IoT Security Lines Are Thin and Dicey

Just like dynamite or a scythe, technological tools and advancements can come in handy when used properly or they can inflict serious damage when they’re misused or fall into the hands of someone intent on wreaking havoc.

Two things we can all count on are that there’s no end to the constant expansion of new “productivity” applications developed and embraced by companies, and that there is always someone out there looking for an opening, a weakness to exploit.

At this intersection of security, 5G and automation, we find yet another reminder that technology doesn’t always wait for the authorities or common sense to catch up, and that the supposed “bad guys” are sometimes the first and best hope of preventing a catastrophe birthed from the desire to monetize data at any cost.

According to a pretty eye-opening Motherboard report, a hacker going by the moniker “L&M” was able to access thousands of GPS tracker app accounts – reportedly more than 7,000 iTrack users and 20,000-plus ProTrack users – to monitor tens of thousands of vehicles as they traveled up and down the highways and byways in places like India, South Africa and the Philippines.

In some cases, the hacker claimed, he or she could have remotely shut down the engines of vehicles that were either stopped or moving at 12 miles per hour or slower. At any time and for any reason, this person or anyone similarly motivated could have caused a massive traffic jam in Johannesburg or delayed the delivery of a critical document or piece of equipment in Mumbai from the comfort of the neighborhood Starbucks.

“By reverse-engineering ProTrack and iTrack Android apps,” the report said, “L&M said he realized that all customers are given a default password of 123456 when they sign up.”

This hacker, who reached out to both of the GPS tracking companies asking for a “reward” for bringing this vulnerability to their attention, then wrote a script that used millions of usernames and the default password to access user accounts and monitor all their comings and goings and, theoretically, could have killed the vehicles’ engines when stopped or traveling at a low speed.

An owner of one of the companies using the compromised GPS tracking app for its fleet pretty much summed it up when he said “that makes it more dangerous. (The hacker) can actually mess around with … our clients and customers.”

Which brings us back around to 5G, automation and security at the dawn of the Internet of Things (IoT). Perhaps the most vaunted and desired feature that the soon-to-be, uber-connected future promises is a way to alleviate traffic congestion, eliminate automobile accidents and, perhaps, replace human drivers with driverless alternatives.

Spending on these so-called “smart” cities – where everything from weather and road conditions to available parking spots will be accessible from our phones – is projected to soar past $158 billion by 2020.

This expansion is global and extensive. Currently, according to IDC, the Asia/Pacific region accounts for 42% of global smart city spending, outpacing North and South America (33%) and Europe/Middle East/Africa (25%). Fifty-three cities, led by the likes of Singapore, Tokyo, London, Shanghai and New York City, account for roughly 15% of all smart city spending budgets right now.

More telling and potentially more troubling is how the top two most common use cases today and for the foreseeable future for these ubiquitous data-collecting and sharing tools – wearables for police officers and connected-vehicle-to-anything communications (V2X) – are integral to citizens’ actual, physical security.

The U.S. Department of Transportation makes it clear this is more than a passing fad, stating that it is “the Department’s view that V2X technologies have the potential for significant transportation safety and mobility benefits, both on their own and as complementary technologies when combined with in-vehicle sensors supporting the integration of automated vehicles and other innovative applications.”

As it pertains to policing, the National Institute of Justice commissioned the RAND Corporation to study the long-term technical issues, implications and challenges of wearables such as body-worn cameras out in the field. The report’s conclusion was comprehensive, direct and instructive.

“Many problems will have to be faced by agencies that adopt integrated vest systems, including officer privacy, citizen privacy, data security, additional personnel and skills required to manage and maintain systems, the cost and cultural barriers to change,” the report found. “Discussion and analysis on these very real problems are, however, beyond the scope of this report.”

As hacker “L&M” makes abundantly clear, the most forward-thinking and innovative companies looking to capitalize on the benefits of these tools are also the first to suffer their indignities. The hacker claims no vehicle engines were shuttered during the intrusion and that one or both of the affected companies made some sort of acceptable “arrangement” after being notified of their vulnerabilities.

An argument could be made that “L&M” is some combination of a white and a black hat hacker. While it’s true that this person did notify the GPS tracking companies of the exploit, the notification came with an outstretched hand.

So what happens when the next hacker accesses a cop’s body camera or a vehicle’s ignition system or a metropolitan city’s transit agency with intentions that are anything but gray?

Patricia Ames is president and senior analyst for BPO Media, which publishes The Imaging Channel and Workflow magazines. As a market analyst and industry consultant, Ames has worked for prominent consulting firms including KPMG and has more than 15 years’ experience in the imaging industry covering technology and business sectors. Ames has lived and worked in the United States, Southeast Asia and Europe and enjoys being a part of a global industry and community.