Thursday, June 22, 2017

Just because Hollywood makes it scary, doesn't mean it isn't real or really scary

I was reading an article from Dark Reading that came through my inbox, and it looked pretty interesting from the start...but it took me about 2 seconds to overcome his 'severe limitation' scenario with Bluetooth and cars.

How about a cell phone or smartphone attached to the car somewhere? That sure extends my ability to have an extended-range persistence platform within range of your local Bluetooth. There are tons of other ways that these types of exploits exhibit themselves. My car has a nav system, so there is a cell phone somewhere in the mix of that system, and that makes my car pretty much online all the time.

Yeah, Hollywood takes liberties with cyber issues and science issues, but it's a common shortcut in storytelling. Give the audience enough to get the general point across and don't delve too deeply into the details, because they don't care. It's not relevant to the story. Does that mean that there isn't risk there? Absolutely not. There is no question that there is risk there. But the real question when it comes to these CIA/NSA (et al.) scenarios is this: am I a high enough value target for someone to come after me in this way? For most of us, the answer is a resounding 'no.' However, there are a myriad of other scenarios where these types of exploits can be leveraged for less destructive means, like say...a suspicious spouse, or an overly aggressive background check.

These devices were never created with security as a design requirement. So why should it be a surprise that they have a poor track record when put to the test? To say there is low risk with things like IoT and connected cars is doing just what Hollywood is doing: telling part of the story to make a point. Bad guys don't take no for an answer when it comes to accessing something that they want. The question you need to ask is "Is there anything in this that makes it worth their while to come after (usually this means money), or are there any common scenarios where I could inadvertently come into the line of fire?" Just because someone isn't at war with you, specifically, doesn't mean you won't become collateral damage. A few worms (as a delivery mechanism) have made a resurgence of late, and just because we thought they were all but dead doesn't remove them as a viable means of propagation under the right conditions.

It gets a lot scarier when it comes to things like medical devices and 'SCADA'; just look to Ukraine...oh yeah, that was in the news this week too.