Charlie Miller has been hacking computers and phones for over a decade. His ends aren’t nefarious, however: he’s a security researcher working to expose vulnerabilities that will ultimately make our systems safer.
In order to raise public consciousness of the issues at stake, he’s been hoping to hack something less techy and abstract that would resonate with everyone.
“I wanted to do something that my grandmother would understand,” he says.
For better or for worse, Mr. Miller has found such a target: cars.
Over the past two years, he and fellow researcher Chris Valasek have figured out how to “control hundreds of thousands of vehicles remotely,” which includes tracking vehicles by location; accessing their locks, blinkers, wipers, radios and navigation; and even controlling brakes and steering in some situations.
Their decision to announce these discoveries led to some criticism from within the auto industry, but within days Fiat Chrysler had recalled 1.4 million vehicles over the security issue.
This car-hacking case illustrates the complex challenges we face as more and more of our devices are going online and communicating with each other.
The much-hyped Internet of Things has promised to bring unprecedented convenience to all aspects of our lives. In our new “smart” houses, the fridge will notice we’re almost out of milk and place a new order to arrive on our doorstep. The thermostat will learn our habits and talk to motion sensors in order to automatically adjust the temperature. A set of misplaced keys will tell us via text message where in the house it is hiding.
The Internet of Things also has implications much larger than the household—smart grids and cities, smart cars connected to road infrastructure, all working together to decrease emissions, inefficiencies and congestion.
But the potential security vulnerabilities that come with this increasingly connected world pose serious concerns. As PC Mag put it: “Installing antivirus on your PC is a no-brainer, but what can you do when the device to be protected is a toy, or a toaster?”
Hackers with more malicious intent than Mr. Miller are already busy breaking into our homes virtually. Baby monitors, for example, have been hacked thanks to vulnerabilities in the camera’s software, resulting in strangers yelling obscenities at sleeping babies.
Many worry about what else might be at risk. One CTO called the situation a “time bomb” waiting to explode because many of the firms manufacturing the devices aren’t spending nearly enough on security. Another executive added that most of these companies have traditionally focused on the physical product side and “barely have IT staff.” Many devices being sold use unencrypted connections, which increases risk.
Personal privacy may be at stake too. When our devices are connected, data can flow both ways. What information about us and our intimate habits will be sent out and to whom?
Some are calling for uniform standards to address these issues. The FTC has dabbled in the business of punishing negligent operations, but it remains unclear what the expectations should be and how they should be enforced.
The National Security Telecommunications Advisory Committee is one group that has called for a systematic response. It issued a report directly to the President, saying that “there is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
An executive at the manufacturer of hacked baby monitors, on the other hand, argues that the current climate of fear is unwarranted:
“Hackers breaking into them is not any different from a house being broken into even though the door was locked. I can complain to the lock manufacturer, but they’ll say the lock isn’t perfect. It doesn’t mean the company is bad or the product is bad or that people shouldn’t have door locks. People are going to keep getting these home automation products because the benefits outweigh the risks. But when the lock is picked, we need to use that as an opportunity to improve the locks moving forward.”
Overall, it’s unlikely that our houses will start to adopt an overbearing personality and refuse to let us go outside, as was the case in the 1999 Disney Channel Original Movie Smart House. But security will certainly be a major issue for the Internet of Things as we continue our rush to connect as many devices as possible.