by Floren Cabrera F. de Teresa
Our world-wide-web cannot be effectively secured from hacking and much less can we currently secure “embedded devices” in the so-called “Internet-of-things.”
The security architecture of the Internet’s TCP/IP packet and DNS routing networks has largely been exceeded in terms of current capabilities to secure the Internet-of-Things. This is due to the fact a number of structural vulnerabilities exist – some still “zero-day” and others were inadvertently incorporated into the architecture for example of x86 chipsets. Many computer processors can be accessed via MINIX-3 types of utilities in order to easily obtain plain-text user-credentials dumps, directly from most types of x86 chipsets and exposing many mission critical devices to hacking threats.
The most worrisome “threat-model” is that of compromising user-credentials on-line and this has been manifest by an increasing number of “connected car” robberies and car hijackings using user compromised-credentials from typical hacks of mobile or laptop devices. In addition, the automotive industry is ill prepared to respond to this threat, as the “controller area network” (CAN) of cars is wide-open by necessity since there are no standards among many participants in the OEM electronics industry.
Vulnerabilities of the Internet and the “Internet-of-Things.”
- IoT insecurity, low computational power & rigid Tx/Rx protocols
- Network traffic transmission of encryption keys and sensitive plaintext credentials
- IoT data and firmware updates (are not encrypted) and unverified before upload
- Identity of servers is exposed by TCP/IP connection protocols for authentication
- Firmware contains security information exposed in unencrypted traffic
- Poorly implemented TLS 1.3 Standard as per the UK National Cyber Security Centre
- Physical on-premise local services serious Ethernet and USB port vulnerabilities
- Misconfigured SSL/TLS by users in addition to legacy hardware and software
- Credentials at risk of being exposed by downloadable MCU/CPU firmware
- Internet Cloud susceptible to SQL injection, cross-site scripting, request forgery and TLS implicit trust.
UK Automated and Electric Vehicle Bill and Cyber Security
The UK’s 2018 “Automated and Electric Vehicle” Bill poses serious liabilities for Insurance companies in case that an accident should occur without the requisite “critical software uploads and updates” as defined in the new Law. Most current “connected cars” simply use an SMS 3G/4G GSM connection via a mobile network carrier, without any thought for the required “authenticated software and firmware uploads, factory reset” and other features that now since April, are in effect mandated by Law. Therefore, we have a unique opportunity before us if we were able to rapidly deploy our AEBIS hardware/software retrofit solution.
This UK legislation addresses certain key principles of connected car security, most of which cannot be currently met by existing “connected car” entertainment and wireless systems! In other words, there could be up to 9 million vehicles on UK roads that are NOT compliant with UK law. This creates a significant risk exposure for insurance companies, as well as for drivers, who must provide proof effective of secure and authenticated firmware uploads, sanitation of user credentials or factory reboot and other features of security functionalities that current IoT (internet-of-things) automotive devices are simply not prepared to process nor are able to deliver with simple software updates.
Any viable solution that is fully compliant with the new 2018 Automated and Electric Vehicle UK Bill, will require a hardware retrofit module in order to increase the processing power and capabilities of the system to comply with UK new Laws. The insurance industry is particularly exposed to serious liabilities resulting from the current lack of compliance of connected cars.
1. – Retrofit telematics car market in the United Kingdom: there are over 32 million cars in the U.K. with an active secondary used car market valued at over £43 billion and representing over 400,000 trades per year.
2. – Connected car market in the UK, with over 8.5 million connected vehicles that are on the road today. We have traction with one of the top-ranked Venture Capital investors in AI autonomous car in the UK and if we were to deploy our solution with IBM Watson, we could close an important investment.
3. – The fleet market for long-haul lorry drivers and commercial vehicles that are constantly on the road. We are in confidential discussions with the largest fleet operators both in Europe and in America, with lots of traction and a possible sales order for our products. Three are literally millions of unprotected IoT devices, some of which are in mission critical networks. This is an urgent security need, which represents and technical challenge and an opportunity for Quantum Light to capture and together with the right large strategic partner – Helios Energia our parent company is honoured to be an IBM Business Partner. This “Big Play” business case. IoT cybersecurity problems are present for all Internet connected networks, including the IBM Cloud, since most IoT firmware and user data is not encrypted, firmware updates are most commonly not available for most “smart-devices” and those with software updates are not-encrypted and credentials are exposed.
Quantum Light Ltd has developed LightKey(R) in order to help our Clients mitigate the high level of cybersecurity risks and digital-threat environment that we all face today.