Hidden hazards behind the wheel?

Security vulnerabilities in the IoT are not confined to any one industry sector, and the risk is very real across the board, including in connected cars.

Self-driving vehicles are likely to be on the streets by 2021. Autonomous cars embody a hugely complex proposition with basic building blocks including sensors, cameras, LiDARs, mapping, algorithms and artificial intelligence.

Accordingly, automotive chipmakers are vying to create electronic super-chips for the next generation of autonomous car platforms. Mobileye’s vision recognition system became one of the first practical manifestations of the advanced driver assistance system, or ADAS. The EyeQ system-on-chip (SoC), which ran an image processing algorithm, was at the heart of this camera system, first launched in 2006 for the aftermarket.

The fifth-generation EyeQ5 is much more than a vision processor: it is a central processing platform for cameras, sensors, LiDARs and radars, while consuming under 5W.

But a word of caution from the medical sector: following a discovery by researchers at security firm Rapid7, pharmaceutical firm Johnson & Johnson has warned diabetic patients that a security vulnerability discovered in its Animas OneTouch Ping insulin pumps could be exploited by hackers and cause a potentially fatal overdose (although the company says there have been no reported attacks and describes the risk as ‘extremely low’).

Launched in 2008, the Animas OneTouch Ping pump allows diabetic patients to give themselves a dose of insulin using a Wi-Fi remote control that wirelessly communicates with the insulin pump using an unencrypted radio frequency communication system.

Jay Radcliffe, a diabetic and researcher at Rapid7, discovered the vulnerabilities back in April and disclosed them in a blog post published on 28 September. Radcliffe found that hackers could potentially hijack communications between the pump and its radio frequency remote from up to 25 feet away, allowing a malicious intruder to potentially administer unauthorised additional doses of the diabetes drug.

“It is typical to see embedded, IoT and medical devices entering the market with security weaknesses,” comments Chris Day, security researcher at MWR Infosecurity. “Although we would expect these devices to be secure, in many instances there is neither an explicit requirement from customers nor regulatory bodies on security. In the medical domain, current regulation has limited security obligations regarding implant security, though this is changing and improving. It is also true that embedded, IoT and medical devices are receiving increasing levels of attention from the white-hat security community, which will hopefully encourage improvements in the security of these devices.”

Given the move towards self-driving cars, these lessons from the medical industry must be heeded in the automotive sector.

Latest posts by Andy Pye (see all)