Unreasonably Bad Design: Computerized Vehicles Edition

The Disaster

I know I’m not the only systems engineer out there who has been disturbed by the obviously idiotic designs going into our planes, trains (probably), and automobiles (Update: Corvette, too, is designing their vehicles with similar flaws).

Here’s a ProTip:  If you don’t want your system hacked, don’t connect it to the Internet.

There is no reason, NO reason, for the computerized equipment in control of a vehicle to ever be surfaced to a network, much less the Internet.  In the plane example provided above, the hacker accessed the vehicle’s flight controls through the in-flight entertainment system.  For the love of God, there is NO REASON you should EVER have your flight controls connected to your in-flight entertainment system!  WHO DESIGNED THIS STUFF?

People who aren’t in IT are simply not aware of how badly their software (and sometimes hardware) is often designed.  Non-IT folks tend to view all IT folks as wizards dealing with arcane understandings unavailable to normal people, but it’s not the case.  Computer software and hardware are just machinery, and they simply produce output based on input.  There is no mystery to why this stuff functions the way it does; it’s about as logical as it gets.

Knowing that, it’s a simple and obvious matter to understand the following:  There should be no possibility that remote input provided to your vehicle generates output that impacts your vehicle’s critical controls.  Any software which exerts control over your vehicle’s critical facilities (steering, braking, engine operation, etc.) should not be connected to any networks or other systems.

That the matter is so simple makes it all the more appalling that the companies in charge of designing software which exerts control over your vehicle’s speed and direction are committing such rudimentary, glaring failures.  To allow a pathway of control from the Internet to the vehicle’s critical facilities is completely and utterly unacceptable.  If more people understood IT better, Jeep would be sued senseless into bankruptcy for recklessly and irresponsibly endangering the lives of their customers.  There is no excuse for what they have done, just as there is no excuse for the manufacturer of the plane software which was commandeered through the in-flight entertainment system.

I guess the point of this article is:  It’s not impossible to responsibly and reasonably design computerized systems.  Adding systems always adds some danger, but the amount of danger we’re seeing here is far more outrageous than the public seems to understand.

So I say to everyone who hears of these stories in which vehicles are commandeered in such a manner that could end the lives of the occupants: you should never, ever purchase a vehicle with such a system.  It is highly unlikely that the updates the organization has issued will resolve the problem; you can’t remove a hardware-enabled pathway of control with software in a foolproof manner.  You need to have these systems physically disconnected from one another.

I hate empty rhetoric as much as the next guy, and I wish there were some way I could testify in front of Congress that this might become law, but I’m just some guy with a blog.  Nonetheless, we need to take a stand against this before it gets out of control, because “out of control” in this case means that one day you may not be able to purchase a vehicle whose controls aren’t connected to the Internet.  That would be a truly scary world in which zero day threats (which are discovered and made public on a constant basis for nearly every software platform imaginable) are quick and easy tools for murderers.

You won’t find me in an Internet-connected vehicle if I can avoid it at all, that’s for sure.  I’ve seen too many big-name companies hawking absolutely horrendous software (which is forced upon end users because of a lack of viable alternatives) ever (in a foreseeable future, that is) to trust a car whose computer system exerts control over the vehicle to such an extent.

The Airgap Solution

I have thought about this for a very brief time, so I’m sure there are better recommendation sets out there, but this seems pretty necessary and obvious to me:

  1. Every vehicle with a computerized system should have a physical switch which physically disconnects the system from the vehicle.
    1. There should be a hardware switch that allows the user to physically disconnect (as in, necessary cabling is actually disconnected, preventing software glitches from affecting this functionality) the vehicle’s computer system from the vehicle’s critical systems (engine, braking, steering, etc.).  The vehicle should always be capable of functioning in this state.
  2. In addition, every vehicle should have a physical switch allowing the system responsible for critical vehicle capabilities to be disconnected from the Internet.
    1. This way, one could acquire firmware updates while the vehicle is parked or off, and disconnect the Internet from the vehicle’s controls at all other times, maybe even leaving completely separate, auxiliary systems (such as entertainment) connected.
    2. Even further, there could be a separate system that alerts the user prior to operating the vehicle in the event that a critical firmware update is available and the user has not installed it.
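The two-switch design above is a physical one, but the policy behind it (the control domain reaches the Internet only while parked and off, a remote update is staged rather than applied live, leaving the parked state forces the link down, an uninstalled critical update raises an alert before driving, and an open isolation switch means no computer command reaches an actuator) can be written down as a small state model. The following is an added example, not code from the original post or from any vehicle manufacturer; every class and method name is hypothetical, and the model only illustrates the gating rules, whereas the post's point is that the disconnects should be real cabling, not software flags.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class VehicleState(Enum):
    PARKED_OFF = auto()      # the only state in which the Internet link may be up
    PARKED_RUNNING = auto()
    DRIVING = auto()


@dataclass
class FirmwareImage:
    version: int
    critical: bool


@dataclass
class VehicleControlDomain:
    """Hypothetical model of the critical control computer and its two switches.

    control_link_connected  models switch 1 (computer <-> engine/brake/steering cabling)
    internet_link_connected models switch 2 (control domain <-> Internet)
    """
    installed_version: int
    state: VehicleState = VehicleState.PARKED_OFF
    control_link_connected: bool = True
    internet_link_connected: bool = False
    staged: Optional[FirmwareImage] = None
    log: List[str] = field(default_factory=list)

    # --- switch 2: Internet reachable only while parked and off ---------------
    def connect_internet(self) -> bool:
        if self.state is not VehicleState.PARKED_OFF:
            self.log.append("refused: Internet link requested while not parked/off")
            return False
        self.internet_link_connected = True
        return True

    def set_state(self, new_state: VehicleState) -> None:
        # Leaving PARKED_OFF drops the link unconditionally; this is what the
        # physical switch guarantees regardless of any software state.
        if new_state is not VehicleState.PARKED_OFF and self.internet_link_connected:
            self.internet_link_connected = False
            self.log.append("Internet link dropped on leaving parked/off")
        self.state = new_state

    def receive_firmware(self, image: FirmwareImage) -> bool:
        """Remote input only reaches the domain while the link is up, and is
        staged rather than applied, so nothing changes while driving."""
        if not self.internet_link_connected:
            self.log.append("dropped: firmware message arrived with link disconnected")
            return False
        if image.version <= self.installed_version:
            return False
        self.staged = image
        return True

    def install_staged(self) -> bool:
        if self.staged is None or self.state is not VehicleState.PARKED_OFF:
            return False
        self.installed_version = self.staged.version
        self.staged = None
        return True

    def pre_drive_alerts(self) -> List[str]:
        """The separate alerting system from item 2.2: warn before driving."""
        if self.staged is not None and self.staged.critical:
            return [f"critical firmware {self.staged.version} staged but not installed"]
        return []

    # --- switch 1: computer <-> critical actuators ---------------------------
    def actuate(self, subsystem: str, value: float) -> bool:
        """A command from the computer to a critical actuator; with switch 1
        open it is not delivered and manual control is unaffected."""
        if not self.control_link_connected:
            self.log.append(f"isolated: {subsystem}={value} not delivered")
            return False
        self.log.append(f"actuated {subsystem}={value}")
        return True


def scenario() -> dict:
    """Walk one vehicle through the policy and return the observable outcomes."""
    v = VehicleControlDomain(installed_version=1)
    out = {"link_up_parked": v.connect_internet()}
    out["staged_while_parked"] = v.receive_firmware(FirmwareImage(2, critical=True))
    v.set_state(VehicleState.DRIVING)
    out["link_up_driving"] = v.internet_link_connected
    out["accepted_while_driving"] = v.receive_firmware(FirmwareImage(3, critical=True))
    out["installed_while_driving"] = v.install_staged()
    out["alerts"] = v.pre_drive_alerts()
    v.set_state(VehicleState.PARKED_OFF)
    out["installed_when_parked"] = v.install_staged()
    out["version"] = v.installed_version
    v.control_link_connected = False           # driver opens switch 1
    out["actuated_when_isolated"] = v.actuate("brake", 0.5)
    return out


if __name__ == "__main__":
    for k, val in scenario().items():
        print(f"{k}: {val}")
```

The interesting property is in `set_state`: the link is dropped as a side effect of the state transition itself, not by a separate "please disconnect" call that a fault or a compromised component could skip. In real hardware that is exactly the job the physical switch does, and it is why the post argues that a software update cannot fully substitute for it.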

It seems pretty obvious to me; we should not have vehicle controls connected to the Internet while they are in use.  There is no way to ensure safety in this regard.  Consider your Internet-connected machinery to be open to public use; you may be able to trust the system’s design to prevent the public from (mis)using it in most cases, but when it’s your life on the line, you should always engineer the system in such a way that it is simply inaccessible to anyone but those absolutely required to use it.

And there’s nothing like an airgap for that.

The Danger of Media Sensationalism and Public Apathy

This isn’t some tin-foil hat lunacy, either.  One huge problem with our modern media outlets is that they perceive sensationalism as critical to their survival.  Every day we are subjected to words which, if not taken as hyperbole, would be expected to cause mass hysteria.  Headlines blare doom and gloom, and all these stories which begin with portrayals of abject disaster and end with superficial explanations of mundane phenomena dull our senses against actual disastrous problems.

I work with big-name vendors all the time in a very important sector and I bear first-hand witness to (and am often the sole actor standing against) a constant stream of embarrassing, awful, outrageous security failures committed by software designers.  Combine that with all the incompetent system engineering and administration out there, and there is simply no mystery regarding the volume and frequency of breaches which occur every day.  The manner by which huge organizational systems are compromised is nearly always dependent on simple, glaring oversights.

Just think of it this way:  an unbelievable number of people in this country are intellectually irresponsible.  Donald Trump is leading the polls of GOP voters by nearly doubling the polling outcome of the next-highest-scoring candidate.  Ask any question of the American public and at least a quarter of them will endorse outrageous stupidity.

Do you think it’s safe to place your lives in their hands?

The sad fact of modern life is that we must engineer our lives with grave consideration for imbecility, malice, and psychosis.  Given these constraints, we cannot afford to outfit ourselves with equipment on which our lives depend and which feature publicly-accessible controls.

I dread the day people start wiring computer systems directly into their brains.  To anyone with any knowledge at all, such a venture should be prohibitively stupid, but as I wrote above…

It’ll happen, and there will be great suffering and trouble.

