Last week, Chris Valasek, who introduces himself as an ethical hacker, gave a speech at Trustech, revisiting how he hacked a Jeep back in 2015. He got into the car's Uconnect entertainment system thanks to a combination of vulnerabilities in the system and poor network protection, and from there took control of the car, to the extent that he was able to use the brakes and block the steering wheel.
Not only was this hack feasible, but the car designers had also not set up any means to remotely update the software, so the only possible correction was to recall 1.4 million cars! Chrysler had no other option but to engage in this complex and costly move.
However, not all issues are fixed yet! Even worse, car hacking tools are now available on the web. They allow taking control of the vehicle's Controller Area Network (CAN). According to researchers, getting control of the CAN could allow a hacker to send commands to some of the car's components, and eventually to shut off safety mechanisms such as air bags, anti-lock brakes, or door locks. This can be a way to steal cars, if not to blackmail their owners.
Stealing cars seems to become easier every day. Beijing researchers say they have built a pair of “relay hack” devices for just US$ 22 (EUR 18.50) that can listen to the signal between a remote key and the car. Then, it becomes easy to replay the signal. The researchers even reverse-engineered the signals, allowing them to develop further attacks. This type of attack happens worldwide, as demonstrated by a video published online by the Birmingham, UK, police department.
Chris Valasek's speech highlighted the fundamental conflict of objectives: security is considered hard and expensive while IoT has to be cheap! Proposing to secure only big things like cars and leaving smaller things like light bulbs unsecured does not work, as a set of unsecured objects can be used by hackers to gain control of other items. Fortunately, solutions exist! The secure transactions industry can deliver affordable solutions for Internet of Things security. Now, IoT developers need to catch up and adopt them!