CAMBRIDGE, Mass.—Chris Valasek and Charlie Miller made headlines last month when they demonstrated at two security conferences how they were able to hack into a moving Jeep Cherokee, remotely taking control of the vehicle.
Their hacks led Fiat Chrysler Automobiles to recall 1.4 million vehicles to fix the vulnerability, and put an even greater spotlight on the complex issue of security and the Internet of things (IoT). During a keynote address at the second annual Security of Things conference here Sept. 10, Valasek used the work he and Miller did to talk about the challenges presented by the need to secure the tens of billions of devices that will make up IoT over the next several years, the responsibility that all players involved in the development of a connected product have in addressing security, and the need for more security professionals to test these products.
The job of security people is not to embarrass the companies whose products they hack, Valasek said.
“Information security people are the shepherds of the Internet,” he said. “We’ll show you when you messed up” and help businesses fix the problems.
Much of the morning portion of the conference—sponsored by The Security Ledger news site and the Christian Science Monitor’s Passcode security site—focused on the multiple issues surrounding securing the increasingly connected cars that are coming onto the roads and the growing challenges facing automakers. Valasek’s address was followed by a panel discussion about security and automakers.
The interest in connected vehicles is not surprising: According to Godfrey Chua, principal analyst with Machina Research, connected cars will represent 52 percent of the machine-to-machine (M2M) cellular connections in 2024, ranking at the top of the list. Connected cars mirror much of IoT, where security is top of mind, Chua said during the conference.
“It is a key friction point in the industry right now,” he said. “Security is clearly a multifaceted issue.”
Valasek came to the conference with several messages: that IoT security is a more complex and complicated challenge than many understand, and that responsibility lies with all parties involved in the development of a connected device—from the component makers to the OEMs to the wireless network vendors. And that in a world where there will be 27 billion M2M connections by 2024, hackers like himself play an important role in shining a light on vulnerabilities and helping improve security.
He pointed to the recent work by a Northeastern University graduate who found vulnerabilities in the microchips used in Furbys, intelligent toys that could communicate with each other. The work the student did may not have had the reach of the hack of the moving car, but such work is important, Valasek said. Other connected devices may also have used the same microchips with the same vulnerabilities as the Furby toys, he said. In addition, work on small items like the toy can encourage security professionals to take on larger challenges.
“Some hacks don’t really impact safety and security, but learning how to do it is smart,” Valasek said. “High-impact research can stem from low-impact research.”
In the work involving the Jeep Cherokees, Valasek and Miller—both of whom late last month joined Uber’s Advanced Technology Center—showed how they could remotely take control of the vehicles by exploiting a vulnerability in their UConnect communications module developed by Harman and sold to Fiat Chrysler. Using a “burner” phone bought at Wal-Mart that they used as a wireless hotspot, the two were able to get into the cars’ entertainment systems through a CAN bus that also gave them access to other systems in the automobile, enabling them to not only see data on the cars’ speed and location, but also to control such workings as blinkers, windshield wipers, radios, steering and braking.
Their work raised a number of issues regarding security and IoT, Valasek said. One was the need for manufacturers of connected devices to engineer security into the design of the machines rather than bolting it on later. In addition, the responsibility for security goes beyond just the OEM. Fiat Chrysler (the OEM) recalled the 1.4 million cars to fix what he called an air-gapped connection between the CAN buses running the entertainment system and the other aspects of the car, and Sprint (the carrier) shut down the open ports that enabled Valasek and Miller to use the burner phone to gain wireless access to the vehicles.
(Fiat Chrysler on Sept. 10 recalled another 7,810 SUVs sold in the United States due to software-related vulnerabilities.)
Jeep Hacker Says IoT Security a Complex Issue
Officials with Harman (the tier-one supplier) have not commented on whether they’ve fixed the problems within the UConnect module, he said.
“They all work together to make the products we all know and love, but they all share responsibility” for security, Valasek said. “These parties need to communicate … to ensure that networks used for their products are aware of each other. We need to put forth an effort to secure things when we design them [and have reviews at the development, implementation and remediation stages]. OTA [over-the-air software] updates are a must.”
There are other issues as well, he said. Software can be updated via patches sent over the Internet. However, IoT devices are a combination of hardware and software. While software can be patched, the hardware can’t always be changed. In addition, many devices that have been connected are older and already are in use, and work needs to be done to help shore up vulnerabilities.
“This stuff is more than just software,” Valasek said of IoT systems. “It’s where software meets hardware and that makes security … more complex.”
Valasek’s talk was followed by a panel discussion focusing on connected cars, with the panelists saying that software in vehicles is nothing new. What is new is the amount of technology in the cars and the connectivity they now offer. Over the years, the growing customer demand for more technology has created conflicts for automakers between features and security, and between capabilities automakers want to put in versus the cost involved, they said.
“We build features for consumers without thinking of security,” said Chris Poulin, research strategist for IBM’s X-Force R&D team. “We don’t build security in when we’re building features.”
There should be a strong baseline of security that all car makers put into their products, and customers who want more can buy after-market security products, the panelists said. But car makers should be viewed in the same light as operating system vendors, who are expected to have certain levels of security in their offerings, said Joshua Corman, CTO for Sonatype.
Much of what automakers will do “will come down to dollars and cents,” Corman said, pointing to the growing interest in enabling OTA software updates. He noted that Fiat Chrysler, after undergoing the expensive process of recalling 1.4 million vehicles, is moving toward enabling such updates.