Speaking to TrustedReviews this week, Alexander Moiseev, Kaspersky Europe's Managing Director, has warned that your car is at serious risk of being hacked. He is, however, wrong and I'm going to explain why.
Kaspersky Lab and Mr Moiseev may well insist that the threats to the automotive industry are very real, and very much here and now; and while I don't dispute that there are concerns I do think there is a very real element of Mandy Rice-Davies Applies about the entire debate. With the demise, albeit a long and drawn out death, of desktop AntiVirus as the golden goose of the IT security industry, it should come as no real surprise when that industry looks for alternative areas to occupy. Transport is one of the much hyped, I would argue over-hyped, areas currently doing the rounds. The more the 'threat' is talked up, the more there will be a demand from consumers for 'protection' and vehicle manufacturers will turn to vendors to supply it.
That is far from my campervan being hackable now, or ever, as a matter of fact.
In that TrustedReviews interview, Mr Moiseev likens IT security not being involved in the design and development process of cars to having a house with no roof and putting bars on the windows to protect from theft. He argues that we don't have to wait for the autonomous self-driving Google Car for the hacking threat to materialize, and says our cars today are already at risk from, wait for it, parking assist modules and in-car microphones. Talking of the parking assist module he says "I don’t need anything else to drive the car, and this is a piece of software" and goes on to warn "this is accessible, people could change this software." Except people are not accessing it, are not changing the software and are not crashing cars as a result. I imagine we may have heard about it if they were. Unless it's the ultimate in stealth lulz or some kind of James Bond special ops thing, in which case, obviously, it would never make the press.
As for the microphones, these are dangerous because if you get access to that you get access to what is being spoken about in the car. Mr Moiseev talks about mega VIPs with "tonnes of bodyguards" and who "visits rooms which are completely secured" yet is left exposed by the potentially hacked mic in his car. First, I would imagine the target footprint here is pretty small; anyone who wants to hear the conversations in my car is more than welcome, and I am afraid they would be very disappointed at the return on their investment. Even allowing for the fact that there are high profile targets, if their existing security teams were worth diddly then they would already be on top of the in-car situation. If they really need help with dealing with a potentially hacked in-car system, as opposed to a bug planted there, then I'm happy to offer a simple solution for free: disconnect the mic, or cover it with tape. Sorted. Next.
My biggest beef with what Mr Kaspersky Labs has to say is when he states that the real problem right now is that "nobody can tell you for sure that those threats are not active." No, that is not the real problem. I can tell you for sure, 100%, that my van has not been hacked and is totally secure. It has no microphone (unless someone has hacked my smartphone - quite another subject) and the only parking assist I have is from my wife (who I would gladly have hacked if it shut her up and let me get on with the job of parking). Nope, the real problem is that the automotive security threat continues to get talked up, a classic case of introducing Fear, Uncertainty and Doubt into the market. We need to get rid of the FUD and strip this particular threat vehicle back to the bare metal so we can determine exactly what we are dealing with; then start giving sensible quotes for repair work.
I've said it before and I will say it again: cyber-criminals are driven by profit. If someone were to develop exploitable code for a vulnerability within an in-car system, that would then be sold back to the manufacturer via blackmail or a bug bounty. I'm all for security vendors and others in the security industry being involved in making cars safer by design, especially as they become ever more technically complex. But the FUD factor, the exaggeration factor, the marketing factor - call it what you will - does nobody any favours if you ask me. I'm all for the likes of BT, for example, launching the Assure Ethical Hacking for Vehicles service, which seems to take a more measured view and is designed to test how exposed connected automobiles actually are to cyber-attack and so help manufacturers and security vendors develop solutions to any weak points that are discovered.