On July 24th, 2015 Fiat Chrysler made something very real that people watching the IoT boom had been warning about for a while. Namely, the trend by many companies to release IoT products without a clear software upgrade path will have consequences.
As has been widely reported in the press, Fiat Chrysler has announced they will be recalling 1.4 million cars due to a demonstration (publicly published in a terrifying article in Wired) by two security researchers on how they could remotely control a car. This was done by exploiting a vulnerability in the connected Uconnect system released on some Chrysler vehicles in the US. Since the system isn’t designed to be upgraded software over the Internet connection, owners of the Chrysler vehicles will have to upgrade the software via a USB drive. As the US Department of Transportation has pointedly reminded Fiat Chrysler, automotive recalls aren’t a simple process. OEMs must diligently work to find all the owners of their cars, an expensive process which can still miss many owners and leave them with potentially unsafe vehicles.
One immediate lesson from the Fiat Chrysler hacking is that any IoT manufacturer which puts out a product not easily upgradeable over the Internet is sitting on a potential security time bomb. This is not actually all that new; there are millions of home router products which need periodic software upgrades which rarely happen.
While the consumer IoT market is still relatively immature, already there are millions of consumers who have fitness monitors and smart watches on their bodies as well as connected televisions, thermostats, security cameras and other products in their homes. Most cars on the market today also offer some sort of connected infotainment experience.
One likely outcome of the news is IoT device manufacturers should move to automated connected updates. Yet, as the number of IoT devices consumers own multiplies, how will they keep track of the devices which can be upgraded in this manner and which ones will need to work with manually? How will they know when their devices need to be upgraded? Furthermore, the security researchers indicated they could track the GPS position of the hacked cars. How will consumers keep track of and manage the privacy implications of their devices, something most people can’t do in today’s smartphone app environment?
All this points to the need for managed services to help consumers manage their IoT device security and privacy without overwhelming them with choices. This is not exactly new, already there are services which help PC users keep their software update. However, given the complexities of the variety of devices and technologies IoT represents, the next generation of managed security and privacy services is going to need to be very smart and easy to use.