Securing Connected Cars..

A relatively short post.. hopefully some car manufacturers are reading..

IoT security and car / vehicle security are hot topics at the moment.  From the Jeep hack to Tesla, there have already been examples where cars can be ‘hacked’.  These have demonstrated that control can be taken, not just of relatively benign functions like climate or the stereo, but of actual ‘car’ controls like steering and brakes.

In addition to this, if you use, or read reviews of, most cars' entertainment / infotainment systems, they are pretty poor in terms of UI and capabilities.  Hands up if the maps on your phone beat your car's GPS / navigation system.

This seems to be a clear symptom of manufacturers wanting to have their cake and eat it.  What I mean is minimal changes to the architecture, implementation and security of the software and hardware (computer) that runs the car while simultaneously wanting to connect it to the internet for clever features and updates.

In the world of mobile phones, and indeed traditional computing there is a concept of trusted or secure execution environments.  These vary in implementation, but the premise is a hardware protected trusted environment for executing sensitive activities while less sensitive activities run on the normal operating system and less secure / more open environment.

If you follow this blog you’ll have seen that I have actually argued we can make a software only solution more than secure enough for payments.  This however differs from cars in two very important ways;

  1. I propose we monitor the software at all times it is in use to ensure the payment is legitimate and secure.  I am not sure any car manufacturer wants to monitor the software in all its cars, all the time, in real time.
  2. People are unlikely to die.  This is not being overly dramatic; a failed payment or fraudulent payment likely involves a call to your bank and minor inconvenience.  If the ‘driving’ parts of your car can be hacked there is a very real risk of serious injury or the loss of life.

How do we solve this, and still provide convenience?

I propose that the car computer effectively be split into two discrete components.

The first being secure and dealing with anything to do with controlling the car such as the engine, brakes, steering etc.  This should be in a secure environment that ideally can only be updated at a garage using a physical connection and certificates etc.  This could potentially be remotely updated, but that should be weighed against the risks.

The second being the ‘fun’ part.  This would include the whole infotainment system, music, climate, navigation* etc.  These components can then be updated remotely, ideally still with reasonable security such as encrypted communication and certificates etc.

This split would allow manufacturers to update the UI, navigation etc much more frequently with relatively low risk.

I’m hoping that car manufacturers will move in this or a similarly secure direction soon.  If they do not, I fear something bad will happen.  This will not only be bad for those involved, but will lead to strong regulation and prove (again) that companies must be regulated to do the right thing.

It’s time to stop hiding behind supply chain or whatever the excuse is and to protect your customers and the general public.  Either that or stop making connected cars!

Concepts similar to this likely apply to a wide range of IoT ‘things’.

K

 

*You could make an argument for not having navigation here, as it is possible to direct people the wrong way which could be dangerous, but I’d suggest less imminently dangerous, and I’m definitely not proposing no security for the ‘infotainment’ stuff!

 

Securing IoT payments

There is a lot of discussion around IoT security, much focussed on patching, maintaining / updating etc etc.

Given the volume of discussion in this space I’ll not write something likely replicating other conversations.

 

What I am interested in is whether we can enable secure and trusted automated payments from IoT devices.  If we can solve this we can trust a lot of non payment behaviours as well.

Assuming we can improve those basics enough to make wider use of IoT devices safe (enough), payments will surely follow.  We may well see a growth in IoT driven payments before we are happy the IoT is safe enough – we are already seeing hackable cars and their associated mobile applications (http://www.theregister.co.uk/2016/11/25/tesla_car_app_hack_enables_car_theft/).  A lack of safety and security is clearly not holding back the IoT tide!

 

One of the benefits of consumer IoT devices is that they will be able to automatically order things.  Examples could be replacing themselves or components as they wear out, or restocking consumables as they run low – think of coffee machine buying coffee or fridge restocking etc.

Is it possible to simply and effectively secure (automated) payments from IoT devices? Or for that matter any device..

There are multiple potential issues including;

  • Did you authorise the payment?
  • Is the ‘thing’ really yours and acting on your behalf?
  • Where is the ‘thing’ located, and where should the goods be sent to?
  • Do you want / need whatever is being purchased?
  • How could malicious people;
    • Make money (cash out) from this?
    • Cause harm, and to what level? – from slight nuisance to real harm..

 

How can we mitigate the risk from these issues to enable secure IoT payments?

 

I’d propose that it is possible to do this, using a combination of three things;

  • Some rules and metadata about the device and what it is allowed to do
  • Certificates that link the device to you and an address
  • Something to make this data and all transactions immutable, such as a blockchain implementation

 

How would these work together?

For most consumer devices it will be relatively easy to set rules about the device in terms of what it is, and what it is allowed to do.  For a simple example, a light bulb can only order a single lightbulb to the address it is registered to.  For a slightly more complex example, a fridge could have rules around only being able to order items you have previously ordered and set as ‘replace me’, only to the registered address at agreed times, and only if there was space in the fridge for them.

As long as these rules are immutable, e.g. by being held in a blockchain, the chances of a criminal cashing out are extremely limited.  The ability to cause harm is also limited as you could potentially make a lightbulb order 1 lightbulb, or make the fridge order something you wanted replaced that would fit into the fridge..

Using extremely scalable certificate management would allow identity and location to be stored with each device.  Consider something like a root cert and child certs model.  You are your own root cert, then all your devices get a child cert that links to you and has added information like address.  These could be managed, replaced and revoked as you would expect.  Securely managed certificates, potentially stored as part of the blockchain, would enable the device (‘thing’) to be linked to the owner, location and by inference the owner’s payment instrument and permission to replace / order items.  The permissions associated with the device around what the owner has allowed it to do would also be stored in the blockchain.

 

By utilising relatively simple rules for each device, that the owner can set and agree, we are able to ensure it only performs sensible actions.

By using the existing certificate model, just in a massively scalable architecture we are able to link the devices to owners, locations and payment instruments.

Finally by utilising blockchain and its properties, we are able to immutably store these things, with clear permissions and a full audit trail for any changes and transactions.
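A minimal sketch of how the owner-set rules and the immutable record could fit together, added here as an illustration and not part of the original post. The record schema, the function names and the hash-chained list standing in for a blockchain are all assumptions; the certificate link between device and owner is reduced to an `owner` field.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

class Ledger:
    """Append-only hash chain: a stand-in for the blockchain's tamper evidence."""
    def __init__(self):
        self.entries = []
    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record, "hash": _digest(prev, record)})
    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
                return False
            prev = e["hash"]
        return True

def register(ledger, device, owner, address, items, max_qty):
    # Owner-set rule for one device (hypothetical schema), stored in the ledger.
    ledger.append({"type": "rule", "device": device, "owner": owner,
                   "address": address, "items": sorted(items), "max_qty": max_qty})

def authorise(ledger, device, item, qty, ship_to):
    """Check an order against the device's latest rule and log the decision."""
    if not ledger.verify():
        return False, "ledger tampered"
    rule = next((e["record"] for e in reversed(ledger.entries)
                 if e["record"]["type"] == "rule" and e["record"]["device"] == device), None)
    if rule is None:
        ok, reason = False, "unknown device"
    elif item not in rule["items"]:
        ok, reason = False, "item not allowed"
    elif not 1 <= qty <= rule["max_qty"]:
        ok, reason = False, "quantity not allowed"
    elif ship_to != rule["address"]:
        ok, reason = False, "address mismatch"
    else:
        ok, reason = True, "ok"
    ledger.append({"type": "order", "device": device, "item": item,
                   "qty": qty, "ship_to": ship_to, "allowed": ok, "reason": reason})
    return ok, reason

demo = Ledger()  # constructed sample: the light bulb rule from the text
register(demo, "bulb-1", "owner-1", "1 Example Street", {"lightbulb"}, 1)
```

Refused orders are logged as well as accepted ones, so the audit trail also shows attempts to misuse a device; once any stored rule has been altered, `verify()` fails and `authorise` refuses every order.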

 

I’ve obviously simplified this for the purposes of this blog post, but hopefully the idea is clear.  It would definitely be great to hear your thoughts on this.  I may write a longer more detailed overview and incorporating a wider range of inputs would definitely add value!

 

K

IoT does not equal IoT

I was at a PETRAS IoT (Internet of Things) event recently and a question I was asked at lunchtime got me thinking.

The question was;

“Do you think cloud is secure”

My response quite obviously was that the question needed a lot more context. Which cloud?  In what sense? Secure enough for what? Etc. etc.

 

We are falling into the same trap of thinking of IoT as a ‘thing’.  All IoT devices may share some traits, in the same way as there are certain traits a hosted service must have for it to be called a cloud service.

However all IoT devices clearly cannot and should not be lumped into one big category.

 

As my interest is in security I’ll use that as an example.

Consider the level of security required around a simple consumer device like a lightbulb.  It may have a few capabilities like on / off / dim and potentially being able to purchase one replacement lightbulb to your address.  You may also want some features in place to prevent actually logging onto it other than to perform on / off stuff, and to prevent it from enumerating your home network.

Now consider the security required around a medical device such as a pacemaker or insulin provider for a diabetic..  A while ago someone demonstrated they could hack a Bluetooth insulin device and make it release all of its insulin at once.  Obviously this was done while the device was not connected to a person!

In the above examples, as long as there are some sensible rules in place, the threat vector from the lightbulb is very limited, and the value to criminals is effectively zero.

However in the healthcare example, a security issue could lead to immediate risk to life – imagine the scenario of pay xx bitcoins or I affect your insulin supply, or stop your pacemaker.. – Thus demonstrating not only risk to life, but also a clear avenue to profit for the criminal.

 

We 100% need to work to improve the security and manageability of IoT devices across the board.  However we need to start segmenting this into different sectors and levels of threat / risk / value.

 

This will allow sensible dialogue about what is appropriate for different circumstances.  It is likely this will allow faster and appropriately secure progress.

For example, a framework for security and risk management of consumer devices such as lights, fridges, toasters etc. could likely be arrived at.  This would allow progress to be made in this space to provide consumers wider benefits from IoT, but without being mired in wider conversations about what is appropriate for healthcare or transport IoT etc.

 

So this post has two points;

  • When something is massive and wide ranging such as cloud or IoT, it is fine to use this as a concept but we need to stop talking about them as a single thing when we think about security etc. as there is not a single solution or set of requirements.
  • IoT – we need to define distinct, but not too narrow, use cases, e.g. healthcare, consumer, transport etc.  Following this we can agree sensible and appropriate frameworks and requirements for things like security, management, payments..

 

I’ve been mulling over a high level concept for securing IoT payments and the consumer space, that I’ll flesh out and share in an upcoming post.  It would be great to hear your thoughts on this and how we can best manage / secure the various types and use cases of IoT.

K