BMW recently announced that it had to patch some of its new cars to fix a security flaw which affected its ConnectedDrive software. This flaw became apparent after German researchers demonstrated how they could spoof a mobile signal, intercept all the communications, and gain access to the car's computer system. In order to patch the flaw, BMW enabled the secure Hypertext Transfer Protocol (HTTPS), which essentially adds a security layer to the standard HTTP to encrypt the communications. Although this solves one of the problems and the communication is now encrypted, it's still important to note that it can still be intercepted.
You could argue that this is Info Security basics; encrypting everything and assuming that no network is secure is a good place to start. The fact that BMW engineers missed this vital step, although baffling, is actually not all that surprising. With consumer demand at an all-time high, and with software developers being pushed to release new software with the most up-to-date features, it seems that security is taking a back seat.
As we see more and more devices coming connected to the internet, it's important to remember that security needs to be one of the main considerations, and not an afterthought, like in the case of BMW's ConnectedDrive software. If you install Java on your computer, you will be greeted by a nice splash screen from Oracle telling you how 3 billion devices now run Java, which can include phones, parking meters, ATMs, set top boxes and more. Leaving aside the fact that Java is responsible for a high proportion of security patches; the wider trend is that we are seeing more and more insecure connected devices.
The topic of cars is covered a lot in the media today, especially with new developments, such as the "connected car". Although security flaws have been pointed out in connected vehicles, it is worth remembering that your car does not have to be connected to anything to be vulnerable. In 2010, Yoshi Kohno, from the University of Washington, demonstrated that a car could be compromised by injecting malicious code via an Audio CD or the radio signal received by the car. His team were able to completely take over all of the on-board computers in the car and by doing so could track its location, listen to conversations and even apply or disable the breaks.
The main issue is that all these on-board computers are connected within the car. They all run software, which, even with the best will in the world, is vulnerable. Your car radio is not a transistor radio any more, it is a computer that uses a piece of code to decode the radio signal and play your music - this is vulnerable! By getting someone to tune into your station you can own their car; in much the same way that spyware gets you to go to an infected website to infect your computer.
Car manufacturers in particular should know better than to leave things to chance. They are dealing with people's lives every day and already have very robust test models and threat models to trial their car's safety features. If they can create lights that shine around corners, cars that drive themselves and that deploy lifesaving equipment in the event of an accident, surely they can secure the on-board computers in their cars?
If they don't get their act together, imagine what could happen. We have seen Sony's PlayStation and Microsoft's Xbox Live networks taken down as a result of huge Direct Denial of Service (DDOS) attacks recently. Imagine if a group of attackers were able to infect all cars of a particular manufacturer in London and the malware activates itself when the car gets to a specific location or goes above a certain speed. By doing this, the hackers could then ensure that, one day in London, all the cars stop! No one knows why, traffic comes to a standstill, buses can't move and the city grinds to a halt. Then the new hacker group tells the media they did it and unless the car company pays them lots of money they won't re-activate the cars. Will it take a circumstance like this for manufacturers to get the message? Imagine the economic impact, the political fallout and the consequences for that car manufacturer?
The message to car manufacturers is to please get your act together and secure all your software and software developers - take your foot off the pedal, slow down and build in security from the start.