IoT Security - Are you a Chrysler or a Tesla?

In July 2015, the US auto manufacturer Chrysler recalled 1.4 million vehicles. It did so because of a software vulnerability that led to security researchers taking control of dashboard functions, steering, transmission and brakes.

Stories like this make it clear that, as the Internet of Things grows, we need to think harder about IoT security.

Chrysler’s Security Story

Consultancy firm Gartner predicts the number of connected “things” will increase to 25 billion by 2020, a quarter of a billion of which will be vehicles.

With this kind of growth on the horizon, the way manufacturers respond to these early warnings is vital.

Chrysler initially buried the news in a press release on its website, before Wired raised awareness of the story. It capitulated a week later, adding security over its carrier’s network and announcing the recall. All owners were notified and asked either to download a patch over the Internet or to install the patch from a USB drive that was posted to them.

It is interesting to compare Chrysler’s response to that of fellow US auto manufacturer Tesla, which found itself at the centre of a similar security hack just a month later.

Tesla’s Security Story

The contrast was marked from the beginning: the Tesla hackers required physical access to the car to initiate their hack; poor network security did not provide an “in” as it did in the Chrysler attack.

Perhaps most importantly, Tesla’s hackers did not gain control of the vehicle’s critical drive systems, thanks to the gateway Tesla engineered between its infotainment and drive systems. Tesla is reportedly working to strengthen these separations and the gateway itself.

When the security concerns were brought to Tesla’s attention, the company worked with the hackers to effect fixes and then remotely pushed out a patch to all vehicles. Owners simply had to click “yes” when the software update was pushed out to them in order for the fixes to be installed.

The security experts who hacked the vehicles praised Tesla for its OTA patch process. They also praised Tesla for thinking ahead about what might happen if a security breach resulted in systems being compromised: the car was engineered to handle a sudden power loss gracefully and to ensure the driver retained control of steering and brakes.

“If one or two companies are doing [security] well, then shining the light on them… helps to raise the overall bar for the entire industry,” the security researchers told Wired.

What Can We Learn from these Contrasting Stories?

The security hacks that affected these two vehicle manufacturers were not malign; they were conducted by security researchers. But their activity makes it clear how important security is in every Internet of Things project.

And the contrasting nature of those stories amply demonstrates how security now has the potential to become a key source of competitive advantage.

The cautionary tales about Chrysler and Tesla demonstrate five key areas where security (and service) differed:

  • Network and end-point security
  • Device and application security
  • Contingency planning
  • Culture and the response to identified weaknesses (an awareness of the need to act fast!)
  • Delivery of solutions (fast and simple through remote updates).

When you begin to think about an Internet of Things implementation, you need to consider all five of these areas, because they are going to be integral to any IoT deployment.

The question is: Are you a Chrysler or a Tesla?

