Computer says NO
It was back in 1999, when I worked for General Motors (GM), that the topic of internet-enabled automobiles entered my professional vocabulary. Around that era, GM were researching the future scene of the motor-car, leveraging a technology called OnStar. At that time, being one of only a few security professionals with GM, I remember raising the topic of the ‘S’ word – and with some trepidation, I dared to mention ‘security’, and if such on-line enabled vehicles would require some form of security, or even a Firewall – the breadth, and depth of astonished looks I received are still burnt into my head to this day – what a wild statement to make!
The fact of the matter is however, in 2012, the time of AoIP (Anything on Internet Protocol) we are maximising the use of technology to potentially reach out to all forms of transportation, to manage, deliver services, and as such, within the constraints of the technology, and imagination, do just about anything – and we now take for granted the presence of an on-board computer sitting under the hood, which is in, or can enjoy a conversation with some remote service, diagnostics, or controlling technology.
Whilst I was considering this topic to write up for Infosecurity, I experienced what I can only describe as an unpleasant and dangerous event, which I understand was partly down to the on-board computer arriving at its own conclusion. On New Year’s Eve, being the good father, I wandered off into the wilds of Leicestershire to drop my daughter off at a party. When driving back home, I joined a dual carriageway, and noticing the traffic was moving fast, I gently accelerated away to join the traffic. It was at this stage when the engine ‘burbled’ and in order to rectify this fault, I applied more pressure, and wow. The car suddenly surged forward with force, and notwithstanding I had taken my foot off the accelerator, I was up, and well over 100 mph in a few seconds – the next thing encountered was a bang, and then another, and only at this stage did the vehicle ‘allow’ me to slow down – so two turbo-chargers later, and one engine (the very nice AA man informed me that this was a well-known fault with this type of vehicle), and I have since learned that the on-board computer may have been doing more driving than I! This may well be the last Jaguar I will ever own, but that’s another story…
Now with this as a backdrop, consider the recent revelation made by hackers, who claim they could break into the on-car interconnected network, and tamper with the controlling systems, adjusting performance, and the security of the vehicle. Imagine if they [the hackers] could gain unauthorised access to the vehicle, and turn on, or worse still, turn off some of those lifesaving capabilities we rely on to bring our transportation to a halt! And it’s not just cars. Could you, in your wildest dreams, come up with a scenario in which a passenger-carrying aircraft would facilitate a bridge between its controlling operational systems, and the passenger-enabled smart offerings of communication – it did, and was reported a number of years back.
So for me, in my humble opinion, this is where I stand. 1) If an on-board computer is installed, or, if the vehicle travels at more than 1 mile per hour, or gains a height of more than 5 feet, the time has arrived in which security, and the associated components both local, and remote infrastructure are accommodated by the same rules as are expected with more common-garden systems and applications, and following the rules for secure coding. Not wishing to push my luck, but where such addressable, reachable computerised systems are installed inside vehicles, I would expect them to be subject to Penetration Testing, as one would with any other computerised asset.
For me, I really don’t care, a computer-is-a-computer, and if it serves up any potential to open up to malicious manipulation, that makes it a critical asset in my book, and my assertion would be that ‘security will be accommodated’. When I hit that brake I expect the vehicle to stop, and not announce over the quadraphonic speakers, ‘Computer says NO’.
Posted 13/01/2012 by John Walker
Tagged under: OnStar, GM, Hackers