According to David Pogue, since hacking a car is “nearly impossible,” we shouldn’t talk about it anymore.
That, my friends, is precisely what’s wrong with security and security awareness today. Flying to the moon is nearly impossible, after all, and you could easily kill yourself trying. David Pogue has never done it. But Neil Armstrong and Buzz Aldrin did.
I’ve run up against attitudes like Pogue’s before. I’m paraphrasing, but the attitude was that since an unpatched sytem had run for years with nothing bad happening–not that they had any way of knowing whether anything bad had happened–it could run at least that long without anything bad happening.
I’ve also worked in a shop that has a very different attitude, and I think part of the reason for it is because everyone in the company watches Kevin Mitnick Security Awareness training every year. Every other training I’ve ever seen covers that same material, but in this particular video, Mitnick sits down with two computers and hacks one computer from the other. It’s edited for length and doesn’t show the whole process, but it shows enough to demonstrate that this isn’t something theoretical–it happens every day. It probably doesn’t hurt that when they introduce Mitnick, they mention he served time in prison for hacking and he still looks a little shady, and more than a little bit thrilled when he carries out each demonstration and it works. And in the video, there’s little or no indication on the attacked computer that anything is wrong.
This is a point that Pogue misses entirely. If someone out there is hacking cars, they’re not going to do it in the way that Charlie Miller and Chris Valasek did it. Miller and Valasek wanted it to be noticeable. A good hacker is like a good spy, lurking, working slowly and methodically, taking care to blend in to what else is going on in order to stay there longer. Persistence isn’t goal #1, but it’s what makes all other goals possible.
Sticking one’s head in the sand is a very dangerous thing. Half a decade ago, a coworker and friend and mentor–and later, very briefly, my boss–displayed a garage-built wifi-hacking drone at Black Hat and Defcon. Prior to taking it on the hacking conference circuit, he and his collaborator had far more critics than friends. They said what he was doing was impractical or illegal or that nobody would care, among other things.
Today, flying drones is a popular hobby. At the moment, not only can you buy a drone for less than $100, but you can have your choice from 17 different models. They don’t hack wifi, but my friend will tell you that wasn’t the hard part. Getting the drone to get into the air and stay in the air was the hard part. Now you can buy something off the shelf that flies just fine and add the hacking bits–or there’s plenty of mischief you can do with the camera, and the cheapest camera-equipped drone on the list costs $41.
All of this would have happened with or without my coworker-turned-boss building a drone. But since he and his friend did build it, and displayed it and talked about it, we at least got some warning about what’s possible, and we’ve had some time to prepare for it.
That’s what car hacking is all about now. What’s possible now is a lot less important than what’s going to be possible five years from now.