It Wasn’t an Equifax Toaster That Stole 145M People’s Personal Data

The good news? Bad guy hackers are lazy, and will move on to easier pickings when confronted with good security. The bad news? Good security is often expensive, and not necessarily a cost businesses are enthusiastic about adding to product prices and passing on to customers. Those were the key takeaways from security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference.

While there were many great presentations at FLIGHT this year, Miller and Valasek’s keynote was a highlight. The two security experts, best known for remotely hacking a Jeep (once with a WIRED reporter aboard as an unhappy passenger), covered subjects ranging from autonomous vehicles to IoT security in a freewheeling hour-long session that had the audience both laughing and somberly contemplating the future of software security in an increasingly connected, increasingly insecure world.

“The problem is, great security is expensive,” noted Miller. “At some point, you need to ship product and accept the fact you can’t secure every potential vulnerability.”

“It’s never going to be cost effective to build world-class security into every connected device,” Valasek added. “Device makers can’t sell great security as a product feature and pass the cost on to the customer. An IoT toothbrush with a secure platform would cost millions to develop and maintain. Given that you have a need for it, if you’re going to buy a connected toothbrush, are you going to spend your money on a $400 toothbrush with state-of-the art security, or a $4 toothbrush with ‘good’ security?”

The Miller/Valasek team feel the media, public, and security researchers themselves spend too much time worrying about the security issues of low-priority devices and not enough on the security of things such as automobiles and medical devices. “There is a big difference between an insecure connected toaster and security cameras hijacked to carry out DDoS attacks,” they said. “Prioritizing which needs more security is the challenge.”

Speaking of car security, what about that Jeep hack? Miller and Valasek related that breaking into the Jeep’s CAN-BUS and then reaching the head unit was neither easy nor quick, taking the researchers several months to accomplish, and not a task the average black hat hacker would be likely to undertake. That said, Miller and Valasek feel autonomous vehicles present a new and especially dangerous challenge. “Autonomous vehicles are the next-level thing to worry about in hacking cars,” Miller said.

The difference between yesterday’s hacked Jeep and today’s autonomous vehicles? “Autonomous vehicles are being specifically designed for outside input,” Miller said. “In 2014 it was an accident our Jeep’s CAN-BUS had so much access to the car’s functions and that Sprint gave us access to the car’s head unit. With self-driving cars, everyone already knows there’s a pathway in. And our Jeep had a steering wheel and brake pedal to fall back on. Without either of those you’re screwed if your car gets hacked.”

Their concluding advice? “It’s fun to talk about hacking IoT devices,” said Miller. “But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks such as server breaches.”

“It’s not internet-enabled lightbulbs that you have to worry about,” Valasek added. “After all, it wasn’t an Equifax toaster that led to 145 million people getting their personal data leaked.”
