Consumers must demand action on unified security standards

Lisa R. Lifshitz

Last month, I wrote about the Internet of Things and how, while it can offer tremendous benefits, all that connectivity can come with risks. In this column, I look at some of the concerns about security flaws in manufactured devices that have recently made headlines.

Wired has recently reported a number of spectacular IoT vulnerabilities, particularly in cars and medical devices.

In July, two computer researchers remotely attacked a Jeep Cherokee equipped with the Uconnect system while the Wired reporter was driving it. Uconnect, an in-vehicle connectivity system sold in as many as 471,000 U.S. vehicles including Chrysler, Dodge, FIAT, Jeep, and Ram vehicles, allows owners to connect to the Internet to interact with their vehicle over their smartphone. It uses the Sprint cellular network and users can conduct certain activities, including accessing entertainment, issuing voice commands, and remotely starting their cars.

By obtaining precise location and vehicle identification information, the researchers could attack the car’s critical systems via its IP address, including turning off its brakes, affecting steering and transmission controls, activating windshield wipers, and taking control of its vehicle information and entertainment systems. They could also take control of the steering of the vehicle in reverse.

Wired’s writer was literally brought to a standstill on the highway when they killed his engine. Alerted to this vulnerability, manufacturer Fiat Chrysler quickly issued a patch and notified consumers via its web site. There is no guarantee, however, that customers will all avail themselves of the fix given that it has to be manually installed from a USB drive by the dealer or the owner him/herself.

It’s not just car parts that are vulnerable. There is considerable exposure for devices that connect to them. In another followup, Wired reported that University of California researchers found a way to turn the two-inch-square dongle  — plugged into cars’ and trucks’ dashboards and used by insurance firms, trucking fleets, and Uber to monitor vehicles’ location, speed, and efficiency — into a deadly security flaw.

By sending carefully crafted text messages to a dongle connected to the dashboard of a 2013 Corvette, the researchers could turn on the Corvette’s windshield wipers and even enable or disable its brakes via the transmission of commands to the car’s CAN bus — the internal network that controls its physical driving components.

Alerted to the problem, the manufacturer of the devices quickly responded with a security patch delivered wirelessly to the Internet-connected gadgets, but vulnerabilities remain with the older models. As well, if a security patch can be delivered wirelessly to vulnerable models, a new hack can equally be delivered to unpatched systems.

Wired also noted the problem involving dongles and mobile devices is fairly widespread — at least one telematics-based insurance provider that relies on on-board diagnostic plug-ins has serious vulnerabilities.

Mobile device dongles were also found to have particular security bugs. Since they are configured to accept commands via SMS, a protocol with virtually no authentication, hackers can rewrite their firmware by sending texts to the devices or simply begin issuing commands to a connected car.

Cars appear to be especially vulnerable given their interconnectivity. Recently, TechInsider reported that one hacker built a device for US$30 that could unlock cars that use keyless entry, exploiting a security vulnerability in car and garage key remotes that has been known for a while.

Wired also recently reported that at least five models of IV drug infusion pumps made by Hospira had a security flaw that allowed hackers to secretly and remotely change the amount of drug that would be administered to a patient.

More than 400,000 of these pumps are currently in hospitals around the globe. Some of these models are no longer sold because of their known quality and safety issues, but the company’s standard and most current models are impacted. As the devices lack any kind of authentication enforcement, security researcher Billy Rios found anyone on the hospital’s network, including hackers over the Internet, could load a new drug library that changed the safety and dosage limits for a drug.

The pumps’ firmware could also be remotely altered, allowing hackers to remotely alter doses given to patients, including raising the dosage above the maximum limit, without activating any kind of alert from the pump. Scary, no?

It’s not just cars or drug pumps that raise concerns. The software in Internet-connected video baby monitors has also been hacked. Internet-connected thermostats have been hit, too. While many publicized attacks are simply proof-of-concept, once the concept has been proved, it can be exploited by others for more nefarious ends.

It doesn’t help that at present there are no industry-wide security standards for IoT devices or standardized security protocols. Instead, there is a wide array of alliances and groups that have created myriad competing standards and protocols (one writer estimated more than 400) around connectivity, interoperability, privacy, and security. These include such groups as the Industrial Internet Consortium, the AllSeen Alliance, the Open Interconnect Consortium, the Object Management Group®, Thread, and HomeKit.

Experts do not foresee the emergence of unified standards until at least 2017.

To date, it appears in Canada the dialogue relating to the IoT has often focused on privacy issues (for example, the “Connected Car Report” and the OPC Privacy Priorities 2015-2020, published June 2015), which acknowledged emerging issues relating to IoT and expressly the role of the IoT in the “body as information.” As a consumer, I remain even more concerned by the potential security risks of the IoT.

Consumers must demand, through direct action and via government intervention, the implementation of reasonable security best practices along the lines of those recommendations advocated by the U.S. Federal Trade Commission and the legislation proposed by American Senator Ed Markey, which I mentioned last month.

In the meantime, I am rather glad that I do not own a car.