Catching up on recent events and seeing that the Tesla Model S is the latest in the line of vehicles to be researched and hacked, I remember one headline a couple of months ago catching my attention:
"Car Hackers Could Face Life In Prison!"
That doesn’t seem to be a proportional response, so I had to investigate the ‘meat’ of this bold headline. It refers to proposed legislation in the US state of Michigan: a bill sponsored by two state senators, probably intended to protect the fledgling connected and autonomous vehicle industry within the state. Anyone falling foul of the bill could face up to life in prison.
"I hope that we never have to use it," Kowall said. "That's why the penalties are what they are. The potential for severe injury and death are pretty high."
State Senator Kowall is one of the sponsoring senators and his comment says it all. I can't help but feel that it's another knee-jerk reaction to the symptom, not the cause. I’m reminded of a number of previous car-related hacks that the Jeep Cherokee hack demonstration kicked off in July last year. It highlighted the risk inherent in designing systems without really understanding the threat scenarios against the vulnerabilities unintentionally designed into the vehicle's interconnected and seemingly unrelated systems. Gone are the days when wire was just wire, and it seems that the auto industry is still stuck in a time of proprietary obscurity, rather than considering the secure design of interconnected, safety-critical components. Disappointingly, FCA (the owners of Jeep) chose to spin the message rather than acknowledge that FCA's code was "a bit rubbish" and that their design, software development and testing processes most likely lacked a critical component... Anyone? Glow with a halo of self-righteousness if you sagely answered correctly, ‘Security’!
"To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle."
"...the vulnerabilities uncovered by Miller and Valasek in their laboratory tests."
Both of the above are quoted from the FCA blog, and what a great job they've done there to dress up the turkey! A good job it wasn't a hack against a ‘real’ Jeep Cherokee, just a ‘laboratory mock up’. Hold up, wasn't it Miller's Jeep Cherokee they used?...
"Some of these people are pretty clever," Kowall said. "As opposed to waiting for something bad to happen, we're going to be proactive on this and try to keep up with technology."
This made me cringe and displayed a lack of the understanding required to adequately deal with such issues. I want to make it clear that I’m not justifying malicious hacking activities, but this is creating law for the sake of it - cue hand-rubbing lawyers, the only winners here. Sure, prosecute the alleged infringement, but equally prosecute any blatant negligence too.
"Lengthy attack", "difficult", "propriety", "air gap"; are all words and phrases used by the spin doctors in the obfuscation of the facts. "Doh!" (To quote one of my favourite animated TV characters, with alarmingly similar characteristics and thought patterns.)
I had hoped to think better of Tesla, but they too had a stab at spin. I’m clearly paraphrasing, but claiming ‘didn’t we do well by issuing a timely patch!’ doesn’t fill me with the confidence that they understand that architecturally you just shouldn’t be able to get close to safety-critical components through the infotainment system! Hands up all those happy with the prospect of autonomous vehicles driving down the road, carrying those dear to you, given the lack of basic understanding that led to this kind of security vulnerability?
All of which nicely takes me back to the subject of my article, education!
Education is a fundamental force for good, a huge learning opportunity across the board and should be a mandatory weapon in the arsenal when it comes to risk reduction activities, especially, it seems, within the automotive industry. Education, training and awareness should not be limited to just the parties involved in the design and creation. Others should be considered in need too:
- Educate, and not just about security! Security teams, system architects, software developers, system designers, software and security testers, the communications team and management, in their various guises. All of them badly need to be trained to understand their responsibility to the public and do things both safer and better. I'd be more likely to buy from organisations that put their hands up, say ‘mea culpa’ but then go on to demonstrate improvement.
- Educate the public. We make a lot of assumptions that safety-critical systems are secure and resilient; we believe for some reason that corporations have our best interests at heart. Sadly, for the majority, it just isn't true. During business risk analysis, we humans are reduced to a dollar figure and a human life doesn't equate to much on paper. We, the public, must get used to asking corporations to prove their commitment, shunning brands that aren't willing to disclose or constructively deal with challenges to their security posture.
- Educate the politicians being lobbied by large corporations. Not all hackers are malicious, and quite frankly I'd like a third party to check any manufacturer's homework, especially where the safety of my family may be in question! Again, I’m talking about ethical testing, not malicious attacking.
So there you have it. If you got this far, I'd like to know your thoughts. Do you believe we all should shoulder the burden of responsibility and, through a basic understanding of the risks, be in a position to influence manufacturers of cars and other devices, which could cause us injury simply because it was cheaper and easier to blame someone else for discovering the flaw, the flaw that shouldn’t have been present in the first place?
OK, I led you there! Or, the alternative:
Be morally outraged that humans would be inquisitive enough to expose risks we’d rather not know are present in the devices manufacturers tell us are getting safer every day!
I appreciate I’ve just painted a very polarised picture, but I believe mediocrity should not be tolerated in safety-critical systems and, through this bias, want others to realise it too!