I recently broke the key fob for my car. It was just one of those days. I was late for work. It was raining. The kids were dashing ahead trying to cross the street through busy traffic. I was carrying too many things and ended up dropping my keys. Before I realized they’d fallen, I stepped on the fob and crushed it, rendering it useless. Without a working fob, I had to go old school and use the actual key.
It’s easy enough to fix by ordering a new fob, reprogramming it with a series of keyed ignition turns and button presses.
This reminded me of keyless ignition systems and the raft of thefts occurring. IEEE even noted that some insurance companies have been known to refuse coverage when these vehicles aren’t parked in a ‘secure location.’
But wait a minute. Isn’t a car supposed to be a secure entity that’s capable of protecting itself in an environment where theft is a common problem? The insurance companies are claiming that the car needs to be secured by an additional mechanism? That doesn’t make sense.
The reason is due to the keyless ignition systems that are vulnerable to quick and cheap attack methods that can be used to steal a car. A group of German researchers is reporting that someone can enter and start a keyless ignition system and drive away with a car, all for under $300.
The attack is carried out using two radios that essentially get in-between the key fob and the car, replaying the signals. Thieves are able to drive off because the cars do not require the continued presence of the radio signals from the key once the car starts. The flaws here are twofold:
The current state of security within the Internet of Things resembles the insurance company response—just add another layer of security after the fact to secure your device. In the rush to get new technologies to the market and pushing the envelope with new features, significant security flaws in IoT devices are emerging. Far too frequently, the recommendation from the Thing-manufacturer is the same as the insurance company—put it behind a firewall to keep it secure because it can’t secure itself.
That’s the wrong design philosophy. Cars should be resistant to theft. Similarly, Things on the Internet should be resistant to attack.
We’ve all come to trust that our cars will remain where we leave them until we return to retrieve them. We have the same expectations for the integrity and availability of the Things we bring into our networks. The same principles that Synopsys has been talking about for 10+ years need to be applied to Things while they’re being built. One of those principles is to ensure secure default configurations.
Fortunately, my car came with what I now recognize as a secure default—requiring the physical presence of the key to enter, start, and continue running. Keyless entry and ignition systems have missed this same security posture.
It makes me wonder about the software and the default settings on all those Things on the Internet. How secure are they? I’ve got my suspicions. I only hope I’m wrong.
Dan Lyon is a principal consultant at Synopsys. As the Embedded Security practice lead, he provides unique security solutions on many different critical systems in a variety of industries, including automotive, government identity, financial, industrial control, medical device, pharmaceutical, and healthcare. Dan has contributed to AAMI’s Medical Device Security working group, IEEE’s Building Code for Medical Device Software Security, and the Archimedes Center for Medical Device Security. Dan holds BA degrees in Mathematics and Computer Science from Luther College, five active certifications through GIAC, and frequently contributes to articles on Internet of Things security.