A public service announcement from our good friends at the FBI warns that motor vehicles are increasingly vulnerable to remote exploits, which, in the wake of the bad-ass research from Chris Valasek and Charlie Miller, shouldn’t be shocking.
What struck me is that the security advice the FBI is offering drivers was identical to the advice cybersecurity experts have been giving to–well, just about everyone. The more your car intertwines with software to provide things like automatic wipers, ABS and even Bluetooth audio, the more it becomes susceptible to cyber attacks we traditionally associated with software on servers rather than four-wheeled automobiles.
So it would seem obvious that a car with more software bells and whistles would be less secure than a simple ‘hardware only’ car, and from one point of view that’s true.
But should you rush out to buy a 10-year-old Honda Civic with no connectivity to the outside world?
It depends.
If you’re buying the car for your family and you’re more likely to be in a road accident than you are to be hacked by guys like Charlie Miller–you’re better off buying a newer car with modern safety features even if it makes you susceptible to certain attacks. You certainly wouldn’t want to be in an accident in a car without airbags, or crumple zones built to protect passengers.
Compromising security in the name of safety isn’t something people are comfortable doing, but you never deal with absolutes here.
Security is always a compromise: sometimes you give up convenience, sometimes you give up money, in some cases you even give up safety. Buying a newer car presents a bigger attack surface for ‘hackers’ to target you, but buying an older car presents a bigger risk for when you get into an accident, and because accidents are more likely than hacks, the choice seems straightforward.
However, before we begin to balance security vs. something else, we need to define the term security–and that’s not a straightforward process.
The definition of what is secure begs the question–secure from what? You need to identify your attacker and their methods before you can secure your defences. Going back to the car example, a newer car with more connectivity to the internet might be susceptible to hackers like Charlie Miller, but could also have shatter-proof windows which may offer better protections from parang-wielding carjackers. Which of those two attackers are you more likely to encounter?
Think about the gated-guarded communities that have popped up all over Malaysia. Sure, these neighbourhoods provide security from the opportunistic criminals, like the wandering thief on his motorbike looking for expensive shoes you left outside your home. But they provide almost no extra security from a skilled attacker who employs patience, knowledge and occasional violence to get the job done. For them, Nepalese guards who wave in everyone at the entrance present little deterrence.
So when we talk about FBI vs. Apple, people tend to conflate it as a case of security vs. privacy or, even broader, as security vs. liberty. But before we broadly frame this question, we need to define which liberty we are affecting, and what security we are augmenting.
The FBI is an investigative body, charged with investigating federal crimes. If their powers and capabilities are restricted by either technology or law, they presumably would be less effective in catching criminals. Hence, if Apple designs smartphones that nobody (not even the FBI) can access, criminals will remain free and our collective security suffers as a result. In other words, unless we give up some personal privacy, we cannot get the security of knowing criminals are behind bars.
But what about other attackers, like cyber-criminals and state-sponsored attackers?
The NSA, who have the wholly different task of national security, feel that if Apple designs smartphones that even the FBI can’t access, it means Russian cyber-criminals and Chinese state-sponsored attackers won’t have access as well (or at least have a much harder time gaining access). And since nearly every federal employee carries a smartphone, the collective national security of the country is better protected by protecting the privacy of individual citizens.
Two different attackers result in two different definitions of security.
The latter example actually posits a scenario where liberty and security go hand in hand, where we get more of both simultaneously, win-win.
We also haven’t ventured into the territory where the government is the attacker. For many citizens living in despotic regimes that is a real and present evil. If Apple builds phones that ‘protect’ criminals from the likes of the FBI, those same phones protect journalists and human rights activists from their repressive governments.
It’s another version of collateral freedom: we all use the same internet, and protections we grant ordinary law-abiding citizens are the same protections we grant criminals. But since there are far more good people than evil bad guys, that’s an effective compromise–it isn’t perfect, but it is a rational decision to take.
The alternative is to remove the protections from criminals, but at the same time deny them to ordinary citizens as well. That’s just not rational.
I would be disingenuous if I didn’t point out that in some cases we do need to give up liberty for safety. We have to allow police officers to carry out their duties, we grant the government powers to imprison the criminals among us, and we remove the ‘liberty’ parents have when it comes to vaccinating their children–all in the name of security.
The point of this post is to stimulate you to think more deeply about the liberties we sometimes sacrifice in the name of security. For example, we offer ourselves for groping at airport security for the ‘comfort’ of others; there’s only a tiny minuscule chance that our particular flight was chosen for a terrorist attack, but we think of this as security. Security expert Bruce Schneier puts it wonderfully:
Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it’s based on identity, and there are limitations to that sort of approach. Since 9/11, two—or maybe three—things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and—possibly—sky marshals. Everything else—all the security measures that affect privacy—is just security theater and a waste of effort.
-Bruce Schneier
That reinforced cockpit door that protects pilots from terrorists also protected Andreas Lubitz when he took the helm of Germanwings flight 9525 and crashed it into the French countryside, killing himself and all 150 souls on board.
Security entirely depends on who your adversary is and how they will carry out their attacks.
TL;DR
I drive a 3rd generation Prius, which has Bluetooth audio, so that I can play my podcast from my phone through my car audio. That same audio headset can display the ‘state’ of the hybrid drive train–whether it’s driven by battery or the engine, so that would mean the CAN bus on my car is exposed to the outside world via a Bluetooth connection. I accept this risk because I enjoy podcasts too much, and because the Prius was the cheapest NCAP 5-star car I could buy; I compromised security over safety.