Mitsubishi Outlander hybrid being hacked

This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site.

The recently reported hack of the Mitsubishi Outlander hybrid's on-board Wi-Fi is another reminder that the increasingly complex world of the digital era needs better standards in consumer protection and professional practice.

Cars increasingly have on-board connectivity to the internet that extends beyond entertainment to the operation of the car itself, a feature of the connected ecosystem of things called "the internet of things". But while public Wi-Fi access to email and websites is one thing, access to mission-critical systems in any situation, be it a building, operating theater or transport vehicle, raises a whole different set of risk and security issues.

In the case of the reported Mitsubishi alarm system hack, the reported failure was poorly configured Wi-Fi security access. The same failure has occurred in other high-profile cases in the past couple of years, from the hacking of the in-flight entertainment system on a United Airlines flight by a security researcher in 2015 to the hacking of nearly 100 networked traffic lights in Michigan by another security researcher with a laptop in 2014, which enabled changing the state of the lights at will.

This is not a failure of the system itself or of its many benefits: better automation of car energy consumption, reduced carbon emissions and protection for drivers and the public. All these hacks exploited poor security design in public appliance, aircraft or vehicle systems. In all these cases, once the entry point had been compromised, it allowed the hacker to gain access to other onboard systems, which could include systems that threaten human safety.

This illustrates two critical issues of "system of systems". The first is the need to isolate access points to devices and systems that are used by the public as much as you would with secure private systems such as bank accounts or personal medical records. If professional researchers are finding these weaknesses, then hackers will find them too.

The second critical issue is the lack of audit and professional checking of these systems by manufacturers. While they may not know all the possible attack vectors and weaknesses, it becomes more an issue of corporate incompetence when basic mistakes are made, such as poor Wi-Fi setup and a failure to follow resilient encryption procedures.

My point about system-of-systems (SoSi) in my note. For business and IT architects this is a key practice that systems engineering may miss if integration testing is not done correctly. The meaning of any terms loosely bandied about, like "holistically", should be defined this way. The other point, about fail-safe security architecture, is kind of correct in the sense that professional engineering of mission-critical systems will follow rigorous failure mode design practices, for example, from jet engine design to heart pacemakers. It is just that this practice is not followed through in less complex systems thinking. This drives a need for better security standards for Internet of Things integration testing, which are currently missing.

There are several international standards afoot in the IoT space; the EU Commission's GDPR regulation for May 2018 is mostly about personal data and not the device layer.
ISO is only starting the technical WGs on IoT reference models: ISO/IEC JTC 1/SWG 5 Internet of Things (IoT), ISO/IEC AMI 30141 - Internet of Things Reference Architecture (IoT RA) and ISO/IWD 18575 - Internet of Things (IoT) in the Supply chain - Products & product packages. Several vendors such as IBM, Microsoft, Cisco and many others have promoted IoT awareness, but standards-body consortiums such as the Industrial Internet Consortium and several others still need more connection with security specialist groups. It always amazes me how security groups tend to cluster as a SIG when security needs to be fully integrated with RAs. In the IoT era and beyond we need ecosystem-thinking standards.

Consumers should expect better, as just having products and packaging say that something is safe to use is clearly a long way off from where sophisticated products are today and where they are heading, and this must be applied to the increasingly complex world of the Internet of Things.

1. http://www.bbc.co.uk/news/technology-36444586
2. https://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/
3. http://www.networkworld.com/article/2466551/microsoft-subnet/hacking-traffic-lights-with-a-laptop-is-easy.html

GDPR General Data Protection Regulation - EU May 25 2018 Compliance target
IoT Internet of Things
RA Reference Architecture
SIG Special Interest Group
