The Internet of Things (IoT) Cyber Security and Unfettered Nissan Leaf
Editor's note: This is part two of two. Small business owners and IT executives should understand the underlying issues surrounding these events, including the potential legal and data protection consequences of exposed endpoint devices and encryption backdoors. Part one of the piece is entitled Small Businesses Owners Beware, Cyber Security Is Under Attack.
Wikipedia defines the Internet of Things (IoT) as: the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.
Data protection consequences of exposed endpoint devices and encryption backdoors.
IoT Unfettered for the Nissan Leaf
A security researcher demonstrated that communications between Nissan’s smartphone app and its Leaf electric vehicles could be replicated over the Web.
This is because the connection is unauthenticated and requires only knowledge of the vehicle’s personal VIN. The Nissan app, called Nissan Connect EV, can control a car’s climate controls and monitor the status of the driving range.
Further investigation proved that trip-related data including frequency and distance could also be obtained via unprotected API access queries to the car. Because VINs are displayed in the windshield, a hacker could potentially use these exploits with relative ease.
Nissan was first alerted to these issues on January 23 and is reportedly working on a solution, though none has yet been implemented. The company has removed its app from app stores while it works on a solution, and concerned customers should disconnect their cars from app access as a means of preventing tampering.
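The weakness described above, modelled as an added example (not code from the original article, the researcher, or Nissan): a handler that trusts the VIN alone, next to one that authenticates the caller and then checks that the caller owns the vehicle. All function names, VINs, accounts and trip data are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: VINs, owners and trips are invented for this example.
SERVER_KEY = secrets.token_bytes(32)  # per-deployment token signing key
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
TRIPS = {"TESTVIN0000000001": [{"km": 12.4}], "TESTVIN0000000002": [{"km": 3.1}]}


def _mac(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Issued after a real login (not shown); binds the token to one account."""
    return f"{user}.{_mac(user)}"


def authenticate(token: str):
    """Return the account name if the token's MAC verifies, else None."""
    user, _, mac = (token or "").rpartition(".")
    if not user:
        return None
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def trips_vin_only(vin: str):
    """Weak pattern from the article: the VIN is the only thing checked."""
    if vin not in TRIPS:
        return 404, None
    return 200, TRIPS[vin]


def trips_authorized(vin: str, token: str):
    """Hardened: authenticate the caller, then check they own this VIN."""
    user = authenticate(token)
    if user is None:
        return 401, None
    # Unknown VINs and other people's VINs get the same answer, so the
    # endpoint cannot be used to learn which VINs are enrolled.
    if OWNERS.get(vin) != user:
        return 403, None
    return 200, TRIPS.get(vin, [])
```

The point of the second handler is that a VIN is an identifier, not a secret: it can name the vehicle, but the decision to return data has to rest on a credential the caller proves and on an ownership record held by the server.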
While the FBI would like us to believe that the implications of a judgment forcing Apple to assist in obtaining access from one or a small number of iPhones is not far reaching, it would set a dangerous and obvious precedent.
Should the federal government force Apple to break iPhone encryption, the very nature of encryption could easily be broken, as the government could force backdoors into any and potentially all technologies, essentially rendering security useless.
No entity, be it a federal government or anyone else, is effectively able to wholly protect its secrets, and such unfettered backdoor access would undoubtedly become the information most sought after by hackers, foreign governments, and competitors.
Once those exploits get loose – and they inevitably would within a short period of time – there would be no way to put the genie back in the bottle. Essentially, security as we know it – however flawed and imperfect it may be – would be a thing of the past.
Access into the insecure Nissan Leaf systems (essentially an IoT device on wheels) demonstrates the concerns facing the burgeoning space.
IoT – and other endpoint device – developers may be working under some patently false pretenses that encourage them to sidestep enterprise security policies, and those pretenses need to be put to rest immediately.
Executives must ensure all endpoints are protected and put in place policies that address these fallacies.
Next: Here are four of the most prevalent fallacies.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.