Are We On The Road To Ruin?
Wired’s scoop about the Jeep vulnerabilities, and Fiat Chrysler’s consequent decision to recall 1.4 million cars in the US to update their software, provide a glimpse into the future and highlight issues that promise to become common in automotive (and in all other connected smart "things"). They leave us with the following considerations:
A first consideration is not unexpected. We still do not have much information about how a couple of infosec researchers were able to hijack most of the core functions of a modern car (all the information relevant to date can be found on CERT’s Vulnerability Notes Database; more will come after the next Black Hat conference, where the authors, Charlie Miller and Chris Valasek, have promised to provide some key data points about their research). What they showed is that something considered impossible or highly unlikely, compromising a vehicle remotely without prior physical access, is indeed possible and achievable.
A second consideration concerns the relationship between researchers and OEMs. Until now the whole process of discovering vulnerabilities and communicating them back to the car manufacturer has almost always been transparent and silent; with this latest incident, some sort of escalation seems to have occurred. Even though Miller and Valasek had apparently been sharing their research with FCA Chrysler for almost nine months, the decision to disclose a portion of the code and the methodology used to perform the attack raises concerns about how such information will be used by different players (white/grey/black hats, competitors, international organizations, etc.) and for what purpose. Indeed, this will shrink the timeframes required to deliver a software fix for a bug, and it will therefore put more pressure on manufacturers.
A third and final consideration relates to the dilemma facing industries such as automotive, avionics and medical devices, which have so far been characterized by a tightly integrated and controlled supply chain delivering high standards of safety-critical software. They are now struggling to enable, and keep pace with, a broader ecosystem and a business model that is driving them to be more “smartphone-like”. There is a clear need to improve the adoption of standards and processes that deliver software which is not only sound from the functional-safety perspective but also robust against attackers. Once this has been addressed, industry players will be able to deliver products that are feature-rich and, at the same time, safe and secure.
As hackers quickly gain the ability to capture data from, and take control of, devices once considered dumb and disconnected, which have now been given "intelligence" and connected wirelessly, we must dramatically rethink how we secure them.
Want to learn more about improving your code security? Check out the whitepaper HOW IOT IS MAKING SECURITY IMPERATIVE FOR ALL EMBEDDED SOFTWARE: WHY EMBEDDED SOFTWARE DEVELOPMENT NEEDS TO CHANGE AND WHAT ORGANIZATIONS CAN DO TO IMPROVE SOFTWARE SECURITY WHILE REDUCING DEVELOPMENT TIME.