This spring I bought a new Kia Forte that came with a whole lot of electronic goodies including Bluetooth synchronization, voice command, and driver programmable features galore. And evidently, the potential to be hacked.
This is old news now, but security researchers were able to hack a Jeep Cherokee through the on-board Internet connectivity feature called “UConnect.”
“They were able to change the temperature of the air conditioning, turn on the windshield wipers and blast the wiper fluid to blur the glass, and even disable the brakes, turn off the transmission, take control of the steering, and display their faces onto the dashboard’s screen.”
The idea of having some attacker taking over and driving my vehicle while I’m in it is a fairly scary concept.
This year’s big technology meme is “The Internet of Things” or IoT. Please remember that this really means the Internet of HACKABLE Things. That cool web cam that lets you monitor your home on your smart phone may be displayed online on sites like insecam.org, as discussed in my earlier post.
Remember that the guys and gals who wrote all this cool software are the same guys and gals who wrote the last batch of software to be found full of security holes. The unfortunate truth is that most programmers dislike programming for security, find it to be bothersome, or just don’t know how. Writing secure code involves a practice known as SecDevOps, which a few enlightened software developers are beginning to use.
What can you do about it? Well, not a lot. But when you receive that email from your new IoT toy manufacturer advising you to upgrade the software or firmware in your device, please do so. And remember, if your device seems to be hacked, the easiest solution is to turn the thing off!
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com