Officials with Harman (the tier-one supplier) have not commented on whether they've fixed the problems within the UConnect module, he said.
"They all work together to make the products we all know and love, but they all share responsibility" for security, Valasek said. "These parties need to communicate … to ensure that networks used for their products are aware of each other. We need to put forth an effort to secure things when we design them [and have reviews at the development, implementation and remediation stages]. OTA [over-the-air software] updates are a must."
There are other issues as well, he said. Software can be updated via patches sent over the Internet. However, IoT devices are a combination of hardware and software. While software can be patched, the hardware can't always be changed. In addition, many connected devices are older and already in use, and work needs to be done to help address their vulnerabilities.
"This stuff is more than just software," Valasek said of IoT systems. "It's where software meets hardware and that makes security … more complex."
Valasek's talk was followed by a panel discussion focusing on connected cars, with the panelists saying that software in vehicles is nothing new. What is new is the amount of technology in the cars and the connectivity they now offer. Over the years, the growing customer demand for more technology has created conflicts for automakers between features and security, and between the capabilities automakers want to put in and the cost involved, they said.
"We build features for consumers without thinking of security," said Chris Poulin, research strategist for IBM's X-Force R&D team. "We don't build security in when we're building features."
There should be a strong baseline of security that all car makers put into their products, and customers who want more can buy after-market security products, the panelists said. But car makers should be viewed in the same light as operating system vendors, who are expected to have certain levels of security in their offerings, said Joshua Corman, CTO for Sonatype.
Much of what automakers will do "will come down to dollars and cents," Corman said, pointing to the growing interest in enabling OTA software updates. He noted that Fiat Chrysler, after undergoing the expensive process of recalling 1.4 million vehicles, is moving toward enabling such updates.