Wednesday, December 28, 2016

IoT saves lives but infosec wants to change that

The cybersecurity industry mocks/criticizes IoT. That's because they are evil and wrong. IoT saves lives. This was demonstrated a couple weeks ago when a terrorist attempted to drive a truck through a Christmas market in German. The truck has an Internet-connected braking system (firmware updates, configuration, telemetry). When it detected the collision, it deployed the brakes, bringing the truck to a stop. Injuries and deaths were a 10th of the similar Nice truck attack earlier in the year.

All the trucks shipped by Scania in the last five years have had mobile phone connectivity to the Internet. Scania pulls back telemetry from trucks, for the purposes of improving drivers, but also to help improve the computerized features of the trucks. They put everything under the microscope, such as how to improve air conditioning to make the trucks more environmentally friendly.

Among their features is the "Autonomous Emergency Braking" system. This is the system that saved lives in Germany.

You can read up on these features on their website, or in their annual report [*].

My point is this: the cybersecurity industry is a bunch of police-state fetishists that want to stop innovation, to solve the "security" problem first before allowing innovation to continue. This will only cost lives. Yes, we desperately need to solve the problem. Almost certainly, the Scania system can trivially be hacked by mediocre hackers. But if Scania had waited first to secure its system before rolling it out in trucks, many more people would now be dead in Germany. Don't listen to cybersecurity professionals who want to stop the IoT revolution -- they just don't care if people die.

Update: Many, such the first comment, point out that the emergency brakes operate independently of the Internet connection, thus disproving this post.

That's silly. That's the case of all IoT devices. The toaster still toasts without Internet. The surveillance camera still records video without Internet. My car, which also has emergency brakes, still stops. In almost no IoT is the Internet connectivity integral to the day-to-day operation. Instead, Internet connectivity is for things like configuration, telemetry, and downloading firmware updates -- as in the case of Scania.

While the brakes don't make their decision based on the current connectivity, connectivity is nonetheless essential to the equation. Scania monitors its fleet of 170,000 trucks and uses that information to make trucks, including braking systems, better.

My car is no more or less Internet connected than the Scania truck, yet hackers have released exploits at hacking conferences for it, and it's listed as a classic example of an IoT device. Before you say a Scania truck isn't an IoT device, you first have to get all those other hackers to stop calling my car an IoT device.


Timo Ollech said...

Umm, the example you give does not prove your point at all. Scania's AEB system works completely independent of any internet connection:

Fabien T said...

OK, we see your point "security shouldn't stop innovation." .
But this article is certainly the worst way to show it.

First, choosing a terrorist attack to make a point about IT security is not showing a great respect to victims.

Then, you take an example where the innovation is a security measure, to show that if time have been wasted to secure the security measure, security could be worst... o_O

What about a confort option like controlling air conditioning of your car remotely ? If a group of hackers take control of the system and make millions of cars go straight in the wall ? have breaks non-working ? Is it good for the sake of innovation ?

In fact, the message has been the same for decades : yes you must innovate, but yes you must ask yourself a simple question : "is it worst the risk ?", it's all about risk analysis and it must be done when live are at stakes (like for autopilot) . And it's the same for a truck whose brakes could be remotely controlled.

darkfader said...

must suck if the very first reply shows you wrote basically BS.
these safety critical systems work so well exactly because no non-forward thinking people are yet allowed into designing them.
stay the fuck out of safety sys with your mindset.

fasfasd2 said...

So the takeaway is don't worry about security until someone finds a way to make it frictionless?

Number 6 said...

There are issues with this opinion that I have, and yes it is your opinion and you are allowed to have it.

1) Over-generalization. To say the whole Infosec field is against IoT is wrong in its own way.
2) It is not about the IoT devices, nor the innovation itself. The companies are putting these devices, which can be life savers, out there without ways of patching a good amount of them, let alone actually deploying patches in a timely fashion, if at all to the devices.

There is a balancing act that has to happen. The majority of infosec people I know use IoT devices all the time, but we know what we are getting into with them. The general public can't. Yes it would be great to bake in security into the devices, use more secure code, have them spend a little more time in QA with the devices, but when you hard bake credentials that cannot be changed, when you leave no way for a device to be updated without purchasing the newest device, you are failing the public and creating the openings for more trouble. Think about it, is Mirai the only thing that can happen, or are there possibilities of worse? Could that chance be lowered just by making something that can be updated and updating it?

Walid Damouny said...

I'm inclined to agree with the author. The whole of the Internet was not secure until it became so. If we said "no wait don't deploy that Internet until it's secure" we wouldn't have what we use today. Remember how much web browsing, email, Twitter and Facebook contributed to the world before they became secure. The difference today is the scale of insecurity that many insecure cookie cutter made IoT devices create. However an imperfect launch of IoT is not a disaster. The whole of the Internet was insecure one day just like the whole of IoT is today. Since most of the Internet is secure I expect IoT to follow suit.

Timo Ollech said...

My point was that it isn't the internet connection itself that performs the actual function. On the other hand, as you say, the truck became an IoT device in the sense that things like the emergency brakes are part of a total system that is connected to the internet for monitoring, installing updates and the like. And that does make it vulnerable. You simply cannot deny this.

Bruce Schneier recently wrote about what he calls class breaks: "Security notions like the precautionary principle­ -- where the potential of harm is so great that we err on the side of not deploying a new technology without proofs of security -- will become more important in a world where an attacker can open all of the door locks or hack all of the power plants. It's not an inherently less secure world, but it's a differently secure world. It's a world where driverless cars are much safer than people-driven cars, until suddenly they're not. We need to build systems that assume the possibility of class breaks -- and maintain security despite them."

In other words, let's continue developing IoT devices while keeping in mind that there are security aspects to consider which didn't matter before connecting a device to the internet.

Can we agree on that?