Forget LoJack, it's 2015. If you want to protect your car — and your enterprise's secure data — it's about time you add it to the list of devices your AppSec program protects. The recent BMW security flaw announcement proves that even manufacturers acknowledge this brave new world of software vulnerability. It might sound crazy, but the era of computer hackers stealing cars is upon us.
Picture this: You return to the downtown garage where you parked your car overnight, only to find it's not there. There's no broken glass, no skid marks from a trailer dragging it away — no evidence that anyone did any of the things old-school thieves do to steal cars. Where'd it go, and, more importantly, what does that mean for you and your enterprise?
This isn't a whacked-out Y2K movie starring Ashton Kutcher, it's a 2015 scenario that almost happened. Thankfully, BMW patched the security issue before brand-new cars started getting unlocked en masse, but the fact that this news went public means it's only a matter of time until hackers find another exploit or bug before manufacturers do.
As more devices are turned "smart," a firm's security focus has to shift from crowbars and ski masks to RFID scanners and hackers. For example, if your employees' e-mail gets pushed to their Wi-Fi-enabled car navigation systems, can hackers exploit a security flaw and enter your company's network? Can they unlock cars as nonchalantly as the rightful owners do and rifle through their contents without setting off alarms or looking suspicious? Soon, AppSec won't just mean Angry Birds on company phones: It will mean push notifications in cars, watches, shoes and glasses. Is your firm ready for that?
This brave new Internet of Things world is scary for anyone involved with network security. The vulnerability in the BMW security flaw also affected Minis and Rolls-Royces — which means cars of all prices and sizes were subject to SIM-card hacks. By intercepting the data transmission between smartphones and the connectivity features of BMW's newest cars, hackers were able to unlock doors and activate "a range of other services including real-time traffic information, online entertainment and air-conditioning."
Imagine a mobile IT guy who drives around with enterprise hardware in his car. Soon he could be forced to explain to management how $20,000 worth of servers and printers went missing from his trunk without any evidence of a break-in. The recent BMW bug turned out to be harmless enough, but as the Internet and cars become more intertwined, the potential for disaster grows.
When employees are given more and more smart devices, the number of potential targets for hackers increases. Smartwatches are still in their novelty gimmick phase, but soon they'll be the gold-plated norm. What wearable or drivable device will come next? And are you ready to make sure it's part of a secure network?
As more third-party applications request permissions for access to e-mail, contact lists and other secure functions, make sure your security solution is vetting all of them. It's easier to protect against the next wave of smart vulnerabilities than you think, but it's also way too easy to forget that watches are newer devices, and that they haven't necessarily been pen tested as thoroughly as most trusted enterprise applications. Let the BMW security flaw be a warning, not a prophecy for the way things go for your firm in 2015.
Photo Source: Flickr