Internet of Things security: Don't drive that jeep
OP
Just about everything you can imagine is going to be Internet-capable soon, from your toaster to your car to the equipment your hospital uses. And you know what's amazing? Nobody, and I do mean nobody, takes security seriously.
You think Flash is bad on security? How about a car that lets the radio tune in to the Internet--and allows an attacker on the Internet who knows the radio's IP address to control the car's brakes? How about drug pumps that listen on FTP ports and allow remote commands with nary even a password? Or maybe tea kettles that can be loaded with malware?
First, the hospital drug pump. My girlfriend was attached to one of these when she went in for surgery two years ago. It's network enabled, can be accessed directly from anywhere in the hospital's network, and has no security at all.
And the car? A design flaw in new Jeeps means if you know the vehicle's entertainment system IP address, you can remotely take over the car's engine and brake controls through the Uconnect network. I have no idea why someone thought it would be a good idea to connect the computer that runs the engine and brakes directly to the computer that runs the entertainment system. It must've seemed reasonable at the time.
I love the idea of the Internet of Things. I weep for humanity's inability to learn from security mistakes of the past.
Re: Internet of Things security: Don't drive that jeep
> I have no idea why someone thought it would be a good idea to connect the computer that runs the engine and brakes directly to the computer that runs the entertainment system.
I think too many things get implemented without anyone asking the "What if…..?" question enough times….if they ask it at all.
Last edited by ryck; 08/02/15 12:28 AM.
ryck
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Sonoma 14.4.1 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
Re: Internet of Things security: Don't drive that jeep
Moderator
Design flaw??? How is it a design flaw when security was never a consideration, much less a requirement in the design?
I could say a lot more about that, but I don't want to bore everyone else while I climb up on my soapbox.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: Internet of Things security: Don't drive that jeep
Moderator
> I think too many things get implemented without anyone asking the "What if…..?" question enough times….if they ask it at all.
There is a generally held misconception that it is too expensive to do. In truth the opposite is the real truth, but until organizations and management have tried it they steadfastly refuse to believe it. As a result the economic incentives are heavily rigged against asking those questions.
Re: Internet of Things security: Don't drive that jeep
You've previously pointed out that "design flaws" necessitate paid upgrades.
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Internet of Things security: Don't drive that jeep
Moderator
> You've previously pointed out that "design flaws" necessitate paid upgrades.
Definitely, and far too many managers consider that to be a desirable goal. But the rewards system is skewed all along the line. For example, software developers are far too often rewarded for their heroic efforts to quickly patch out a defect that should have been designed out long before the first line of code was written. The heroes get the bonuses and promotions while the developers who worked normal job hours and delivered code free of design or any other flaws are in danger of being laid off because they were not seen making a heroic effort!
To quote the cowardly lion in The Wizard of Oz, "If I were king of the jungle…"
My consolation is, in my role as an instructor in industry and university settings, I may have planted some seeds in the minds of my students that hopefully took root and will bloom in the future.
Re: Internet of Things security: Don't drive that jeep
OP
I would consider the "design flaw" to be not the lack of security (that's an implementation flaw), but the fact that the radio can even talk to the engine control and ABS computers at all!
Re: Internet of Things security: Don't drive that jeep
OK, the elephant in the room has been decloaked. Now ... what can the consumer do about 'foiling' the intrusions? Only practical/practicable solutions should be proffered.
• How do I get my refrigerator off-line?
• How do I prevent my toaster from immolating me?
• How do I guarantee that my drug pump won't be hacked by an evil-doer?
• How do I block interference with my motor vehicle's drive-by-wire system(s)?
(And "Go off the grid" and "Live in a cave" aren't viable options.)
Re: Internet of Things security: Don't drive that jeep
> I would consider the "design flaw" to be not the lack of security (that's an implementation flaw), but the fact that the radio can even talk to the engine control and ABS computers at all!
I wonder if separating the systems meant there would be some small incremental cost. If so, it would be like a digital version of the Pinto gas tank. It might have been done differently but, when the cost per vehicle was multiplied with the expected number of sales, the decision leaned toward protecting the bottom line.
I have to assume that the moment someone said "We're going to connect the radio to the brakes", even the person in the organization with the least automobile or computer literacy would be moved to incredulity.
Last edited by ryck; 08/02/15 01:21 PM.
ryck
Re: Internet of Things security: Don't drive that jeep
Moderator
> I would consider the "design flaw" to be not the lack of security (that's an implementation flaw), but the fact that the radio can even talk to the engine control and ABS computers at all!
That is a marketing feature! How else can the car send periodic emails to the vehicle owner advising them that needed service intervals have been reached, miles driven, fuel consumption, download firmware updates to the various systems, etc? Owners pay extra for the feature and monthly subscription costs for the service.
Re: Internet of Things security: Don't drive that jeep
> How else can the car send periodic emails to the vehicle owner advising them that needed service intervals have been reached, miles driven, fuel consumption, download firmware updates to the various systems, etc? Owners pay extra for the feature and monthly subscription costs for the service.
Some owners be dumb as stumps. You can tell by the way they drive too.
Re: Internet of Things security: Don't drive that jeep
> > I think too many things get implemented without anyone asking the "What if…..?" question enough times….if they ask it at all.
> There is a generally held misconception that it is too expensive to do. In truth the opposite is the real truth, but until organizations and management have tried it they steadfastly refuse to believe it. As a result the economic incentives are heavily rigged against asking those questions.
I think a lot of it starts with a "we'll worry about that later" or "it's harmless (in its present application)". Then time passes, and no one worries about it later because "surely they addressed basic security in vers 1.0?", or the project gets moved to a new group and then another, and at that point it suddenly becomes an internet-facing app that you suddenly really don't want anyone outside your little circle to have access to.
Call it lazy, call it cheap, call it efficient, call it uncoordinated, call it inconsistent, call it discontinuity, call it anything you like, stick any label on it you like. It's not going away because there's no accountability at the source.
I work for the Department of Redundancy Department
Re: Internet of Things security: Don't drive that jeep
> ….call it anything you like, stick any label on it you like. It's not going away because there's no accountability at the source.
….which would tempt me to call it bad management. However, I'm quite sure the management would hide behind: "We made a bottom line decision because that's what our shareholders demand."
Last edited by ryck; 08/03/15 12:59 PM.
ryck
Re: Internet of Things security: Don't drive that jeep
> > ….call it anything you like, stick any label on it you like. It's not going away because there's no accountability at the source.
> ….which would tempt me to call it bad management. However, I'm quite sure the management would hide behind: "We made a bottom line decision because that's what our shareholders demand."
I'm sure that's the case at least some of the time, but again at least some of the time it's not. You might be able to trace that meningitis outbreak two weeks back to a driveway Kool-Aid stand in the burbs, but at the time it was neither a consideration nor a concern, preventative steps were completely nonexistent, and it certainly wasn't intentional. And even if you could go back in time two weeks, could you really make any reasonable and acceptable policy changes that would have done anything to prevent it? "OK kids pack it up. We don't want to risk you creating a meningitis epidemic!" "You WHAT???"
Hindsight is 20-20. Whenever you're going to scrutinize actions taken in the past, it's essential to consider that they didn't know then what you know now. Anything you propose has to be with the understanding that it needs to be a reasonable and acceptable change, given the information that was available at the time. Otherwise you can't justify the change now for the future, let alone criticize the actions of the past.
Re: Internet of Things security: Don't drive that jeep
Buy old stuff. Seems like a whole lot of Constitutional privacy is gone.
Last edited by slolerner; 08/08/15 03:30 PM. Reason: more
Re: Internet of Things security: Don't drive that jeep
I first had concerns about this when I found out cops could stop a stolen car by slowing it down with some kind of built in device in new cars.
Think about someone hacking into an airplane's navigation systems rather than your car radio.
Re: Internet of Things security: Don't drive that jeep
VJ Day anniversary has come and gone, and I'm still waiting for suggestions, re the items in Post #35333 above.
Re: Internet of Things security: Don't drive that jeep
Technology marches onward. I recall many years ago the bad guys had receivers that read the transmitted code when people locked car doors. Then, while the folks were away, the crooks opened the cars and rifled them. But now….yikes! As a person who keeps things as long as they work well, it will be a while before I have a vehicle exposed to this new mischief (beyond door control). Meanwhile, and hopefully, technology will have solved the issue.
Last edited by ryck; 08/15/15 12:57 PM.
ryck
Re: Internet of Things security: Don't drive that jeep
Moderator
> OK, the elephant in the room has been decloaked. Now ... what can the consumer do about 'foiling' the intrusions? Only practical/practicable solutions should be proffered.
> • How do I get my refrigerator off-line?
> • How do I prevent my toaster from immolating me?
> • How do I guarantee that my drug pump won't be hacked by an evil-doer?
> • How do I block interference with my motor vehicle's drive-by-wire system(s)?
> (And "Go off the grid" and "Live in a cave" aren't viable options.)
- Assuming the use of modern devices and going for the highest level of certainty of protection…
  - Disconnect all WiFi modems, routers, or other devices that can create a WiFi network and connect your computer to the internet using a wired ethernet connection
  - To keep out signals from neighbor's or malefactor's WiFi devices, create a "Faraday" cage of your residence by lining the floors, ceiling, walls and covering the doors and windows with heavy gauge metal foil (copper is best but ruinously expensive and heavy gauge aluminum can work). Weld the strips of foil together to create an unbroken electrical shield and then connect the shield to an earth ground.
  - To protect from signals coming in through the electrical wiring, install a motor/generator system to provide power inside your shielded area. (That is an electric motor powered by the public power source driving a shielded generator that provides the power used inside the shielded area. There is no electrical connection between the motor and the generator.)
  - Install military grade filters on any telephone, cable, or internet connections penetrating the Faraday shield (NOTE: You will need wired phones because cell phones will not work inside the shielded area)
- The Old School Method (probably the only alternative for your motor vehicle)…
  - discard any device that was made in the last 10 years (make that 15 or 20 years for your motor vehicle because fuel systems have been computer controlled for a long time) and replace them with older devices manufactured prior to the thrust to computerize everything and connect them to the network.
  - forego the use of portable phones (smart or otherwise)
  - Disconnect all WiFi modems, routers, or other devices that can create a WiFi network and connect your computer to the internet using a wired ethernet connection, being sure to turn off all WiFi in any computer devices you use.
- What most are doing…
  - Take reasonable precautions (After a surge knocked out some systems in our house, I installed a "whole house" power filter to reduce the risk of power surges but it also filters out RF in the incoming power.)
  - Keep all devices, operating systems, and software scrupulously up to date (that means no more hanging on to older versions of OS X)
  - Learn to live with a tolerable level of risk.
Re: Internet of Things security: Don't drive that jeep
Maybe a way to 'cloak' household appliances that don't need access via the router.
A pet peeve of mine is mixed metaphors, and I apologize if I am wrong; Isn't it the 800 pound gorilla in the room that people pretend doesn't exist and the white elephant that is rare but not necessarily valuable? I hope I don't catch flak over this...
Re: Internet of Things security: Don't drive that jeep
> A pet peeve of mine is mixed metaphors, and I apologize if I am wrong; Isn't it the 800 pound gorilla in the room that people pretend doesn't exist and the white elephant that is rare but not necessarily valuable? I hope I don't catch flak over this...
Not a mixed metaphor. I wanted something larger than a gorilla. And what "white" elephant?!
Re: Internet of Things security: Don't drive that jeep
Moderator
> Maybe a way to 'cloak' household appliances that don't need access via the router.
Put them in a small Faraday cage and connect them to an isolated, filtered, and grounded power supply.
> A pet peeve of mine is mixed metaphors, and I apologize if I am wrong; Isn't it the 800 pound gorilla in the room that people pretend doesn't exist
No matter how hard you try to ignore the presence of the 800 pound gorilla in the room, it is impossible to do. Especially in a small room!
> and the white elephant that is rare but not necessarily valuable? I hope I don't catch flak over this…
Close but not quite. White Elephants are not necessarily rare, just unwanted and tough to get rid of. See the definition and derivation of White Elephant here.
Re: Internet of Things security: Don't drive that jeep
So the white elephant, once given, is hard to get rid of. The gorilla, on the other hand, I've heard used as a big problem you are ignoring, although I just looked that one up too. Derivation is strong-arming by government or other entity larger than you. The problem is a kind of combination, I guess.
Grelber did not say 'white,' I stand corrected.
Last edited by slolerner; 08/15/15 09:13 PM. Reason: complete confusion
Re: Internet of Things security: Don't drive that jeep
So on a practical level ...
• Pull the GPS fuse in the car. Any others to foil the trackers/hackers?
• Unplug the toaster after each use. (A good idea anyway, especially if you have a pet that likes to counter graze.)
• Refuse Internet-enabled drug pumps.
Still no idea how to foil fridge trackers/hackers.