The Internet of Things
An article review.
Vulnerabilities Found in Everything from Coffee Makers to Cars
Generally, our article reviews relate to a single article, but we recently found two separate articles that highlight many of the same concerns. These concerns simply apply to different product categories, so we decided to review them together.
The first article examined a recent study by HP’s Fortify security team that explored the security vulnerabilities of networked household appliances. After all, just about anything and everything within our daily lives is becoming connected to the internet. This is where the colloquial name “The Internet of Things” originates.
While the researchers at HP did not identify specific product names, they did take a look at 10 different devices. Within each of those devices, the team “found an average of 20 security flaws within each system.”
Daniel Miessler from HP’s Fortify stated, “It was as if everything we’d learned over the last 25 years had been extracted from memory. We saw credentials being sent over clear text, network ports listening with root shells without a password, private data leakage, and every common Web and mobile vulnerability you’d expect in a web or mobile security lab.”
The alarming part in all this is that humans very rarely learn from the past. Thankfully, “The Internet of Things” has caught the eye of Congress. A recent Senate Commerce, Science and Transportation Committee hearing began to explore and question these security vulnerabilities.
The second article brings to light the known vulnerabilities within today’s “connected” vehicles. With computers monitoring and controlling virtually every system within the modern car, hackers are proving that dangerous security gaps can easily be exploited with terrifying results.
A study recently sponsored by the office of a US Senator showed that security vulnerabilities were present in nearly every vehicle on the market today. The study included data from 16 automobile manufacturers, and it showed just how dangerous a hacker could be.
It’s proven that a hacker could:
- Cause sudden acceleration
- Turn the vehicle
- Deactivate the brakes
- Honk the horn
- Turn the headlights on and off
- Modify the readings of gauges and speedometer
So how could a hacker and their malware get into a modern vehicle? There are a number of possibilities. A hacker could use a direct Bluetooth connection, a system like GM’s OnStar, an android phone that’s paired with the car infected with malware, or even a CD or DVD placed in the vehicle’s entertainment system.
“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” the report said.
The implications are pretty freighting. There is some good new though. Car makers are beginning to see the need for increased security within their vehicles, including widespread data security standards put in place across the entire automobile industry.
Whether it is with coffee makers or with cars, will humans ever learn from history? After all, if there is vulnerability, it’s only a matter of time before it’s exploited by someone. We can only hope that the new advent of “Awareness in All Directions,” as described in Dan’s trend article, The Magnificent Seven 2015, will cause providers of newer technologies to implement the “security afterthought” faster than in the past!
The above is what we call an “Article Review.” It is part of our attempt to help our readers find excellent reading materials to back up important technology risk management concepts. We try not to include articles that are merely news or additional news about mainstream issues. Instead, we try to highlight articles that our “typical clients” should be sure to read, or that are about concepts “outside the mainstream media.” infotex does not intend to endorse views represented by the writers of the articles we review, nor do we try to keep our Clients aware of EVERYTHING. For example, if a particular story concept is being reported upon in many different media sources, infotex usually chooses to ignore the story concept altogether, unless we can find a “unique take” on the story concept.