The news shocked the car and tech industries: Two hackers accessed the control systems inside a Jeep Cherokee — and they weren’t anywhere near the driver’s seat.
Using a vulnerability they found in the SUV’s WiFi-enabled control system that utilized a cellular connection via Sprint, the hackers were able to control almost everything from the brakes and steering to the door locks, according to a report released this July. They could potentially override a driver from some 70 miles away.
Fiat Chrysler recalled well over 1 million vehicles due to the findings. Part of the problem was that the company couldn’t develop a patch to fix the issue.
The Internet of Things is everywhere, from our kitchens to our backpacks to our garages. And yet, as the technology develops, so do potentially dangerous security holes, and it’s not limited to hacking a single machine — some of these connected devices could potentially put a whole network at risk.
This summer, several agencies have banded together to create best practices to help both manufacturers and customers navigate this new arena of growth and risk.
The Online Trust Alliance (OTA) Internet of Things (IoT) Working Group, which includes ADT, Microsoft, Symantec, TRUSTe and Verisign, released a security framework for IoT-connected devices. The framework aims to encourage companies to share security information and best practices, as well as a code of conduct, and to create criteria by which firms should judge security.
“We’re focusing on three pillars,” Craig Spiezle, OTA’s executive director and president, said earlier this year. “Privacy, security and sustainability. By sustainability, we mean lifecycle issues beyond the traditional product warranty. Such as, how will it be patched? What happens if the company is no longer in business?”
As an example, two other experts found an outdated browser with a known vulnerability linked to high-end Tesla cars. Who is responsible for the patch? And what would happen if Tesla went out of business?
Providers, Spiezle says, “must look at security and privacy simultaneously. Second, they need to look at the flow of data and touch points, and hold their partners and service providers accountable.”
It’s not enough, in other words, to monitor product development. Companies also need to monitor the development and assessments of all their vendors.
Bob Wang, founder and CEO of the company that produces the tabletop electronic pressure cooker Instant Pot, recently released a Bluetooth-enabled device that allows mobile devices to “talk” to the cooker and program basic heat and cooling steps. Some have questioned the usability of the Bluetooth, and WiFi connectivity may have potential. But WiFi capability rushed to market could create a breach that gives a hacker access to a homeowner’s network, and to all of that home’s devices, Wang says. Or worse, it could allow hackers to worm into the Instant Pot servers and potentially into all of the homes connected to those servers.
And that’s just for one piece of equipment, in a relative handful of homes, that takes up less space than most microwaves. Multiply that potential out to almost every home tool or appliance, from keyless locks to refrigerators that Tweet, and the future may seem exciting — and petrifying — without some kind of protocol or safety net.
The formal IoT framework should be finalized around mid-November.