Linux Rifles and Skateboard Security - Canaries in the Coal Mine

There were a bunch of recent headlines around the Linux-based smart rifle that some hackers demonstrated the ability to control in a limited fashion remotely and against the user's wishes. The rifle itself is a bit of a curiosity in its own right, and the fact that you have a rifle being hacked certainly causes a bit of a stir, and rightly so. The problem is that the number of these kinds of rifles out there is next to none, and the actual scenario that would have to play out in order for this hack to go so horribly awry is kind of a stretch. Likewise, there are rumblings about an electric skateboard that can be disrupted.

Hackers on both of these projects admit a limited window of opportunity to actually cause harm, and no one is even suggesting that someone in the real world is trying to do any of the bad things that could be done, like switching your rifle to an innocent target or causing your skateboard to grind to a halt in the middle of the street. Instead, they look to educate, and this should be their purpose. The purpose of the media covering them is to get clicks, so they come up with interesting headlines that make the reader think it's entirely possible someone is going to cause them (the reader) to be shot or to be 360 Ollie Kickflipped in the face.

The fact is, companies are putting out new, innovative devices the same way they've always done it - they come up with a neat idea, get it to work, meet whatever regulations they have to, and put it on the market. There is no step that explicitly calls out security in this process. While security professionals would argue that security is supposed to be baked into the whole deal, that's not what happens. As a result, you get a flawed platform that puts people at risk. In these two cases, that risk is pretty remote, but it's there.

As we start to integrate more and more things into the Internet of Things (IoT), we give up more and more personal control of the security of our information and the things that run our lives. We trust companies that are integrating the products that we buy to take the necessary steps to secure the product just like we expect a cereal manufacturer to ensure the purity of their ingredients and the car manufacturer to test the safety of their cars.

One of the things that ensures that both the cereal manufacturer and the car manufacturer adhere to these expectations is the government. Now, I'm not in favor of bigger government or increased regulation, so we need to look at alternatives. The government is a big stick that should only threaten industry with its overreaching power to the point that companies start to think and police themselves. What is needed is a consortium, funded by all the players in the IoT space, that will produce guidelines and keep updated technical recommendations for implementing new features and operating systems. Something like the loose collection of similar-minded security thinkers such as I Am The Cavalry isn't going to be enough. Instead, money has to be spent, and rules need to be written. Think of it as a much, much better designed and run version of Underwriters Laboratories.

For now, we will keep reading about one-off companies who take existing, possibly flawed, code and hand-jam it into their product to get things working and then deal with the security fallout afterward... or possibly never. Like the HVAC guys who install a web-accessible control panel that they really don't know anything about, companies will put people at risk out of sheer ignorance until something is done to fix it. And something should be done now.
