We are now in the final week of Cybersecurity Awareness Month, 2020. The theme for this week is to look at the future of connected devices, specifically:
"how technological innovations, such as 5G, might impact consumers’ and business’ online experiences (e.g. faster speeds and data transmission, larger attack surface for hackers), as well as how people/infrastructure can adapt to the continuous evolution of the connected devices moving forward."
I am quoting there from the guidelines on the National Cybersecurity Alliance website. They go on to say: "No matter what the future holds, however, every user needs to be empowered to do their part." So what does that mean in practice? I will try to answer that question this week, beginning with this article, written for day 26 of Cybersecurity Awareness Month.
But first, we need some context, and if you like to get your context via video, watch this short one from the StaySafeOnline website. It makes the important point that "as technologies evolve, so will the behaviors and tactics of cyber criminals."
I captured this image from the video because it suggests a cool way of researching people's attitudes to technology. First, we show our subjects a clip of this, without the text, then you ask what they saw. Most people will probably say something like: it's a person using a smartphone app to adjust the temperature of something, maybe a room somewhere.
Now we ask our subjects second question: Assume this is a person changing the temperature of a room somewhere and give me all the reasons you can think of for doing this? If none of the answers involve some sort of negative reason—such as "annoying the person in that room" or "proving to the owner of the room that you have taken control of their heating system"—then I suggest that this group of subjects needs more cybersecurity awareness training.
Why do I say that? Because protecting technology from abuse requires us to think about what could possibly go wrong. In fact, what could possibly go wrong is something of a mantra for people working in cybersecurity. Because if you're not thinking about what could possibly go wrong with any given piece of hardware or software or combinations thereof, you're probably not going to do a good job of preventing it actually going wrong.
Of course, what could possibly go wrong is used in contexts other than cyber, often with a question mark. You can sometimes find the hashtag #WCPGW trending. I used it when I tweeted my response to this Apple announcement a few months ago: "The digital car key on your compatible iPhone allows you to conveniently and securely lock, unlock, and even start your BMW." I mean WCPGW!
Still think it's just me be a cranky curmudgeon? Look at what happens when we Google can thieves steal keyless cars. Right away we see that:
Criminals can easily steal top keyless-car models using cheap equipment that's available online ... The study looked at 237 models of cars that can be started with an electronic rather than mechanical key, and found thieves could unlock 230 of them without much difficulty. (Fortune, 28 Jan 2019)
Of course, technophilic tech bros may discount Fortune magazine as just a bunch of cynical old white dudes, but the facts speak for themselves, and so does the app, the one that my local police force uses to let folks know whenever a car is stolen without keys.
Which brings us back to cybersecurity awareness, which for millions of people now includes their keyless cars. If you are one of them, here are the top five security tips from a leading UK locksmith:
- Use a blocking pouch
- Turn off keyless fob's wireless signal
- Use a steering wheel lock or car alarm
- Re-programme your keys
- Park defensively
Jackware: a case study in future threats
Bearing all of the above in mind, you can maybe understand why, back in 2016, I tried to raise awareness of a future cyber-threat that I called jackware, a threat that was not "real" at the time, but one which will—I firmly believe—become real under the "right" circumstances.
Here's how I first described jackware on this blog: "Think of jackware as a specialized form of ransomware. With ransomware, the malicious code encrypts your documents and demands a ransom to unlock them. The goal of jackware would be to lock up a car or other piece of equipment until you pay up."
A formal definition of jackware would be: malicious software that seeks to take control of a device, the primary purpose of which is not data processing or communications, for example: your car. In my original article I said jackware would become particularly dangerous when there are more self-driving cars and vehicle-to-vehicle networks; and I suggested this nightmare scenario:
"You're in a self-driving car. There's a drive-by infection, silent but effective. Suddenly the doors are locked with you inside. You're being driven to a destination not of your choosing. A voice comes on the in-car audio and calmly informs you of how much Bitcoin it's going to take to get you out of this mess.
Not long after I wrote that, the possibility of jackware began to generate media attention, in both automotive and IT news outlets. Here are the top 10 articles that address it, only two of which were written by me:
- Jackware: When connected cars meet ransomware
- Motor Mouth: Will your self-driving car kidnap you?
- Ransomware: The Next Big Automotive Cybersecurity Threat?
- Prepare for the day when a hacker takes over your self-driving car and kidnaps you enroute
- How Safe Are Cars from Hackers?
- Heard of Jackware? When connected cars meet ransomware
- Jackware hits the big screen in #Fast8: Fate of the Furious
- ‘Who the hell hacked my car?’ Is jackware (ransomware for connected cars) inevitable?
- Ransomware + IoT = Jackware?: the evolution of ransomware attacks
- Why Data Security is More Important Than Ever
As of today, the nightmare scenario that I described in 2016 has not played out in real life (assuming you don't count the Fast and Furious movies as real life). But even though the automotive industry is taking cybersecurity a lot more seriously today than it did 10 or even five years ago, nothing I have seen or heard in the last four years leads me to think jackware will never happen.
To be clear, I have been actively tracking this issue. I attended a 2018 talk by the two guys who infamously hacked a Jeep in 2015. I discussed the practical aspects of ransomware with several experts under Chatham House rules, including award-winning researchers at UCSD who were already alerting the automotive industry to weaknesses in vehicle computer systems back in 2010 (and have recently been recognized for their pioneering work).
My point is that the technology industry has such a long history of getting security wrong—which was the point of the list shown earlier—that there has to be a presumption of failure, perhaps more kindly described as an eventual inadequacy relative to threats. That is what I was getting when I gave this quote in Car and Driver:
"The computer systems are designed, features are designed, products are brought to market, and people adopt them. On the other side, hackers speculate, probe, develop a proof of concept, [criminals] attack, and then finally monetize the threat.”
When you add to the equation the incredibly low probability of capture and sanction that criminals currently face when monetizing the exploitation of vulnerabilities in technology, and the abject failure of world governments—so far—when it comes to agreeing upon ethical norms in cyberspace, you can see why I am so concerned about the future of cybersecurity.
But what can we do about this?
 |
| Keyless Fob Pouch 6,648 reviews, 4.5 stars Amazon UK |
#BeCyberSmart
No comments:
Post a Comment