It Wasn’t an Equifax Toaster That Stole 145M People’s Personal Data

The good news? Bad guy hackers are lazy, and will move on to easier pickings when confronted with good security. The bad news? Good security is often expensive, and not necessarily a cost businesses are enthusiastic about adding to product prices and passing on to customers. Those were key takeaways from security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference.

While there were many great presentations at FLIGHT this year, Miller and Valasek’s keynote was a highlight. The two security experts, best known for remotely hacking a Jeep (once with a WIRED reporter aboard as an unhappy passenger), covered subjects ranging from autonomous vehicles to IoT security in a freewheeling hour-long session that had the audience both laughing and somberly contemplating the future of software security in an increasingly connected, increasingly insecure world.

“The problem is, great security is expensive,” noted Miller. “At some point, you need to ship product and accept the fact you can’t secure every potential vulnerability.”

“It’s never going to be cost effective to build world-class security into every connected device,” Valasek added. “Device makers can’t sell great security as a product feature and pass the cost on to the customer. An IoT toothbrush with a secure platform would cost millions to develop and maintain. Given that you have a need for it, if you’re going to buy a connected toothbrush, are you going to spend your money on a $400 toothbrush with state-of-the-art security, or a $4 toothbrush with ‘good’ security?”

The Miller/Valasek team feel the media, public, and security researchers themselves spend too much time worrying about the security issues of low-priority devices and not enough on the security of things such as automobiles and medical devices. “There is a big difference between an insecure connected toaster and security cameras hijacked to carry out DDoS attacks,” they said. “Prioritizing which needs more security is the challenge.”

Speaking of car security, what about that Jeep hack? Miller and Valasek related that breaking into the Jeep’s CAN-BUS and then reaching the head unit was neither easy nor quick: it took the researchers several months to accomplish, and is not a task the average black hat hacker would be likely to undertake. That said, Miller and Valasek feel autonomous vehicles present a special and dangerous upcoming challenge. “Autonomous vehicles are the next-level thing to worry about in hacking cars,” Miller said.

The difference between yesterday’s hacked Jeep and today’s autonomous vehicles? “Autonomous vehicles are being specifically designed for outside input,” Miller said. “In 2014 it was an accident our Jeep’s CAN-BUS had so much access to the car’s functions and that Sprint gave us access to the car’s head unit. With self-driving cars, everyone already knows there’s a pathway in. And our Jeep had a steering wheel and brake pedal to fall back on. Without either of those you’re screwed if your car gets hacked.”

Their concluding advice? “It’s fun to talk about hacking IoT devices,” said Miller. “But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks such as server breaches.”

“It’s not internet-enabled lightbulbs that you have to worry about,” Valasek added. “After all, it wasn’t an Equifax toaster that led to 145 million people getting their personal data leaked.”
