Spy Car: Hacked Vehicles and Potential Internet of Things Regulation

The terrifying remote hack of a Jeep on the highway, as reported by Andy Greenberg in Wired magazine, seemingly validates the pervasive, yet vague, fears that many consumers have about the digitalization of our everyday lives. Charlie Miller and Chris Valasek’s demonstration of their ability to control the car’s motor management system, remotely cut the brakes or disable the accelerator, and in certain circumstances turn the steering wheel, served as a reality check as to what the future of the Internet of Things might hold.

Additionally, the car hack enables surveillance. Currently, the GPS coordinates of a targeted car can be tracked, its speed measured and its route followed. It is not hard to imagine geolocation and other personal information (e.g., contacts from the dashboard) combined with physical hacks to further increase the threat to drivers.

Hackable Cars
While the 2014 Jeep Cherokee was the focus of this particular attack (apparently accomplished using relatively inexpensive off-the-shelf components connected to a laptop and broadcasting the malicious data), all cars connected to the Internet are vulnerable to varying degrees. The models with the most computerized functions and the fewest separate networks are the most hackable. For example, if a car’s engine, braking system, Bluetooth, telematics and radio functions all run on the same network, it is easier for an attacker who compromises one of them to gain control of the car’s computerized physical operations.

As Miller notes in the Wired article, “When you lose faith that a car will do what you tell it to do, it really changes your whole view of how the thing works.”

As a result of this hack, FIAT/Chrysler issued a recall for 1.4 million cars for a software update. The upgrade must be manually loaded at a car dealer, and cannot be remotely distributed over the Internet.

Physical versus Informational Hacks
While physical security in a hacked car is the predominant issue that comes to mind for clear reasons of immediate potential danger, hackers can also obtain tremendous amounts of data about the car and the driver’s driving style, speed, and locations. This pervasive data collection is likely to be more valuable to hackers in the longer term. As opposed to a hack over the car controls, which may become immediately obvious to the car’s occupants, a data hack may go unnoticed (for years).

Greenberg uses as an example the ability to track vehicle location and destination searches enabled through a car hack, which points to the level of informational detail that may be obtained by hackers. Building up a database from this information allows hackers to determine where a person lives, works, worships and shops. Over time, they can build an understanding of a network of family and friends; and even predict where the driver will go. Other information that can be obtained from a connected car includes biometric data, telephone calls and browsing history.

The legal landscape
In response to growing evidence that vehicle manufacturers are not prepared to protect the networks they increasingly rely on, with potentially fatal consequences for consumers, regulators are evaluating the protections provided by the legal landscape:

  • US Senators have introduced the Security and Privacy in Your Car Act of 2015, which would require the development of privacy and security standards by relevant government agencies.
  • In the EU, there are currently no initiatives to pass laws specific to the connected car. Instead, the applicable laws are understood to be the EU Data Protection Directive (soon Regulation) and Telecom Laws. These laws will need to be interpreted in relation to connected cars—for example, assessing whether there should be restrictions on vehicle-to-vehicle data transfer. Recently the Article 29 Working Group, which is composed of EU national Data Protection Authorities, issued an opinion on the Internet of Things, including a reference to connected cars and privacy.

To demonstrate to governments that new regulations are not necessary, car companies are developing industry standards. Two trade groups, the Association of Global Automakers and the Alliance of Automobile Manufacturers, have agreed to a set of privacy-enhancing principles effective in model year 2017.

Whether developing new laws, interpreting existing ones, or relying on industry standards, one thing is clear: customers must be able to trust their connected cars, or the “drivable smartphone” of the future is not going to go very far.

Sarah Pipes, CIPP, CIPT
Senior Advisor and Data Protection Specialist, KPMG in Belgium

Sarah will speak at the 2015 ISACA EuroCACS/ISRM Conference on Privacy Challenges in the Internet of Things, with co-presenter Ronald Koorn, Partner, KPMG in The Netherlands.

[ISACA Now Blog]

8 Security Essentials for Managing Business Operations

Date : 7 Sep 2015

Organisation : (ISC)2

Writer : Chuan-Wei Hoo

According to the 2015 (ISC)² Global Information Security Workforce Study, 62 percent of nearly 14,000 respondents believe that their organizations have too few information security professionals. Signs of strain within security operations due to the workforce shortage are materializing: companies and organizations are increasingly struggling to manage threats and avoid errors, and are taking longer to recover from cyberattacks. Investing in security technologies, personnel and outsourcing alone will not materially reduce the workforce shortage in the short term. An expansion of security awareness and accountability throughout the organization is required. A more impactful approach is to embed real security accountability into other departments, and for the IT and security departments to function more collaboratively. Solving the problem will require not just the orchestration of information security leaders, but all cyber-enabled organizations to elevate the importance and ownership of security amongst all employees. Here are some key security essentials that everyone in business operations should observe.

1. Asset Security — protect the company jewels
Every company has information that it considers to be crown jewels. Perhaps it’s scientific and technical data, documents regarding possible mergers and acquisitions, or clients’ non-public financial information. This is why we must address the policies and processes around the collection, handling and protection of information throughout its lifecycle. Each enterprise should carry out an inventory, with the critical data getting special treatment. Each priority item should be guarded, tracked and encrypted as if the company’s survival hinged on it. In some cases, it may. The concepts, principles, structures and standards used to monitor and secure assets are crucial to enforcing the required levels of confidentiality, integrity and availability.

2. Security and Risk Management — build a risk-aware culture
The idea is elementary. Every person within an organization can infect it; whether it’s from clicking a dubious attachment or failing to install a security patch on a smart phone. So the effort to create a secure enterprise must include everyone. Building a risk-aware culture involves setting out the risks and goals, and then spreading the word throughout the entire company. But the important change is cultural. Think of the knee-jerk reaction — the horror — that many experience if they see a parent yammering on a cell phone while a child runs into the street. The information security leaders who try to nurture risk-aware cultures should have a broad spectrum understanding of general information security and risk management topics, beginning with the fundamental security principles of confidentiality, availability and integrity.

3. Software Development Security — embed security in design
Imagine if the auto companies manufactured their cars without seat belts or airbags, and then added them later, following scares or accidents. It would be both senseless and outrageously expensive. Similarly, one of the biggest vulnerabilities in information systems — and wastes of money — comes from implementing services first, and then adding security as an afterthought. The only solution is to build in security from the beginning, and to carry out regular automated tests to track compliance. This also saves money. If it costs an extra $60 to build a security feature into an application, it may cost up to 100 times as much — $6,000 — to add it later.

4. Communication and Network Security — establish secure communication channels
Consider urban crime. Policing would be far easier if every vehicle in a city carried a unique radio tag and traveled only along a handful of thoroughfares, each of them lined with sensors. The same is true of data. Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware. Cybercriminals are constantly probing for weaknesses. Each work station, laptop or smart phone provides a potential opening for malicious attacks. The settings on each device must not be left up to individuals or autonomous groups. They must all be subject to centralized management and enforcement. And the streams of data within an enterprise have to be classified, each one with its own risk profile and routed solely to its circle of users. Securing the workforce means vanquishing chaos and replacing it with confidence.

5. Identity and Access Management — track who’s who
Say a contractor gets hired full time. Six months pass and he/she gets a promotion. A year later, a competitor swoops in and hires him/her. How does the system treat that person over time? It must first give him/her limited access to data, then open more doors before finally cutting him/her off. This is managing the identity lifecycle. It’s vital. Companies that mismanage it are operating in the dark and could be vulnerable to intrusions. This risk can be addressed by implementing meticulous systems to identify the people, manage their permissions and revoke them as soon as they depart.

6. Security Assessment and Testing — patrol the neighborhood
Say a contractor needs access to the system. How do you make sure he/she has the right passwords? Leave them on a notepad? Send them in a text message? Such improvisation carries risk. An enterprise’s culture of security must extend beyond company walls to establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago, and the logic is the same: security, like excellence, should be infused throughout the entire ecosystem. The ruinous effects of carelessness in one company can convulse entire sectors of society.

7. Security Operations — manage incidents and respond
Say that two similar security incidents take place: One in Brazil, the other in Pittsburgh. They may be related. But without the security intelligence needed to link them, an important pattern — one that could indicate a potential incident — may go unnoticed. A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system will enable an enterprise to monitor its operations — and respond quickly.

8. Security Engineering — assess and mitigate vulnerabilities
It happens all the time. People stick with old software programs because they know them, and they’re comfortable. But managing updates on a hodgepodge of software can be next to impossible. Additionally, software companies sometimes stop making patches for old programs. Cyber criminals know this all too well. In a secure system, administrators can keep track of every program that’s running, be confident that it’s current, and have a comprehensive system in place to install updates and patches as they’re released. The goal is to balance managing risk with enabling innovation. Administrators and security leaders should know how to build information systems and related architecture that continue to deliver the required functionality in the face of threats arising from malicious acts, human error, hardware failure and natural disasters.

To download a copy of the 2015 (ISC)² Global Information Security Workforce Study, please go to www.isc2cares.org/IndustryResearch/GISWS/

[Cyber Security Information Portal]

Palo Alto Networks and AirWatch Mobile Security Alliance

In an earlier blog post I mentioned that the challenge for securing mobile devices has been formidable for many organizations. The limitations that arise out of classical approaches and assumptions towards security have led to many dead ends in the era of BYOD.

By working with AirWatch by VMware, we have developed a number of technical integration points that address the challenge for securing BYOD by providing ways to secure business apps and data and stop threats while still respecting the boundaries of privacy of personal data and traffic. This type of work is only possible by bringing together our engineering teams to design features in our respective products and develop the necessary APIs to exchange the information and make the best policy decisions.

Palo Alto Networks and AirWatch by VMware have a close partnership that makes this type of interaction possible. This week, we are at AirWatch Connect 2015 in Atlanta, and proud to highlight yet another development in our relationship.

AirWatch announced the AirWatch Mobile Security Alliance, an initiative that highlights the growing concerns over mobile threats and provides AirWatch customers with trusted, tested and integrated options for protection. Palo Alto Networks is a member of the AirWatch Mobile Security Alliance, and customers who depend on AirWatch to manage their mobile devices can use the integration with Palo Alto Networks to inspect business traffic, stop known and unknown mobile threats, and identify mobile devices that are already infected with malware.

At AirWatch Connect, the Mobile Security Alliance is front and center as one of the major focuses around security. If you’re here at the conference, be sure to see the announcement at the keynote session and stop by and see us at the Mobility Expo. If not, you can learn more about the partnership from www.paloaltonetworks.com/airwatch. I look forward to seeing you here in Atlanta!

[Palo Alto Networks Blog]
