There’s been a lot in the media about self-driving cars recently. But what seems to be lacking from the media coverage is an assessment of the threat from lax cyber security.
Self-driving cars would appear to be inevitable as every major motor manufacturer and other big names like Google are investing big money in them. Live tests are already being carried out everywhere, including three locations in the UK.
These vehicles are also in the vanguard of the overall movement referred to as the “Internet of Things” (IoT). We are moving toward a world where even the simplest devices will be connected to the internet so that they can talk to you and each other.
The classic IoT example is the internet fridge, which will be able to detect that an item needs topping up and order it from your chosen online supermarket. It will be delivered - in the not too distant future by a drone or driverless van - and the only thing you’ll have to do is put it in the fridge. No one would be surprised if a house robot took care of that as well, before too long.
So far so good, right?
The one factor that doesn’t seem to be getting enough attention is the cyber security aspect. Although it’s early days, things don’t look too good.
With all new developments there’s a temptation to rush ahead and do the funky stuff while putting boring, non-core activities like security and encryption on the back burner. That is why we have so many problems with viruses, trojans and ransomware on our computers - there are too many loopholes from poorly designed systems that constantly have to be patched.
It took even a company of such vast experience and resources as Microsoft years to realise that releasing badly designed software, then having to issue update after update to fix the loopholes, was an unwelcome drain on time and money.
It seems to be getting worse rather than better, possibly because companies that don’t have a track record in developing software, let alone secure software, aren’t aware of the dangers and the need to design security into software from the beginning.
Already, Chrysler have had to recall 1.4 million vehicles after benevolent hackers demonstrated to a journalist that the cars could be controlled (to an extent) from a wirelessly connected laptop.
It is assumed that the greater benefits of driverless cars will come when they are in the majority and can communicate with each other. This will allow them to travel much closer together than human-driven cars, so congestion is expected to be massively eased.
Let’s hope there’s significant improvements in encryption and cyber security before that happens, or the consequences will be too horrible even to imagine.
Back at home there have been similar issues with early examples of IoT devices.
Late last year major parts of the internet slowed to a crawl as a massive attack disabled a key component of the internet - servers belonging to a web traffic management company. As a result many popular websites like Spotify, Google, Twitter, Netflix, Reddit and many others were unavailable for the best part of a day, although the effect was much worse in the US than in the UK.
Hackers (not benevolent ones this time) had managed to access thousands of web-enabled digital video recorders and security cameras. IoT devices effectively have small computers embedded in them, so anything that can be done to a PC or a laptop can probably be done to an IoT device if you can access it.
The hackers created a “zombie army” of these devices which was then used to attack the traffic management company, leading to the outages.
The reason the hackers were able to get into all of these devices was that the DVRs and cameras were all given the same default administration usernames and passwords when they were made - it’s cheaper and easier.
To software engineers this a basic problem that has existed for decades. They know to immediately change login details on new equipment, but it’s a bit much expecting ordinary members of the public both to know about it and to be able to do it.
The hope is that companies making these devices will up their game and that the events discussed here will serve as an early warning. On the other hand, are companies more likely to focus on cost and get their products to market as quickly as possible, without paying even the most basic attention to cyber security?
If you are concerned that your safety and privacy might be at risk then please contact us at www.247Investigtions.co.uk for advice and perhaps to arrange a cyber security risk assessment. The contact form is protected by the new encryption certificate on our site, which we have installed because we value customer privacy, discretion and security.