The Connected Car As A Microcosm Of The New Threat Landscape
The Internet of Things (IoT) is a hot phrase right now, and every vendor is talking about the huge potential of continual connectivity and interaction with smart devices to optimize the asset and transform the customer experience. The potential is undeniably huge and developers are right to be excited, but it’s not all "hugs and puppies."
As S&R professionals, we have to balance the excitement of innovation with pragmatism and caution, and the IoT is a turmoil of innovation right now. With so much change, it can be difficult to focus in on the key issues, so let's choose an area where there has been a lot of discussion and hype for years (or even decades) but not much in the way of actual consumer adoption; let's use the "connected car" as an example to crystalize a few of the risk scenarios.
Picture courtesy of Dave Gray on Flickr
Today’s cars operate on computers, and mechanical functionality breaks down when the computer is not there to manage it. It’s not quite an aerodynamically unstable plane, such as the B-2, or indeed most modern fighter jets, which are kept in the sky by instantaneous computer feedback and corrections, but it’s not dissimilar. As we move toward the connected car, think through these scenarios:
- Drivers are incentivized to “jailbreak” the car. It's already possible to tweak your car's operating parameters to achieve greater acceleration or fuel efficiency, and the opportunities will only increase; imagine a driver wanted a different HUD setup, or increased steering sensitivity, for example. Drivers will be tempted to tamper with existing controls to achieve the drive they desire, and these changes may put the car into an unsafe mode. It’s possible to push liability onto the driver at that point for any problems, but when technology issues become safety critical, it’s not easy to distance your brand from any catastrophe.
- Technology failures are commonplace now; with IoT the risk is escalated. We’ve seen that software upgrades and new applications are rarely deployed to common-use technology, such as desktops, without teething problems. When your endpoint is traveling at 70 mph on a crowded highway, that’s not the time to find out that the software upgrade has a flaw, or that it corrupted an essential feature. What’s that you say? Just reboot it to fix that "failed brake" problem…?
- Contextual data fundamentally undermines privacy. As the connected car travels around, connecting with local traffic information services, road toll systems, GPS systems, other cars, and parking services, so the contextual information builds up. Drive through a built-up zone too fast? Car parked at the golf course on a sick day? Just ran that last red light? Accelerate away from the stop sign too fast? The systems will know and the data will be available to someone, perhaps the app developer, perhaps your insurer, perhaps the authorities.
- Hacking becomes about physical, not data, theft. Recently, a UK university showed that it had developed a system that could unlock a range of prestigious cars wirelessly and without the assigned keys. A gag order stopped publication of the exploit, but the threat is real. Weak or vulnerable authentication protocols mean that IoT risks transfer into the physical world and real assets become susceptible to cyberthreats. Patching the control systems may help, but that depends on the car’s key technology. The ability of exploits to propagate almost instantaneously means that many thousands of vehicles could be vulnerable for some time before solutions are deployed. "Patch Tuesday" for connected cars is a real, not theoretical, nightmare, but can physical assets wait that long for protection?
The topic of IoT and security is a vast and complex tale, and one that will affect your life sooner rather than later; that’s why Forrester is researching this topic with some vigor. I will be speaking more on security and the IoT at Forrester's Forum For Technology Management Leaders in London on June 12-13. Hope to see you there!