Do you want a refrigerator that will put milk and broccoli on a shopping list for you? How about a wall safe that can add up how much money is inside, or a car that can stream music from the internet?
All these innovations and more are part of the newest trends in the electronic marketplace. Essentially any product that can be made into a smart device is being considered as one. But is this level of convenience and connectivity really a good idea?
Recently, two security researchers were able to hack into a Jeep Cherokee while it was speeding down the highway. They shut down the engine of this smart car while it was in the path of an 18-wheeler. The driver was a reporter and this was part of a test so no one was actually endangered, but they did it from a couch with only a laptop and an IP address. They used the vehicle's network internet address and gained access through the entertainment system.
Chrysler recalled 1.4 million Jeeps to patch this particular vulnerability, but it took the company more than a year, and the recall occurred only after that spectacular publicity stunt on the highway, and after it was requested by the National Highway Traffic Safety Administration. In announcing the software fix, the company said that no defect was found. But Chrysler is far from the only company compromised: BMW, Tesla and General Motors are just a few automotive brands that have been hacked, with surely more to come.
Dramatic hacks attract the most attention, but the software errors that allow them to occur are everywhere. While complex breaches can take real effort — the Jeep hacker duo spent two years doing research — simple errors in the code can also cause significant failure. Adding software with millions of lines of code to objects greatly increases their potential for harm.
The modern automobile is run by dozens of computers that manufacturers connect using a system that is old and known to be insecure. Yet automakers often use that unstable platform to connect all of the car’s parts. Once a hacker is in, they’re in the engine, steering, transmission and brakes, not just the entertainment system.
For years, security researchers have been warning about the dangers of coupling so many systems to create smart cars. Alarmed researchers have published academic papers, hacked smart cars as demonstrations, and begged the industry to step up. So far, the industry response has been to nod politely and fix exposed flaws without fundamentally changing the way they operate.
In 1965, Ralph Nader published “Unsafe at Any Speed,” documenting car manufacturers’ resistance to spending money on safety features like seatbelts. After public debate and finally some legislation, manufacturers were forced to incorporate safety technologies.
No company wants to be the first to bear the costs of updating the insecure computer systems that run most cars. Last month, a bill with privacy and cybersecurity standards for cars was introduced in the Senate.
This is a good indicator that the issue is crucial, but responding to digital threats by patching only the exposed vulnerabilities is like giving an aspirin for a broken leg.
Programs can be more reliable and databases more secure. Critical functions on Internet-connected objects should be isolated and external audits mandated to catch problems early. But this will require an initial investment to forestall future problems — the exact opposite of the current corporate impulse. It also may be that not everything needs to be networked, and that the trade-off in vulnerability isn’t worth it. Maybe smart cars are unsafe at any I.P.