Securing Connected Cars..

A relatively short post.. hopefully some car manufacturers are reading..

IoT security and car / vehicle security are hot topics at the moment.  From the Jeep hack to Tesla, there have already been examples where cars can be ‘hacked’.  These have demonstrated that control can be taken, not just of relatively benign functions like climate or the stereo, but of actual ‘car’ controls like steering and brakes.

In addition to this, if you use, or read reviews of, most cars’ entertainment / infotainment systems, they are pretty poor in terms of UI and capabilities.  Hands up if the maps on your phone beat your car’s GPS / navigation system.

This seems to be a clear symptom of manufacturers wanting to have their cake and eat it.  What I mean is minimal changes to the architecture, implementation and security of the software and hardware (computer) that runs the car, while simultaneously wanting to connect it to the internet for clever features and updates.

In the world of mobile phones, and indeed traditional computing there is a concept of trusted or secure execution environments.  These vary in implementation, but the premise is a hardware protected trusted environment for executing sensitive activities while less sensitive activities run on the normal operating system and less secure / more open environment.

If you follow this blog you’ll have seen that I have actually argued we can make a software only solution more than secure enough for payments.  This however differs from cars in two very important ways:

  1. I propose we monitor the software at all times it is in use to ensure the payment is legitimate and secure.  I am not sure any car manufacturer wants to monitor the software in all its cars, all the time, in real time.
  2. People are unlikely to die.  This is not being overly dramatic; a failed payment or fraudulent payment likely involves a call to your bank and minor inconvenience.  If the ‘driving’ parts of your car can be hacked there is a very real risk of serious injury or the loss of life.

How do we solve this, and still provide convenience?

I propose that the car computer effectively be split into two discrete components.

The first being secure and dealing with anything to do with controlling the car such as the engine, brakes, steering etc.  This should be in a secure environment that ideally can only be updated at a garage using a physical connection and certificates etc.  This could potentially be remotely updated, but that should be weighed against the risks.

The second being the ‘fun’ part.  This would include the whole infotainment system, music, climate, navigation* etc.  These components can then be updated remotely, ideally still with reasonable security such as encrypted communication and certificates etc.

This split would allow manufacturers to update the UI, navigation etc much more frequently with relatively low risk.
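As an added illustration of the two-domain split (my own example, not code from the post or from any car manufacturer), the Go program below models the update policy for each domain: the control domain and the infotainment domain each have their own signing key, a control-domain update is only admitted when it arrives over the garage’s physical connection, and every image must verify under the key of the domain it targets. The domain names, the policy structure, the keys and the sample images are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain names one of the two discrete car computers proposed in the post.
type Domain int

const (
	Control      Domain = iota // engine, brakes, steering: garage-only updates
	Infotainment               // music, climate, navigation: over-the-air updates
)

// UpdatePolicy is the per-domain rule (constructed for this example): whether
// an update must arrive over a physical link, and which key must have signed it.
type UpdatePolicy struct {
	RequirePhysicalLink bool
	SigningKey          ed25519.PublicKey
}

// Update is a firmware image for one domain with a detached Ed25519 signature.
type Update struct {
	Target    Domain
	Image     []byte
	Signature []byte
}

// Policies builds the two-domain policy from the manufacturer's signing keys.
// The control domain has its own key, so a leaked infotainment key cannot sign
// anything the control computer will accept.
func Policies(controlKey, infotainmentKey ed25519.PublicKey) map[Domain]UpdatePolicy {
	return map[Domain]UpdatePolicy{
		Control:      {RequirePhysicalLink: true, SigningKey: controlKey},
		Infotainment: {RequirePhysicalLink: false, SigningKey: infotainmentKey},
	}
}

// Admit decides whether an update may be applied. physical reports whether it
// arrived over the garage connection rather than the car's internet link.
func Admit(pol map[Domain]UpdatePolicy, u Update, physical bool) error {
	p, ok := pol[u.Target]
	if !ok {
		return errors.New("update targets an unknown domain")
	}
	if p.RequirePhysicalLink && !physical {
		return errors.New("control-domain update refused: physical connection required")
	}
	if !ed25519.Verify(p.SigningKey, u.Image, u.Signature) {
		return errors.New("update refused: signature does not verify under the domain key")
	}
	return nil
}

// Sign produces a signed update. Only the manufacturer would hold the private
// keys; it is here so the example is self-contained.
func Sign(key ed25519.PrivateKey, target Domain, image []byte) Update {
	return Update{Target: target, Image: image, Signature: ed25519.Sign(key, image)}
}

func main() {
	ctrlPub, ctrlPriv, _ := ed25519.GenerateKey(rand.Reader)
	infoPub, infoPriv, _ := ed25519.GenerateKey(rand.Reader)
	pol := Policies(ctrlPub, infoPub)

	maps := Sign(infoPriv, Infotainment, []byte("navigation maps v2 (constructed image)"))
	fmt.Println("over-the-air map update:", Admit(pol, maps, false))

	brakes := Sign(ctrlPriv, Control, []byte("brake controller v7 (constructed image)"))
	fmt.Println("over-the-air brake update:", Admit(pol, brakes, false))
	fmt.Println("garage brake update:", Admit(pol, brakes, true))

	// The infotainment key cannot produce a control-domain update the car accepts.
	wrongKey := Sign(infoPriv, Control, []byte("brake controller v7 (constructed image)"))
	fmt.Println("garage update signed with the infotainment key:", Admit(pol, wrongKey, true))
}
```

The point of the separate keys is that remote updatability of the ‘fun’ domain never becomes a path to the ‘car’ domain: even a valid over-the-air signing capability is useless against the control computer, and the physical-link requirement is enforced before the signature is even checked.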

I’m hoping that car manufacturers will move in this or a similarly secure direction soon.  If they do not, I fear something bad will happen.  This will not only be bad for those involved, but will lead to strong regulation and prove (again) that companies must be regulated to do the right thing.

It’s time to stop hiding behind supply chain or whatever the excuse is and to protect your customers and the general public.  Either that or stop making connected cars!

Concepts similar to this likely apply to a wide range of IoT ‘things’.

K


*You could make an argument for not having navigation here, as it is possible to direct people the wrong way which could be dangerous, but I’d suggest less imminently dangerous, and I’m definitely not proposing no security for the ‘infotainment’ stuff!


2017 Security Predictions and Themes

More of the same..

Simple attacks due to un-patched systems, mis-configurations, ‘standard’ app issues like SQL injection and Cross Site Scripting, phishing links etc. will continue to be the cause of the vast majority of breaches.

Advanced attacks will still make the headlines, even when just in terms of ‘it could have been xx nation using advanced methods’..  Advanced attacks will still be heavily promoted by vendors to sell products and services.

DDoS will continue to get bigger due to the increasing proliferation of insecure connected devices (cue first IoT reference!).

Big data and analytics will continue to be big.  Security use cases such as behaviour analysis across all the log data will continue to mature and start to show the value of “big data” from a security monitoring perspective.  We will need to work on moving from just behaviour monitoring in logs and alerting, to proactive blocking.  ‘Big data’ should start to become the ‘big brain’ that instructs the enforcement tools like IPS and endpoint agents (they will obviously continue to do their normal job as well).

IoT. I am waiting (note I don’t want there to be one!) for a serious incident in this space.  Not just the DDoS stuff, but actual direct harm to people from the hacking of cars or medical equipment.  This will shortly be followed by a LOT of knee jerk regulation.  No idea if this will happen in 2017 or later.  Unless something fundamental changes in how the devices covered in the wide IoT umbrella are developed, deployed and managed it will.

  • As a side note, we should stop just referring to IoT and start prefixing it with what we are actually referring to, in the same way as you have SaaS, IaaS, GovCloud etc. etc. for cloud ‘things’.  IoT is far too broad, and also has far too many different applications that will have vastly different security implications and requirements.

Blockchain.  Like IoT, no predictions list would be complete without something blockchain in it.  We are already seeing blockchain use cases expanding from currency to DRM and music management etc.  This will continue, it’s very much in the ‘hypecycle’ at the moment with everyone rushing to be at the front with use cases and ‘thought leadership’.  It would be great to see some really beneficial use cases – could a blockchain be used to track and guarantee that charity finances or food or medical supplies went to the right people?

Automation.  Combine environments that are becoming more complex and more dynamic (think DevOps, agile, containers, cloud etc.), increasing numbers of attacks, along with the much reported skills shortage and you have a perfect storm!  Automation will be key for organisations to stay secure.  Automating more of the basic security tasks will also enable better careers for the SecOps guys – they will have more time to focus on more advanced security issues and hunting for threats etc.

Simplification.  In a similar vein to the above, simplification must be a key strategy.  I’m talking from a security perspective, but this generally makes sense as well!  How many security conversations have started or ended talking about implementing a tool / solution?  We should be having more conversations about how we can rationalise the tooling we use.  How we can meet the security requirements of our organisation with the minimum set of tools and processes.  Thus with the maximum simplicity.

Likely millions of things will happen, that we can’t predict, but these are the current themes I am thinking about.

It would be great to hear your thoughts on the key security themes for 2017!

K

Securing IoT payments

There is a lot of discussion around IoT security, much focussed on patching, maintaining / updating etc etc.

Given the volume of discussion in this space I’ll not write something likely replicating other conversations.


What I am interested in is whether we can enable secure and trusted automated payments from IoT devices.  If we can solve this we can trust a lot of non payment behaviours as well.

Assuming we can improve those basics enough to make wider use of IoT devices safe (enough), payments will surely follow.  We may well see a growth in IoT driven payments before we are happy the IoT is safe enough – we are already seeing hackable cars and their associated mobile applications (http://www.theregister.co.uk/2016/11/25/tesla_car_app_hack_enables_car_theft/).  A lack of safety and security is clearly not holding back the IoT tide!


One of the benefits of consumer IoT devices is that they will be able to automatically order things.  Examples could be replacing themselves or components as they wear out, or restocking consumables as they run low – think of a coffee machine buying coffee, or a fridge restocking itself etc.

Is it possible to simply and effectively secure (automated) payments from IoT devices? Or for that matter any device..

There are multiple potential issues including:

  • Did you authorise the payment?
  • Is the ‘thing’ really yours and acting on your behalf?
  • Where is the ‘thing’ located, and where should the goods be sent to?
  • Do you want / need what ever is being purchased?
  • How could malicious people:
    • Make money (cash out) from this?
    • Cause harm, and to what level? – from slight nuisance to real harm..


How can we mitigate the risk from these issues to enable secure IoT payments?


I’d propose that it is possible to do this, using a combination of three things:

  • Some rules and metadata about the device and what it is allowed to do
  • Certificates that link the device to you and an address
  • Something to make this data and all transactions immutable, such as a blockchain implementation


How would these work together?

For most consumer devices it will be relatively easy to set rules about the device in terms of what it is, and what it is allowed to do.  For a simple example, a light bulb can only order a single lightbulb to the address it is registered to.  For a slightly more complex example, a fridge could have rules around only being able to order items you have previously ordered and set as ‘replace me’, only to the registered address at agreed times, and only if there was space in the fridge for them.

As long as these rules are immutable, e.g. by being held in a blockchain, the chances of a criminal cashing out are extremely limited.  The ability to cause harm is also limited, as at most you could make a lightbulb order one lightbulb, or make the fridge order something you wanted replaced that would fit into the fridge..

Using an extremely scalable certificate management system would allow identity and location to be stored with each device.  Consider something like a root cert and child certs model.  You are your own root cert, then all your devices get a child cert that links to you and has added information like address.  These could be managed, replaced and revoked as you would expect.  Securely managed certificates, potentially stored as part of the blockchain, would enable the device (‘thing’) to be linked to the owner, the location and, by inference, the owner’s payment instrument and permission to replace / order items.  The permissions associated with the device, i.e. what the owner has allowed it to do, would also be stored in the blockchain.
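To make the rules-plus-certificates part concrete, here is an added example in Go (my own, not the post’s design or any real product) using only the standard library’s x509 package: the owner acts as their own root, each device gets a child certificate with the delivery address bound into its Subject, and an order is authorised only if the device chains to the owner’s root, ships to the registered address and stays within the owner-set rule. The owner name, device name, addresses, SKUs and the rule schema are all constructed; the immutable ledger is not part of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeviceRule is the owner-agreed policy for one "thing": the items it may order
// and the most it may order at once (constructed example, not a real schema).
type DeviceRule struct{ MaxQty map[string]int }

// Order is a purchase request originating from a device.
type Order struct {
	SKU, ShipTo string
	Qty         int
}

// mustCert signs tmpl under parent with priv and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Issue creates the owner's self-signed root and an owner-signed device
// certificate whose StreetAddress carries the registered delivery address.
func Issue(owner, deviceName, address string) (root, device *x509.Certificate) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader) // device private key never leaves the device
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: owner},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mustCert(rootTmpl, rootTmpl, rootPub, rootPriv)
	device = mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceName, StreetAddress: []string{address}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, root, devPub, rootPriv)
	return root, device
}

// Authorize applies the post's checks in order: the device chains to the owner's
// root, the delivery address is the one bound into its certificate, and the
// quantity is within the owner-set rule.
func Authorize(root, device *x509.Certificate, rule DeviceRule, o Order) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := device.Verify(opts); err != nil {
		return fmt.Errorf("device is not linked to this owner: %w", err)
	}
	if addr := device.Subject.StreetAddress; len(addr) != 1 || addr[0] != o.ShipTo {
		return errors.New("delivery address differs from the registered address")
	}
	if limit, ok := rule.MaxQty[o.SKU]; !ok || o.Qty < 1 || o.Qty > limit {
		return fmt.Errorf("%d x %s is outside this device's rule", o.Qty, o.SKU)
	}
	return nil
}

func main() {
	root, bulb := Issue("Alice (constructed owner)", "hall-lightbulb", "1 Example Street, Testtown")
	rule := DeviceRule{MaxQty: map[string]int{"bulb-e27-warm": 1}} // a bulb may order one bulb
	for _, o := range []Order{
		{"bulb-e27-warm", "1 Example Street, Testtown", 1},   // legitimate replacement
		{"bulb-e27-warm", "1 Example Street, Testtown", 40},  // over quantity: no cash-out
		{"bulb-e27-warm", "99 Elsewhere Road, Othertown", 1}, // redirected delivery
		{"television-55in", "1 Example Street, Testtown", 1}, // item the device may not buy
	} {
		fmt.Printf("%+v -> %v\n", o, Authorize(root, bulb, rule, o))
	}
	// A device certificate from a different owner's root must not pass either.
	otherRoot, _ := Issue("Bob (constructed owner)", "bob-bulb", "1 Example Street, Testtown")
	fmt.Println("foreign root:", Authorize(otherRoot, bulb, rule, Order{"bulb-e27-warm", "1 Example Street, Testtown", 1}))
}
```

Two design points worth noting: the address is read from the certificate the owner signed, never from the order, so a device (or whoever controls it) cannot redirect delivery; and the rule is keyed by item and capped by quantity, which is exactly what limits the cash-out value to ‘one lightbulb’.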


By utilising relatively simple rules for each device, that the owner can set and agree, we are able to ensure it only performs sensible actions.

By using the existing certificate model, just in a massively scalable architecture we are able to link the devices to owners, locations and payment instruments.

Finally, by utilising blockchain and its properties, we are able to immutably store these things, with clear permissions and a full audit trail for any changes and transactions.


I’ve obviously simplified this for the purposes of this blog post, but hopefully the idea is clear.  It would definitely be great to hear your thoughts on this.  I may write a longer more detailed overview and incorporating a wider range of inputs would definitely add value!


K

IoT does not equal IoT

I was at a PETRAS IoT (Internet of Things) event recently and a question I was asked at lunchtime got me thinking.

The question was:

“Do you think cloud is secure?”

My response quite obviously was that the question needed a lot more context. Which cloud?  In what sense? Secure enough for what? Etc. etc.


We are falling into the same trap of thinking of IoT as a ‘thing’.  All IoT devices may share some traits, in the same way as there are certain traits a hosted service must have for it to be called a cloud service.

However all IoT devices clearly cannot and should not be lumped into one big category.


As my interest is in security I’ll use that as an example.

Consider the level of security required around a simple consumer device like a lightbulb.  It may have a few capabilities like on / off / dim and potentially being able to purchase one replacement lightbulb to your address.  You may also want some features in place to prevent actually logging onto it other than to perform on / off stuff, and to prevent it from enumerating your home network.

Now consider the security required around a medical device such as a pacemaker or insulin provider for a diabetic..  A while ago someone demonstrated they could hack a Bluetooth insulin device and make it release all of its insulin at once.  Obviously this was done while the device was not connected to a person!

In the above examples, as long as there are some sensible rules in place, the threat vector from the lightbulb is very limited, and the value to criminals is effectively zero.

However in the healthcare example, a security issue could lead to immediate risk to life – imagine the scenario of “pay xx bitcoins or I affect your insulin supply, or stop your pacemaker..” – thus demonstrating not only risk to life, but also a clear avenue to profit for the criminal.


We 100% need to work to improve the security and manageability of IoT devices across the board.  However we need to start segmenting this into different sectors and levels of threat / risk / value.


This will allow sensible dialogue about what is appropriate for different circumstances.  It is likely this will allow faster and appropriately secure progress.

For example, a framework for security and risk management of consumer devices such as lights, fridges, toasters etc. could likely be arrived at.  This would allow progress to be made in this space to provide consumers wider benefits from IoT, but without being mired in wider conversations about what is appropriate for healthcare or transport IoT etc.


So this post has two points:

  • When something is massive and wide ranging such as cloud or IoT, it is fine to use this as a concept but we need to stop talking about them as a single thing when we think about security etc. as there is not a single solution or set of requirements.
  • IoT – we need to define distinct, but not too narrow, use cases, e.g. healthcare, consumer, transport etc.  Following this we can agree sensible and appropriate frameworks and requirements for things like security, management, payments..


I’ve been mulling over a high level concept for securing IoT payments and the consumer space, that I’ll flesh out and share in an upcoming post.  It would be great to hear your thoughts on this and how we can best manage / secure the various types and use cases of IoT.

K

Bruce Schneier keynote from the ISF conference

I recently attended, and presented at, the ISF annual congress in Berlin.  One of the highlights of the conference was the keynote talk from Bruce Schneier.

The talk focussed on some of the current developments in IT, the internet, machine learning, IoT (Internet of Things), and what these may mean for IT security and basically everyone’s safety and security.

My notes from the talk are below, they are relatively rough, but I thought worth sharing as there are some great points and things to think about!

Internet now Senses, Sees and Acts – definition of a Robot?

Does this mean we are building a world size robot?

It’s a distributed robot…

Combination of;

Mobile, cloud, persistent computing, big data, IoT

And Autonomy..


This means – Computer security becomes Everything security…!

That means that all the things we understand from patching and vulnerabilities to security vs. complexity to network effects become relevant to everyone / everything.

As computers become more integrated with real life (medical, cars etc.) we likely move from confidentiality being the most important part of the security ‘triad’ to safety..

How do we deal with things like:

Algorithms that choose where police go or who gets parole?

How can we allow police to safely stop a car, vs. criminals being able to stop any car?


Tech / security arms races:

  • Spam
  • Click jacking
  • Ad blocking
  • Credit card fraud
  • ATM fraud


Five trends affect this security arms race (currently, may change in the longer term):

  1. Attack is easier than defence
    1. For a bunch of reasons, like complexity
  2. New vulnerabilities in the interconnections
    1. The more you connect things, the more vulnerabilities in one thing can affect another
    2. E.g. recent massive DDoS – was from cameras etc. – so vulnerabilities in these led to massive impacts elsewhere
  3. More critical systems mean more power to attackers
    1. Internet allows criminals to scale
    2. Allows attacks from anywhere / everywhere – e.g. I live in the UK, so don’t care about burglars living in Germany.  But with connected systems I can be attacked from anywhere.
    3. You don’t have to worry about the average attacker, you always have to worry about the best, as the best guy will be the one writing the tools..
  4. The economics of computer security don’t trickle down to the Internet of Things
    1. E.g. how do we secure and patch the billions of very low value devices
    2. Computers and phones – updated all the time, staff at MS etc employed just to patch
    3. Low cost embedded systems – written somewhere, dev / company moves on.  Some can’t even be patched.  So the only way to patch is to throw away and replace.  Is this a viable patch strategy?
    4. We also regularly replace things like phones and computers – this provides improved security and ensures updates.
    5. IoT stuff isn’t like this.  How often do you replace your DVR, your home thermostat etc?? 5 years, 10 years? Never??
    6. Owner and producer of these devices don’t care about the issues.
  5. Copyright laws make it very hard to do security research on these devices
    1. It can be illegal to circumvent the security of these devices, even for research.
    2. Criminals don’t care, obviously.
    3. Criminals will do the ‘research’ and will hack the devices.
    4. Researchers likely will not do the work if they will be threatened and unable to publish the research..
    5. How will we ever improve?

How to fix this:

  • Do it right in the first place
  • Agile security- rapid prototyping, fix failures fast


Doesn’t work – Chrysler recalled >1M cars to update software

Does work – Tesla – remotely updated software of all cars


Technology and Law must work together or both will fail

Example – Snowden papers showed that technology could circumvent the law, as well as the other way round

Need clear government policies on this

Do we need a new regulator for this stuff?

What regulations do we need?

Does this need to be international, not national?

Governments will get involved, can we lead this to help drive sensible and usable regulations?


Main points

  • IoT changes everything – computers impacting the world in a physical manner
    • Fewer off switches
    • Not designed just growing
  • Threats getting worse in several dimensions
  • This is all coming, fast.  Government involvement is coming
  • We need to get ahead of this – we need to start making serious choices.  We need relevant, workable laws.  We have moral and ethical choices to make.
    • We need to change how we code.
      • When software didn’t matter we let developers code how they wanted and how they saw the world..  Bugs just get fixed later.
      • Now, with lives more and more at stake, we need society to decide what is OK, and hold developers to account.
  • We need to bring together policy makers and technologists!


Government response will be fast and likely unplanned – e.g. ransomware against cars – millions of people can’t get into their cars.  OR a power plant goes offline.

This will lead to very fast and possibly badly thought out action, and regulations

Hence the need for us to get ahead of this!

We won’t get to choose – once lives are at stake you don’t get to decide if you’re regulated.  Airlines, drug companies etc. don’t get to say “hey, don’t regulate us”..  Once the internet / IoT etc. are as important as drug companies they will have no choice but to be regulated.


Do we really need to connect everything together?

E.g. could some systems (SCADA for example) connect to a SCADA only network?  Not a new internet, just secure / controlled networks for some systems?

Does believe we will solve this, but it is challenging 🙂  He is actually optimistic about this!


I’m sure you will agree, some great thinking points.  We live in very interesting times, IT security is going to become increasingly critical as more and more systems that genuinely and immediately affect life become connected to the same internet as everything else.

What are your thoughts?  Can we safely and securely enable all of these interconnected systems?

K