a dark side though, a dark side that has not yet shown itself in any substantial way. What happens when all this connectivity is used for ill? In most cars produced after 2007, the ECU (Engine Control Unit) has the ability to control everything from brakes to locks, wipers to the horn. In 2008 researchers from the University of Washington and University of California San Diego showed that the ECUs could be hacked, giving attackers the ability to be both annoying, by enabling wipers or honking the horn, and dangerous, by disabling the brakes or jamming the accelerator. In March 2010, a dissatisfied former employee of an auto dealer in Austin, Texas, accessed the dealer’s control system to disable more than 100 cars bought from that dealer. In September 2010, a researcher at security conference PacSec Japan demonstrated a proof of concept to piggyback malicious code on the end of games downloaded to a Wii, using the Wii as an access point to a home network.
Do I think we need to go back to the dark ages of completely independent devices? Hardly. But I do wonder if consumer-oriented businesses have gotten ahead of themselves. In the infamous words of Jurassic Park’s Ian Malcolm, businesses are so preoccupied with whether they could, they didn’t stop to think if they should. More to the point: I wonder if consumer product companies have created new capabilities without fully understanding (and defending against) ways these capabilities could be abused. Business products are generally implemented by technology teams that understand how to secure the systems. Consumer products are generally used by people that just want it to work. When I plug in a new toaster, I simply want it to toast bread. If it downloads recipes to detect the type of bread and adjust its cooking habit to perfectly toast that variety of bread, great! But I don’t expect to have to think about how my new Internet toaster could be the access point an intruder uses to infiltrate my home network.
Even as a pretty savvy security geek, I still get caught up in excitement over the cool new features technology enables. I worry that we may get (or maybe already are) millions of devices down the road with formerly utilitarian vehicles before someone truly exploits the system, with now millions of very vulnerable targets, that could have been prevented with a little forethought.
With Centrino, Intel created a standard that ushered in the world of widespread WiFi – and made basic network security reasonably simple. When was the last time you bought a wireless access point for your home that did not include a firewall, and more than likely, a wizard that recommended basic security settings? But who is doing this for embedded technology in set-top devices, in autos, and in household appliances? Do technology companies have a responsibility to do the same with the increasingly interconnected consumer devices they are enabling?