Rafael Morillo, Chief Marketing Officer at Amplía)))
Car hacking is famous now and could well be a trending topic on social media these days. Some hackers were able to remotely manipulate several features of a Jeep while it was being driven. I read the article “Hackers remotely kill a jeep in the highway” while the media was paying a lot of attention to it, probably because it affected a first-class, widely used brand. It is a very interesting read, with a description of the hack that goes from the wipers to the transmission and brakes. Lessons learned from this car hack:
Lesson n.1: Minimize communication from the infotainment system to the vehicle’s core system. Entertainment and core functions should be in different systems and different networks, but this is not completely possible due to basic features like reading consumption on the display or adapting the lighting behavior. Solving this flaw will only be possible if designers think of security first and then of functionality.
Lesson n.2: Isolate internet applications from the rest of the system. Again, a good design will have to prevent the application capable of downloading songs or traffic status from accessing the firmware where access to the CAN bus is granted. This disables OTA updates, which indeed is helpful, but the question is whether it is worth it at this point.
Lesson n.3: Do not allow any kind of firmware to be uploaded. Obvious, but not taken into consideration this time. The ability to upgrade the firmware is a basic capability for a car these days. But hackers being able to put any kind of software inside is a big mistake. Moreover, the signing procedure should also be complete, with security at maximum.
Lesson n.4: Public networks and private networks. Having vehicles connected to the internet opens doors to potential hacks. Although being connected is needed to have online content, there is the chance of having car makers use private VPNs and offer internal access to services. My humble suggestion is to enable different isolated accesses: one private for access to critical services, and one public for entertainment and traffic.
Lesson n.5: After-sales upgrade performance. In the case study mentioned, the carmaker decided to patch the car using a USB stick. This implies that there might be vehicles that will never get the patch, simply because their owners don’t understand the procedure, or simply fail to receive the update. OTA upgrades, if existing, should be done automatically and securely, following strict workflows and authorisations. This will speed up patching and help prevent future problems.
Conclusions
Thanks to this research, the automaker has fixed and recalled all the vehicles, other carmakers have increased their awareness of security, governments have launched programs and intend to create specific regulations, and overall concerns about security have increased. This doesn’t mean that we are secure now, but at least the potential dangers have been identified, and the whole Internet of Things community is now, maybe more than ever, aware of security thanks to this kind of example. But it will take time until we are all secure using connected objects, since there are many hackers, many systems, and many options.
Companies moving to the Internet of Things will have to do as we have done until now: have a special unit dedicated to security, to prevent, detect and correct flaws. Then the company workflows must be designed to respond quickly to the threat and avoid unwanted situations.
How could you avoid having your devices hacked? Do you see the need to use an IoT platform to solve security issues? If you want to know more about how we provide these solutions and how we help your business, fill in this form or contact us.