How Copyright Laws are Turning the Internet of Things into a National Security Risk: Part II
To read part I of this post, click here.
Over the summer, Jeep and Chrysler made headlines when they mandated a recall of recent-model vehicles after it was discovered that their operating systems were susceptible to a remote attack. Researchers were able not only to manipulate the car’s GPS and console, but essentially to take full control of the vehicle and braking system without being in close proximity. The researchers, Charlie Miller and Chris Valasek, exposed the various vulnerabilities more than nine months prior to Chrysler issuing a public recall.[1]
When cars and trucks equipped with “hotspot” capabilities entered the market, passengers were promised the luxury of Internet access wherever they went. But while convenient, the technology presented a new attack vector, and these vehicles essentially became attack beacons for other wifi-enabled automobiles as well. Theoretically, attackers within close proximity of hotspot-enabled cars in a traffic jam could attack, infiltrate and take control away from numerous surrounding drivers. But proximity is only necessary for the initial installation of malicious software. An attacker could simply pass potential victims on the freeway and plant malware on their brand new cars, then wait hours, days or weeks before launching an attack on the car’s system.
As it stands now, copyright law leaves the door open for manufacturers to gather intelligence on consumers and then sell that data to third-party associates without the consumer’s knowledge or approval. Newer model products from farm equipment manufacturers come equipped with operating systems that, during regular use, also gather data from a farmer’s land, which is sent to and stored in the cloud.[2] This data is then correlated with weather data obtained from equipment stationed in farm-heavy areas, and can automatically manipulate or restructure the mechanical operations of the machines, such as the depth to which seeds should be planted in the soil based on rainfall and soil density.
As writer Dan Charles noted in a recent article, this cross-connection of data essentially controls when and where a farmer’s crops should be planted for them to flourish. Of course, for this data to connect in the first place, the farmer has to sign up for the service. However, one of the main threats that many farmers did not consider when they signed up is that this data correlation allows other companies and organizations to judge more thoroughly the exact buying price of a crop based upon the data from the harvesting process.[3] Likewise, this data can then be put into the hands of investors, lenders or others with a financial stake in the land or farming business. And with current DRMs, the monitoring of farming equipment cannot be shut down or altered through patches or updates.
As I noted in my previous post discussing current concerns and issues with DRMs, the Digital Millennium Copyright Act of 2000 was primarily created to combat music and media pirating, which clearly ignores our new Internet-connected reality where anything and everything is wifi-enabled. The obvious objection to weakening the copyright laws as they pertain to devices and their operating systems is that doing so can open the door to potential misuse or manipulation by bad actors. However, that door remains open anyway.
Opening a product to the masses presents its own issues as well, pushing the boundary from improved security into the realm of exploitation. Allowing continued refinement of security workarounds can enable the common user to manipulate a device beyond its intended use, which can lead to serious harm. In a few recorded cases, medical patients have successfully hacked morphine pumps in an attempt to ease their pain between allowed doses, which enabled them to overdose and die.
Another threat from weakening DRM comes under the banner of open source. A great example of this threat comes from the mobile marketplace. Certain products and apps from select sources may be far less monitored, and user-created apps are widely available. Malicious mobile applications are far more rampant in certain mobile markets than in a more secure, vendor-controlled marketplace. As has been the case since the internet itself became publicly available, if there is an avenue for corruption or misuse for profit, it will be used by someone to achieve such a result.
[1] http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
[2] http://www.npr.org/sections/thesalt/2014/01/21/264577744/should-farmers-give-john-deere-and-monsanto-their-data
[3] https://www.techdirt.com/articles/20140101/03380625737/will-monsanto-become-nsa-agriculture.shtml
This post was written by Casey Moles, Government Analyst with Thomson Reuters.