In my office I build and work with the latest technologies. My company, ZZ Servers, builds and maintains business infrastructures with security as the primary focus. We work to keep systems online while providing the most secure environment possible for businesses to conduct their work and for individuals to keep their data private. I firmly believe we all need to get and stay connected safely.
But when I’m on the road, I’m anything but cutting edge. Cool, perhaps. But not cutting edge. At least from what you can see.
I drive a 50-year-old Volkswagen van, named Opel. It’s a classic, known for its split window and smiley face front-end. Until I have the time to paint it green, it’s gray and white. I’ve owned it for 15 years and the only computers in it are the ones I’ve added myself.
What does this old school car get me besides being the most fun car to drive that was ever created?
For one, a car that can be driven after the nuclear EMP blast takes out all electronics. But even more timely and realistic, Opel is protected against one of the newest and most dangerous security trends now occurring – car hacking.
Now that all vehicles today are computer controlled, security researchers (professionals and hackers alike) are discovering that the interfaces and systems of car computers have no logging or security controls in place to restrict and protect them. This allows local and remote attackers to send commands to just about any system controlled by the vehicle computer.
Can you imagine driving and someone taking control of your brakes? It’s possible. And it’s happening.
Car hacking was among the key topics at DEF CON 23, rated among the largest and oldest continuously running hacker conventions in the world. The hackers descended on Las Vegas from Aug. 6 to 9 at Paris & Bally’s. And ZZ Servers was there.
DEF CON started making headlines even before the event kicked off with announcements that hackers intended to showcase how they can crack a Brink’s safe in less than 60 seconds thanks to a vulnerability in a USB port. The model in question was Brink’s CompuSafe Galileo, which is intended for use in retail stores as a cash management system.
While the idea of cars getting hacked also made headlines weeks before DEF CON, at DEF CON cybersecurity teams could get more familiar with the concept thanks to conference organizers having cars, tables full of car components ready to play with and presentations on what to do with each piece. Ready for (white hat) hackers to play with, that is.
At DEF CON you could plug your computer into cars and, as a hacker, see how easy it is to get in and manipulate the vehicle. Most cars today have some sort of interface ports on them – some more easily accessible than others. Think about a network IP address like in your office. Hack the network and you are in.
It’s the “internet of things.” Most things that are electronically computer controlled are built as devices on a network. You can send orders to all those computer controlled items with commands that the manufacturers never expected would be accessed the way attackers do.
Where this becomes a problem with cars is that once someone is on a network, all things on the network trust each other. That’s very old school computing. Think about the way things run in your office. How many times do you need to input a password to access your files?
As CNET reported earlier this summer, “The list of ways to electronically hijack cars is growing thanks to devices used to monitor drivers’ roadway behavior. Recently, we’ve seen a wave of devices vying for placement in your car’s onboard diagnostics port (known as OBD-II). These little plastic boxes promise to connect your car to the Web, help you boost your fuel economy and even lower insurance rates by reporting your driving habits wirelessly to your insurance company. But some of these little boxes could also be an Achilles’ heel that leave their host cars vulnerable to hacking, warns a group of digital security researchers at the University of California at San Diego.”
According to CNET, “To illustrate, the researchers equipped a Chevrolet Corvette with one of these driver-monitoring telematics boxes and were able to take control of the vehicle using little more than SMS instructions sent to a specific phone number. The researchers were able to activate the wipers, engage the brakes and even disable the brakes at low speed.”
Car manufacturers are learning they should have some authorization and logging (like a black box for cars) for all elements on a car network.
Until that gets fixed, as was evident at DEF CON, hackers have a much easier time getting onto your car network.
Note where I said above that the only computers in my 50-year-old VW van are the ones I’ve added myself. I may be in the middle of building a fully voice activated DVR system in the van, custom lights, cameras – all to be computer controlled – but you’ll need multiple layers of authorization to touch any part of it.
ZZ LESSON OF THE DAY:
Buying a new car? Ask the dealer if they allow an over-the-air update if the manufacturer finds issues they need to address. And if not, ask whether updates are downloadable and customer installable. Allowing updates enables the manufacturer to fix security issues – much like your phone or computer is fixed now – without hardware updates, which would require a full recall like what happened with Chrysler/Jeep when they recently recalled 1.4 million vehicles to fix a bug in their system. Many vehicles may never make it in for the recall update before putting drivers and their passengers at risk.
ABOUT DAVID M. ZENDZIAN, MANAGING PARTNER, ZZ SERVERS
With more than 25 years in the security and systems industry, David M. Zendzian founded ZZ Servers with his brother, a 20-year retired U.S. Navy Chief Technology Specialist, to leverage the latest technologies and bring enterprise class hosting and compliance solutions to all levels of business. Prior to ZZ Servers, Zendzian spent seven years as a PCI QSA / PA-QSA working with companies such as Virgin Mobile, Williams Sonoma, Wells Fargo Bank, U.S. Marine Corps Community Services, Kayak.com and others.
Prior to becoming a QSA, David was Technology Manager for Wells Fargo Bank, Private Client Services (PCS, High-Net worth / Brokerage / Wealth Management) where he managed a team of Security/Network & Server architects that designed and deployed every Wells Fargo PCS technology project.
Before Wells Fargo, Zendzian served as CEO & Lead Consultant with DMZ Services where he deployed and maintained enterprise servers and security for a variety of .COM startups including JustGive.org, an online giving portal where he provided critical resources to the partnering between JustGive and American Express to create the American Express giving portal. JustGive generated over $24 million for tens of thousands of nonprofits in 2007.
In the early 1990s, Zendzian was a founding partner in one of the first Internet Service Providers (ISPs) in South Carolina and in 1997 Zendzian founded the first Wireless ISP in the southeast, Air Internet.
Zendzian shares his work and research with the community, publishing “Hack Proofing your Wireless Network” and speaking at security and private corporate conferences on wireless security, mapping through aerial and satellite technologies, PCI compliance and other general security and architecture topics.
As a strong advocate of OpenSource development, Zendzian has provided patches to many projects including updates and a complete solution for hosting, account management and payment interface for the NoCat WiFi hotspot gateway and SASL (Simple Authentication and Security Layer, developed by Carnegie Mellon).