Cybersecurity, Youthful Ingenuity and Car Hacks
Cybersecurity for embedded systems has come onto the limelight in recent years. The connected systems in vehicles have pulled this as a primary focus. If these systems are compromised, no one is safe on or near the roadways. With the emphasis on this, a bit of history is warranted. Without a quick baseline of where we began, the present trajectory does not mean as much to us. Just over four years ago, there was an astounding event. About this same time, the infamous Jeep hack occurred. This was a well-financed, researched endeavor. There was another interesting event involving ingenuity and the cost of two movie tickets.
Curiosity Pushing Creativeness or Ingenuity is the Mother of Invention
In 2015, a 14-year-old boy decided to fiddle around with a vehicle’s embedded system. The creative mind thought through the attack and figured it would be a great way to spend his time. A person, generally, is not able to simply walk up to a vehicle and miraculously hack it. There has to be some form of research to even attempt this. The young researcher when to the local (at the time) Radio Shack and purchased $15 of electronics. The equipment was openly available to anyone with the money, and did not require anything special. He was able to use this to unlock and start a connected vehicle. The target vehicle was not manufactured by a new, small automaker with little experience, however, just the opposite.
What makes this significant?
There has been many different vehicle attacks and compromises published over the years. These vary from the basic to the attacks requiring multiple steps and everything to line up perfectly. This particular attack was different. This shifted the attack theory. The industry easily could be caught up in applying technology. They have to purchase the newest equipment and use this wherever possible to highlight the capabilities for the investors and industry. The “look at what we can do” is warranted in certain environments. This works to advance technology and capabilities in pertinent circumstances.
This sounds wonderful, however, certain parties become wrapped up in equating the expense with testing and cybersecurity. Dependent on the circumstances, it may be acceptable to spend $200-$300 on equipment to create a new testing device, instead of $3,500 for something which may or may not work well given your use. With this, your business may distinctly not spend a mass amount, if the business does not need to. As with independent labs and testing facilities, the real focus should be the mission-to independently test the products using what is needed. A successful test and attack are based on the results, not necessarily the amount spent on the equipment. It is notable with certain tests; high end equipment is required. This is however not the case with all the circumstances. At time simple ingenuity is more pertinent.
Bigelow, P. (2015, February 15). A 14-year-old hacker caught the auto industry by surprise. Retrieved from https://www.autoblog.com/2015/02/18/14-year-old-hacker-caught-industry-by-surprise-featured/
King, L. (2015, February 23). 14-year-old hacks connected cars with pocket money. Retrieved from https://www.forbes.com/sites/leaking/2015/02/23/14-year-old-hacks-connected-cars-with-pocket-money/#69286a702f81
Lavrinc, D. (2015, February 15). How a 14-year-old hacked a car with $15 worth of radio shack parts. Retrieved from https://jalopnik.com/how-a-14-year-old-hacked-a-car-with-15worth-of-radio-1686620075
Mearian, L. (2015, February 20). With $15 in radio shack parts, 14-year-old hacks car. Retrieved from https://www.computerworld.com/article/2886830/with-15-in-radio-shack-parts-14-year-old-hacks-a-car.html
Vijay. (2015, February 20). 14 year old hacks car with homespun kit with circuits bought from radio shack. Retrieved from https://www.techworm.net/2015/02/14-year-old-hacks-car-with-homespun-kit-with-circuits-bought-from-radio-shack.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.