My favorite new MediaPost publication is the IoT (Internet of Things) Daily. They haven’t asked me to talk about this at all; I promise. But it’s so cool. It’s the one talking about
all the bright shiny things, like
residents at a senior community wearing sensors so they don’t go wandering
off, or a
male grooming service adding virtual reality to its offering.
On Wednesday, though, there
was a headline that really stopped me in my tracks. Or rather, a headline about somebody stopping something in its tracks: the specific someone being hackers, and the thing they stopped in its tracks
being a jeep going 70 miles per hour.
This story is terrifying -- and the
substance of it isn’t even that bad. These weren’t “14-year-olds-in-their-parents’-basement” hackers playing the most heart attack-inducing prank ever; they were
well-known hackers specifically “conducting car-hacking research to determine if an attacker could gain wireless control to vehicles via the internet.” The driver wasn’t some
unsuspecting dupe; it was Wired writer Andy Greenberg, the hackers’ self-described “digital crash-test
dummy.”
advertisement
advertisement
No, it wasn’t the event that was so scary; it was the implications. It’s bad enough when your MacBook gets hacked. It’s worse when the computer being hacked is
the one you drive in, or fly in. Networked machines control every piece of critical infrastructure we have, from air traffic control to sewage treatment, and we are shockingly unprepared to protect
their vulnerabilities.
Way back in 1997, a teenage boy was able to hack into the Worcester, Mass. airport and
disable “phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. Also, the tower's main radio transmitter and
another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The hacking also knocked out phone service to 600 homes in the
nearby town of Rutland.”
Our security has gotten more sophisticated since then, but the risks have also gotten exponentially greater. By the end of this year, 13 billion things will be connected to the Internet. 13 billion
possible access points. 13 billion vulnerabilities.
Two years ago, Dick Cheney revealed that he had the wireless functionality of his pacemaker disabled because it could plausibly have been
hacked. In a Washington Post piece on the topic, Andrea Peterson
summed up the issue: “Security Researchers have long warned that the IT security on medical devices is lacking and malware runs ‘rampant’ in hospital environments. Often, medical
software tends to be older and more vulnerable than consumer tech because updating the software might risk running afoul of their Food and Drug Administration approval. So somewhat ironically,
regulation in place to ensure the safety of medical devices ends up being an excuse for those systems to remain static, and thus less secure. That is especially worrisome because more and more of the
medical devices people depend on to stay alive are becoming networked into the so-called ‘Internet of things.’”
So what should we do about this? At Singularity University in March, Marc Goodman, the author of "Future Crimes,” laid out a series of
challenges:
- To Silicon Valley, to stop with the culture of “Just ship it” and start being accountable when insecurity approaches negligence.
- To data management
folks everywhere, to encrypt everything. There is no reason not to encrypt patient records, employee records, and the like.
- To government, to create a National Cyber Reserve Corps, bringing
in and training 100,000 people to be prepared for disaster so we’re not training them during a disaster.
- And to someone like X-Prize Foundation, to
create a $20 million cash prize designed to crowd-source cybersecurity solutions.
It’s doubtful there’s any one answer. But it’s clear that, if we don’t take
this stuff seriously, a hacked Jeep may just be the least of our worries.