After car hack, Internet of Things looks riskier

Network engineers Charlie Miller and Chris Valasek are displayed on the navigation screen of a Jeep Cherokee, which the duo successfully hacked.
Whitney Curtis/New York Times
Network engineers Charlie Miller and Chris Valasek are displayed on the navigation screen of a Jeep Cherokee, which the duo successfully hacked.

Last month’s revelation that hackers could remotely seize control of over a million Chrysler automobiles has delivered a stark warning that life in an ultra-networked world could be very dangerous, indeed.

“I think it is a seminal moment,” said Paddy Srinivasan, vice president at LogMeIn Inc., a Boston company in the forefront of building the “Internet of Things,” the ongoing effort to tie household appliances and nearly everything else to the Web. “These new devices need a fresh approach and a new way of thinking about security, and that is the missing piece.”

At the end of July, two network engineers, Charlie Miller and Chris Valasek, used an Internet-connected computer to take control of a Chrysler Jeep Cherokee driving down a highway in St. Louis. As a reporter for the technology magazine Wired sat helpless in the driver’s seat, Miller and Valasek activated the windshield wipers, turned the radio and air conditioning up full blast, and disengaged the car’s transmission to make the vehicle undriveable — all from Miller’s basement, 10 miles away.

Within days, Chrysler’s parent company, FCA US LLC, recalled 1.4 million vehicles that were susceptible to the same kind of Internet attack.

The following week, computer security researcher Samy Kamkar revealed that he had hacked the OnStar communications system found in many General Motors cars. By attaching a small Wi-Fi receiver to a vehicle, Kamkar could remotely learn the car’s location, unlock its doors, or start its engine. General Motors said it has issued a fix that will solve the problem.

“Cybersecurity is an absolute top priority for automakers,” said Wade Newton, a spokesman for the Alliance of Automobile Manufacturers, a trade group representing the world’s largest car makers. The alliance, he said, is creating a new program for sharing and analyzing information on digital security threats.

But Kathleen Fisher, a computer science professor at Tufts University, warned that automotive computer networks are inherently weak and difficult to secure. Nearly all cars use a networking technology called the “controller area network bus,” or CAN bus, developed by the German auto parts maker Robert Bosch GmbH in the 1980s. “The CAN bus is hopelessly insecure,” Fisher said. It was developed decades before cars were connected to the Internet and lacks features to block malware programs or reject commands from unauthorized intruders.

Fisher said it will take years and cost millions to develop more secure vehicle networking systems, and no company will do this unless its competitors do the same.

She favors legislation recently introduced by US Senator Edward J. Markey, Democrat of Massachusetts, that would set ­data security and privacy standards for all cars sold in the United States.

The hacking of the Jeep was unusually scary, but many other networked devices could be plagued by similar vulnerabilities. Many people are installing Internet-connected thermostats, front doors that can be unlocked from a thousand miles away, or security cameras that beam live images to a homeowner’s phone.

Boston and other cities are installing networked parking meters that can direct drivers to unused parking spaces.

Any of these gadgets, and many more, could be ripe targets for online vandals or criminals.

“[With] any of these things in the Internet of Things, the considerations are the same,” said Rob Sadowski, director of technology solutions at RSA, the digital security company owned by the Hopkinton data storage giant EMC Corp. “How do I make sure I’m the ­only one using this? How do I know there aren’t bad guys attacking it?”

Srinivasan said the low-cost chips used in many Internet of Things devices lack built-in security features, such as hard-wired encryption, that could reduce the risk of attack. So these systems are only as secure as the software running on them, and illicit code injected by an intruder could cause serious problems.

For instance, “if you can reverse engineer a parking meter, you can inject false data so that everybody in the city believes that there are no parking spaces available,” Srinivasan said.

LogMeIn’s Internet of Things system, Xively, seeks to prevent such attacks by ignoring all incoming messages. Instead, a Xively chip gets its instructions only by regularly checking a specific Internet address. In addition, every instruction must include an encrypted digital signature to prove it came from an authorized source.

But it is unclear whether Xively will work as advertised. And there are many more Internet of Things systems that are only now being widely deployed. As with the hacked Jeep, it may take some high-profile cyberattacks to reveal how vulnerable they are.

Something similar happened with Microsoft Corp.’s Windows operating system, which wasn’t originally built with Internet security in mind. At the turn of the 21st century, a series of Internet malware programs like SQL Slammer, Blaster, and Code Red infected millions of Windows computers worldwide. The attacks threatened Microsoft’s reputation and its revenues. So in 2002, Microsoft halted all new development on Windows and spent two months fixing security bugs and training its software engineers how to write safer code. The effort paid off; while still imperfect, newer versions of Windows are far harder to crack.

Sadowski said he believes that Internet of Things developers would benefit from the same kind of crisis mentality. “I think we do need a rallying cry like that,” he said. “Many of the developers are probably thinking features first, security second.  . . . What we really need to do is educate the developers and the users as to the potential risks.”

Hiawatha Bray is a technology reporter for the Boston Globe. E-mail him at [email protected].
Follow Hiawatha on Twitter - Facebook - Google+