Here are two unavoidable facts of modern life: every computerized device is vulnerable to malware, and anything connected to the Internet can be hacked. In other words, any “smart” device (read: anything computerized and connected) is vulnerable -- including smartphones, smart TVs, smart thermostats, smart cameras, smart home security systems and smart cars.
Indeed, the vehicle hacking problem is bad enough that researchers already rate new cars not only according to their fuel efficiency or safety records, but also by how easily hackers might gain control of their key systems, including steering and brakes.
In February, Senator Ed Markey (D-Mass.) of the Senate Commerce, Science and Transportation Committee released a committee report titled Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.
To produce the report, Markey's office asked 19 different vehicle manufacturers about their cars' vulnerabilities, and 16 of them responded.
The results were dismal: “The responses from the automobile manufacturers show a vehicle fleet that has fully adopted wireless technologies like Bluetooth and even wireless Internet access, but has not addressed the real possibilities of hacker infiltration into vehicle systems. The report also details the widespread collection of driver and vehicle information, without privacy protections for how that information is shared and used.”
In other words, “unauthorized” access by hackers isn't the only problem with those vehicles; there's also the huge amount of information made available to “authorized” agents of the manufacturers. Or, in the dry language of senatorial press releases: “Additional concerns came from the rise of navigation and other features that record and send location or driving history information.”
Almost all new vehicles are hackable
If consumers are worried about privacy or hacking-security matters, can they vote with their wallets, and buy vehicles without such vulnerabilities? Probably not: as of mid-2015, nearly 100% of new vehicles on the market are hackable – and over 50% transmit data. Where do you travel and when, how fast do you drive and where do you stop along the way … of course your car “knows” these things about you already, and there's a good chance the car's manufacturer and/or any sufficiently motivated hacker knows this too.
Earlier this week, we warned you about a common privacy-protection mistake made by rental-car drivers: if you connect your phone or other smart device with the car's systems, whoever rents the car after you can potentially find your personal information, unless you remember to delete it all.
Health records in jeopardy
And of course, automobiles and their related systems aren't the only modern necessities designed to be hackable – a long-running but only recently discovered security breach at the federal Office of Personnel Management (which handles the hugely important national-security task of vetting security clearance holders) put the personal (and often blackmail-worthy) information of over 22 million current and former clearance-holders into the hands of hackers believed to have Chinese government backing (though China's government has consistently denied this).
Those hackers are also believed to be responsible for the four major medical-themed hackings discovered in the past year: last August's hacking of a for-profit hospital network, and the health-insurance hackings that hit Anthem, Premera Blue Cross, and CareFirst Blue Cross/Blue Shield.
In late May, Larry Ponemon, of the Ponemon Institute, and Rick Kam, of ID Experts, wrote an op-ed going so far as to suggest that these “escalating cyberattacks threaten U.S. healthcare systems. … Imagine a hostile nation-state with your psychiatric records. Or an organized crime ring with your child’s medical file. Or a disgruntled employee with your medical insurance information.”
Indeed, if you're an American, the four medical hackings uncovered this past year mean there's already a 1 in 3 chance your health records have been hacked – and remember that Anthem, Premera, and CareFirst almost certainly are not the only health-insurance providers to have been hacked, merely the only ones to have discovered and admitted it thus far. And of course, it's not just medical records at risk; Internet-connected “smart” medical devices can be hacked, too.
Perhaps none of this is surprising. After all, the Internet (formerly known as the “information superhighway”) was originally designed for research scientists at different universities to share data with each other – in other words, making it easier to share information in a high-trust environment.
The problem is that this same tool is now regularly used in low-trust environments to handle everything from personal finance to national security, even though that tool still isn't remotely secure (evidence: the near-constant stream of “major hacking” stories you see if you pay any attention to the news).
Encrypting your files
There is one fairly easy way to make the Internet more secure: use encryption to encode your files so that decoding them is impossible without the encryption key. Until 2012, the FBI recommended that all Americans use encryption to keep the data on their mobile devices safe from hackers; but when James Comey took over as FBI director the following year, the Bureau changed its tune. Comey thinks that encryption will only benefit criminals, and has gone so far as to ask Congress to make it illegal.
An old adage says that installing belated security measures is like “locking the barn door after the horse is already stolen.” But for today's insecure-Internet era, maybe the cliché needs a little updating:
“Locking the barn door? That might be a good idea. Maybe we can assign a Task Force to study the matter during the next fiscal quarter. But first, we need to focus on replacing all those missing horses. And while we're at it, why not store even more of our valuables in the horse barn? Sure would be a shame to waste all that newly vacant stable space, after all.”