#35320 - 08/01/15 12:25 PM Internet of Things security: Don't drive that jeep
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Just about everything you can imagine is going to be Internet-capable soon, from your toaster to your car to the equipment your hospital uses.

And you know what's amazing? Nobody, and I do mean nobody, takes security seriously. You think Flash is bad on security? How about a car that lets the radio tune in to the Internet--and allows an attacker on the Internet who knows the radio's IP address to control the car's brakes? How about drug pumps that listen on FTP ports and allow remote commands with nary even a password? Or maybe tea kettles that can be loaded with malware?

First, the hospital drug pump. My girlfriend was attached to one of these when she went in for surgery two years ago. It's network enabled, can be accessed directly from anywhere in the hospital's network, and has no security at all.

And the car? A design flaw in new Jeeps means if you know the vehicle's entertainment system IP address, you can remotely take over the car's engine and brake controls through the Uconnect network. I have no idea why someone thought it would be a good idea to connect the computer that runs the engine and brakes directly to the computer that runs the entertainment system. It must've seemed reasonable at the time.

I love the idea of the Internet of Things. I weep for humanity's inability to learn from security mistakes of the past.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#35327 - 08/01/15 05:27 PM Re: Internet of Things security: Don't drive that jeep [Re: tacit]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: tacit
I have no idea why someone thought it would be a good idea to connect the computer that runs the engine and brakes directly to the computer that runs the entertainment system.

I think too many things get implemented without anyone asking the "What if…..?" question enough times….if they ask it at all.


Edited by ryck (08/01/15 05:28 PM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#35328 - 08/01/15 05:37 PM Re: Internet of Things security: Don't drive that jeep [Re: tacit]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Design flaw??? How is it a design flaw when security was never a consideration, much less a requirement in the design?

I could say a lot more about that, but I don't want to bore everyone else while I climb up on my soapbox.
_________________________
joemikeb • moderator

#35329 - 08/01/15 05:41 PM Re: Internet of Things security: Don't drive that jeep [Re: ryck]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: ryck
I think too many things get implemented without anyone asking the "What if…..?" question enough times….if they ask it at all.

There is a generally held misconception that it is too expensive to do. In truth the opposite is the real truth, but until organizations and management have tried it they steadfastly refuse to believe it. As a result the economic incentives are heavily rigged against asking those questions.

#35330 - 08/01/15 05:50 PM Re: Internet of Things security: Don't drive that jeep [Re: joemikeb]
artie505 Online


Registered: 08/04/09
You've previously pointed out that "design flaws" necessitate paid upgrades.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#35331 - 08/01/15 08:08 PM Re: Internet of Things security: Don't drive that jeep [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
You've previously pointed out that "design flaws" necessitate paid upgrades.
Definitely, and far too many managers consider that to be a desirable goal. But the rewards system is skewed all along the line. For example, software developers are far too often rewarded for their heroic efforts to quickly patch out a defect that should have been designed out long before the first line of code was written. The heroes get the bonuses and promotions while the developers who worked normal job hours and delivered code free of design or any other flaws are in danger of being laid off because they were not seen making a heroic effort!

To quote the cowardly lion in The Wizard of Oz, "If I were king of the jungle…" My consolation is, in my role as an instructor in industry and university settings, I may have planted some seeds in the minds of my students that hopefully took root and will bloom in the future.

#35332 - 08/01/15 08:44 PM Re: Internet of Things security: Don't drive that jeep [Re: joemikeb]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
I would consider the "design flaw" to be not the lack of security (that's an implementation flaw), but the fact that the radio can even talk to the engine control and ABS computers at all!

#35333 - 08/02/15 01:35 AM Re: Internet of Things security: Don't drive that jeep [Re: tacit]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
OK, the elephant in the room has been decloaked.
Now ... what can the consumer do about 'foiling' the intrusions? Only practical/practicable solutions should be proffered.
• How do I get my refrigerator off-line?
• How do I prevent my toaster from immolating me?
• How do I guarantee that my drug pump won't be hacked by an evil-doer?
• How do I block interference with my motor vehicle's drive-by-wire system(s)?
(And "Go off the grid" and "Live in a cave" aren't viable options.)

#35337 - 08/02/15 06:18 AM Re: Internet of Things security: Don't drive that jeep [Re: tacit]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: tacit
I would consider the "design flaw" to be not the lack of security (that's an implementation flaw), but the fact that the radio can even talk to the engine control and ABS computers at all!

I wonder if separating the systems meant there would be some small incremental cost. If so, it would be like a digital version of the Pinto gas tank. It might have been done differently but, when the cost per vehicle was multiplied with the expected number of sales, the decision leaned toward protecting the bottom line.

I have to assume that the moment someone said "We're going to connect the radio to the brakes", even the person in the organization with the least automobile or computer literacy would be moved to incredulity.


Edited by ryck (08/02/15 06:21 AM)

#35348 - 08/02/15 10:40 AM Re: Internet of Things security: Don't drive that jeep [Re: tacit]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: tacit
I would consider the "design flaw" to be not the lack of security (that's an implementation flaw), but the fact that the radio can even talk to the engine control and ABS computers at all!

That is a marketing feature! How else can the car send periodic emails to the vehicle owner advising them that needed service intervals have been reached, miles driven, fuel consumption, download firmware updates to the various systems, etc? Owners pay extra for the feature and monthly subscription costs for the service.

#35351 - 08/02/15 01:34 PM Re: Internet of Things security: Don't drive that jeep [Re: joemikeb]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: joemikeb
How else can the car send periodic emails to the vehicle owner advising them that needed service intervals have been reached, miles driven, fuel consumption, download firmware updates to the various systems, etc? Owners pay extra for the feature and monthly subscription costs for the service.

Some owners be dumb as stumps. You can tell by the way they drive too.

#35357 - 08/03/15 04:47 AM Re: Internet of Things security: Don't drive that jeep [Re: joemikeb]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: joemikeb
Originally Posted By: ryck
I think too many things get implemented without anyone asking the "What if…..?" question enough times….if they ask it at all.

There is a generally held misconception that it is too expensive to do. In truth the opposite is the real truth, but until organizations and management have tried it they steadfastly refuse to believe it. As a result the economic incentives are heavily rigged against asking those questions.

I think a lot of it starts with a "we'll worry about that later" or "it's harmless (in its present application)". Then time passes, and no one worries about it later because "surely they addressed basic security in vers 1.0?", or the project gets moved to a new group and then another, and at that point it suddenly becomes an internet-facing app that you suddenly really don't want anyone outside your little circle to have access to.

Call it lazy, call it cheap, call it efficient, call it uncoordinated, call it inconsistent, call it discontinuity, call it anything you like, stick any label on it you like. It's not going away because there's no accountability at the source.
_________________________
I work for the Department of Redundancy Department

#35358 - 08/03/15 05:59 AM Re: Internet of Things security: Don't drive that jeep [Re: Virtual1]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Virtual1
….call it anything you like, stick any label on it you like. It's not going away because there's no accountability at the source.

….which would tempt me to call it bad management. However, I'm quite sure the management would hide behind: "We made a bottom line decision because that's what our shareholders demand."


Edited by ryck (08/03/15 05:59 AM)

#35360 - 08/03/15 11:44 AM Re: Internet of Things security: Don't drive that jeep [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: ryck
Originally Posted By: Virtual1
….call it anything you like, stick any label on it you like. It's not going away because there's no accountability at the source.

….which would tempt me to call it bad management. However, I'm quite sure the management would hide behind: "We made a bottom line decision because that's what our shareholders demand."

I'm sure that's the case at least some of the time, but again at least some of the time it's not.

You might be able to trace that meningitis outbreak two weeks back to a driveway koolaid stand in the burbs, but at the time it was neither a consideration nor a concern, preventative steps were completely nonexistent, and it certainly wasn't intentional. And even if you could go back in time two weeks, could you really make any reasonable and acceptable policy changes that would have done anything to prevent it? "OK kids pack it up. We don't want to risk you creating a meningitis epidemic!" "You WHAT???"

Hindsight is 20-20. Whenever you're going to scrutinize actions taken in the past, it's essential to consider that they didn't know then what you know now. Anything you propose has to be with the understanding that it needs to be a reasonable and acceptable change, given the information that was available at the time. Otherwise you can't justify the change now for the future, let alone criticize the actions of the past.

#35439 - 08/08/15 08:16 AM Re: Internet of Things security: Don't drive that jeep [Re: grelber]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Buy old stuff. Seems like a whole lot of Constitutional privacy is gone.


Edited by slolerner (08/08/15 08:30 AM)
Edit Reason: more

#35440 - 08/08/15 08:23 AM Re: Internet of Things security: Don't drive that jeep [Re: slolerner]
slolerner Offline


Registered: 08/25/09
Loc: New York City
I first had concerns about this when I found out cops could stop a stolen car by slowing it down with some kind of built in device in new cars.

Think about someone hacking into an airplane's navigation systems rather than your car radio.

#35519 - 08/14/15 04:55 PM Re: Internet of Things security: Don't drive that jeep [Re: slolerner]
slolerner Offline


Registered: 08/25/09
Loc: New York City

#35521 - 08/14/15 11:44 PM Re: Internet of Things security: Don't drive that jeep [Re: grelber]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
VJ Day anniversary has come and gone, and I'm still waiting for suggestions, re the items in Post #35333 above.

#35522 - 08/15/15 05:56 AM Re: Internet of Things security: Don't drive that jeep [Re: slolerner]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: slolerner

Technology marches onward. I recall many years ago the bad guys had receivers that read the transmitted code when people locked car doors. Then, while the folks were away, the crooks opened the cars and rifled them. But now….yikes!

As a person who keeps things as long as they work well, it will be a while before I have a vehicle exposed to this new mischief (beyond door control). Meanwhile, and hopefully, technology will have solved the issue.


Edited by ryck (08/15/15 05:57 AM)

#35524 - 08/15/15 08:28 AM Re: Internet of Things security: Don't drive that jeep [Re: grelber]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: grelber
OK, the elephant in the room has been decloaked.
Now ... what can the consumer do about 'foiling' the intrusions? Only practical/practicable solutions should be proffered.
• How do I get my refrigerator off-line?
• How do I prevent my toaster from immolating me?
• How do I guarantee that my drug pump won't be hacked by an evil-doer?
• How do I block interference with my motor vehicle's drive-by-wire system(s)?
(And "Go off the grid" and "Live in a cave" aren't viable options.)

  1. Assuming the use of modern devices and going for the highest level of certainty of protection…
    1. Disconnect all WiFi modems, routers, or other devices that can create a WiFi network and connect your computer to the internet using a wired ethernet connection
    2. To keep out signals from neighbor's or malefactor's WiFi devices, create a "Faraday" cage of your residence by lining the floors, ceiling, walls and covering the doors and windows with heavy gauge metal foil (copper is best but ruinously expensive and heavy gauge aluminum can work). Weld the strips of foil together to create an unbroken electrical shield and then connect the shield to an earth ground.
    3. To protect from signals coming in through the electrical wiring, install a motor/generator system to provide power inside your shielded area. (That is an electric motor powered by the public power source driving a shielded generator that provides the power used inside the shielded area. There is no electrical connection between the motor and the generator.)
    4. Install military grade filters on any telephone, cable, or internet connections penetrating the Faraday shield (NOTE: You will need wired phones because cell phones will not work inside the shielded area)
  2. The Old School Method (probably the only alternative for your motor vehicle)…
    1. discard any device that was made in the last 10 years (make that 15 or 20 years for your motor vehicle because fuel systems have been computer controlled for a long time) and replace them with older devices manufactured prior to the thrust to computerize everything and connect them to the network.
    2. forego the use of portable phones (smart or otherwise)
    3. Disconnect all WiFi modems, routers, or other devices that can create a WiFi network and connect your computer to the internet using a wired ethernet connection being sure to turn off all WiFi in any computer devices you use.
  3. What most are doing…
    1. Take reasonable precautions (After a surge knocked out some systems in our house, I installed a "whole house" power filter to reduce the risk of power surges but it also filters out RF in the incoming power.)
    2. Keep all devices, operating systems, and software scrupulously up to date (that means no more hanging on to older versions of OS X)
    3. Learn to live with a tolerable level of risk.

#35525 - 08/15/15 09:36 AM Re: Internet of Things security: Don't drive that jeep [Re: joemikeb]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Maybe a way to 'cloak' household appliances that don't need access via the router.

A pet peeve of mine is mixed metaphors, and I apologize if I am wrong; Isn't it the 800 pound gorilla in the room that people pretend doesn't exist and the white elephant that is rare but not necessarily valuable? I hope I don't catch flack over this...

#35526 - 08/15/15 09:47 AM Re: Internet of Things security: Don't drive that jeep [Re: slolerner]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: slolerner
A pet peeve of mine is mixed metaphors, and I apologize if I am wrong; Isn't it the 800 pound gorilla in the room that people pretend doesn't exist and the white elephant that is rare but not necessarily valuable? I hope I don't catch flack over this...

Not a mixed metaphor. I wanted something larger than a gorilla. And what "white" elephant?!

#35527 - 08/15/15 10:26 AM Re: Internet of Things security: Don't drive that jeep [Re: slolerner]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: slolerner
Maybe a way to 'cloak' household appliances that don't need access via the router.

Put them in a small Faraday cage and connect them to an isolated, filtered, and grounded power supply.
Originally Posted By: slolerner
A pet peeve of mine is mixed metaphors, and I apologize if I am wrong; Isn't it the 800 pound gorilla in the room that people pretend doesn't exist

No matter how hard you try to ignore the presence of the 800 pound gorilla in the room, it is impossible to do. Especially in a small room!
Originally Posted By: slolerner
and the white elephant that is rare but not necessarily valuable? I hope I don't catch flack over this…
Close but not quite. White Elephants are not necessarily rare, just unwanted and tough to get rid of. See the definition and derivation of White Elephant here.

#35529 - 08/15/15 01:10 PM Re: Internet of Things security: Don't drive that jeep [Re: joemikeb]
slolerner Offline


Registered: 08/25/09
Loc: New York City
So the white elephant, once given, is hard to get rid of. The gorilla, on the other hand, I've heard used as a big problem you are ignoring, although I just looked that one up too. Derivation is strong-arming by government or other entity larger than you. The problem is a kind of combination, I guess.

Grelber did not say 'white,' I stand corrected.


Edited by slolerner (08/15/15 02:13 PM)
Edit Reason: complete confusion

#35538 - 08/16/15 12:45 AM Re: Internet of Things security: Don't drive that jeep [Re: joemikeb]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
So on a practical level ...
• Pull the GPS fuse in the car. Any others to foil the trackers/hackers?
• Unplug the toaster after each use. (A good idea anyway, especially if you have a pet that likes to counter graze.)
• Refuse Internet-enabled drug pumps.

Still no idea how to foil fridge trackers/hackers.
