Last month, we published an article about the Chrysler car hack, and what it meant for the reality of network security and network performance management in the Internet of Things (IoT) era. As you probably realised, we weren’t the only ones covering the story – several major tech news websites, including The Verge, ZDNet and Wired ran articles about it, and conversation around how the hack was dealt with and what the long-term implications might be is still very much alive. But what are the major talking points that have emerged since the story broke a little over a month ago, and what does this mean about the future of network performance management and network security?
Chrysler’s ‘recall’ of affected vehicles leaves a lot to be desired.
Within two weeks of the remote attack on the Cherokee, Chrysler released a quiet press statement announcing that they would be ‘recalling’ up to 1.4 million potentially affected vehicles – a significantly higher number than the 470,000-odd that Valasek and Miller (the two hackers behind the operation) had initially estimated. But the ‘recall’ that Chrysler had in mind was more of a firmware update than a traditional recall, as it could only be installed physically. This meant that Cherokee owners had three options: bring their vehicle in to a Chrysler dealership to have the update installed, download the update onto a flash drive and manually install it, or wait for Chrysler to send a USB drive with the update through the mail.
Is Chrysler trying to solve a permanent problem with a temporary solution?
All of these scenarios are problematic from a security standpoint, but the third is particularly worrying – mailed USB drives could easily be intercepted or lost, and there’s the tacit assumption that the user will know exactly how to go about updating the vehicle when it arrives. Aside from what could happen once the drive is delivered, there’s also the potential that some users might not install the software, or not get around to bringing their vehicle into a dealership. With as many as 1.4 million affected customers, this is a very real possibility – and if even one unpatched car is still on the grid, it could have dire consequences to safety. Dave Kennedy, chief executive at TrustedSec, said the following in an article on ZDNet: “Right now none of them
[car manufacturers] have a good solution to do mass updates…I think they will from here on out, but this is an industry which hasn’t typically needed security in the cars until it became interconnected.”
Car manufacturers should learn a lesson from Chrysler’s mistake.
As the title of an article on Verge acutely points out, “The scariest thing about the Chrysler hack is how hard it was to patch.” It’s pretty clear that the hack caught Chrysler off-guard, and it’s understandable that the automotive giant might have been pressed for time when it came to implementing a solution. However, it’s hard to shake the feeling that their response is more concerned with sweeping the incident under the rug than it is about provisioning the security of their cars in the future. In the press statement, Chrysler went on to claim that “The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,” that “no defect has been found”, and that the automotive company was acting out of an “abundance of caution”. While it’s true that Miller and Valasek spent a year preparing to hack the vehicle, the point is moot. Valasek and Miller proved that it can be done. It’s naïve to assume that hackers with less honourable goals would also take the time attempt a similar hack. The other problem with this statement is that, in Chrysler’s opinion, no defect was found. When an exploit exists that can result in real physical harm or even death, shouldn’t it fit into anyone’s definition of what constitutes a ‘defect’?
In retrospect, how important will this milestone be?
There are two factors to bear in mind here: We’re on the cusp of an IoT revolution. In the coming years, we’ll see more and more of our ‘offline’ world coming online. Miller and Valasek’s hack was far more than just a game or an ego trip – it’s a foreshadowing of what could happen if we don’t make network security and network performance management a priority as we enter the IoT era. Secondly, according to Gartner’s 2015 Hype Cycle Report, we’re rapidly approaching the mainstream adoption of automated vehicles. With the news that new legislation on vehicle cyber security is being taken to the US Senate, it looks like Valasek and Miller might be getting the results they wanted, but only time will tell how well-prepared we are for the reality of security threats in a truly interconnected world.
IRIS provides network performance management software that is scalable, flexible and powerful. To find out more about the variety of services we offer, visit our website and read more about our Network Management Software. If you’d like to know more about running a stable, consistently available network, please download our free eBook today.