The good news? Bad guy hackers are lazy, and will move on to easier pickings when confronted with good security. The bad news? Good security is often expensive, and not necessarily a cost businesses are enthusiastic about adding to product prices and passing on to customers. Those were key takeaways from security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference.
While there were many great presentations at FLIGHT this year, Miller and Valasek’s keynote was a highlight. The two security experts, best known for remotely hacking a Jeep (once with a WIRED reporter aboard as an unhappy passenger), covered subjects ranging from autonomous vehicles to IoT security in a freewheeling hour-long session that had the audience both laughing and somberly contemplating the future of software security in an increasingly connected, increasingly insecure world.
“The problem is, great security is expensive,” noted Miller. “At some point, you need to ship product and accept the fact you can’t secure every potential vulnerability.”
“It’s never going to be cost effective to build world-class security into every connected device,” Valasek added. “Device makers can’t sell great security as a product feature and pass the cost on to the customer. An IoT toothbrush with a secure platform would cost millions to develop and maintain. Given that you have a need for it, if you’re going to buy a connected toothbrush, are you going to spend your money on a $400 toothbrush with state-of-the-art security, or a $4 toothbrush with ‘good’ security?”
The Miller/Valasek team feel the media, public, and security researchers themselves spend too much time worrying about the security issues of low-priority devices and not enough on the security of things such as automobiles and medical devices. “There is a big difference between an insecure connected toaster and security cameras hijacked to carry out DDoS attacks,” they said. “Prioritizing which needs more security is the challenge.”
Speaking of car security, what about that Jeep hack? Miller and Valasek related that getting into the Jeep’s head unit and from there onto the CAN bus was neither easy nor quick: it took the researchers several months, and it is not a task the average black hat hacker would be likely to undertake. That said, Miller and Valasek feel autonomous vehicles present a special and dangerous challenge ahead. “Autonomous vehicles are the next-level thing to worry about in hacking cars,” Miller said.
The difference between yesterday’s hacked Jeep and today’s autonomous vehicles? “Autonomous vehicles are being specifically designed for outside input,” Miller said. “In 2014 it was an accident our Jeep’s CAN bus had so much access to the car’s functions and that Sprint gave us access to the car’s head unit. With self-driving cars, everyone already knows there’s a pathway in. And our Jeep had a steering wheel and brake pedal to fall back on. Without either of those you’re screwed if your car gets hacked.”
Their concluding advice? “It’s fun to talk about hacking IoT devices,” said Miller. “But, don’t let it distract you from protecting against the real way your enterprise could get hacked. Focus on real attacks such as server breaches.”
“It’s not internet-enabled lightbulbs that you have to worry about,” Valasek added. “After all, it wasn’t an Equifax toaster that led to 145 million people getting their personal data leaked.”