I recently had a conversation with Josh Corman of IAmTheCavalry where he shared with me his open letter to the automotive industry. Entitled, the Five Star Automotive Safety Program, it outlines five specific areas that affect information security, and thus will affect the safety of humans that rely on those systems. The five areas are:
- Safety by Design
- Third-Party Collaboration
- Evidence Capture
- Security Updates
- Segmentation & Isolation
When Josh and I first chatted, I was wary of number 4. Not the fact that security updates are needed, but that there must be a mechanism by which updates can be automatically deployed (not by taking a car to the repair shop). Could someone create a cyber-zombie army by taking over an update mechanism? More and more systems are moving toward auto-update functionality, but is this the best idea?
Shellshock has moved me to agree with the need, and investment in the security of that update mechanism is prudent. Consider the number of systems, embedded or otherwise, that are running some form of Linux or other UNIX variant. I don’t think its unreasonable to assume that there are still devices running on the 1.2 Linux kernel, performing some task (perhaps SCADA related), and probably cannot be updated. Those systems are probably also vulnerable in other ways, but they definitely are going to have an issue with Shellshock.
Systems of the present and future must be built to take advantage of any number of available methods to stay up to date with security patches. With the Internet of Things movement in full swing, you won’t be able to escape a device with some kind of operating system on it that will need to be updated when new security problems are found. Consider the sheer number of devices vulnerable to Shellshock, and then think about the ones that may not be able to be updated. Given the right circumstances, there is a possibility of impact to human life.
What are your thoughts on the framework? Discuss in the comments below!