Monocultures and automobiles

Many have expressed concern about the use of networking technology in automobiles. Radio frequency identification chips (aka RFID chips) are common in the keychain "fobs" millions around the world use to open their cars. They're easy to use, and I've practically forgotten what it's like to have to put a key in my door to open it, but I'm not surprised that graduate students at Johns Hopkins University hacked into a Ford Escape using its radio-frequency car key.

What piqued my interest, though, was the growing use of Bluetooth in high-end cars, as a recent article in Forbes ("Grand Theft Microchip," May 9, 2005) noted:

...Bluetooth networks are becoming a standard way to connect the car's stereo with the driver's phone and MP3 players. Half of Acura's fleet lets you wirelessly transfer a call between phone and car with a button on the steering wheel.

This is clearly cool stuff, and a sure sign that convergence isn't just a buzzword bandied about at technology shows and marketing junkets. On the other hand, the more technology coalesces around a single standard (presuming more gets networked besides the radio), the more monoculture risks of the sort identified by Bruce Schneier come to the fore. Bluetooth viruses aren't just of academic interest. The "Cabir" test virus proved that such things are very possible, and other researchers have identified more vulnerabilities besides those used in Cabir.

Cost and benefit analysis should apply here, however. Diversification is the solution to monoculture risks. However, few would advocate diversifying beyond HTTP to encompass 10 or 20 networking protocols for Internet-based data interchange. We would be "more secure" in that those not using HTTP wouldn't be exposed to risks associated with HTTP networks (such as bugs in Web browsers that use HTTP as their networking protocol), but the costs of such a draconian solution, in terms of a less functional Web, less compatibility, and more development and maintenance effort would surely outweigh the risk.

The same applies to the creation of software and protocol "monocultures" in cars. The Balkanized technology islands that typified early efforts to integrate computing into automobiles pose fewer risks, but offer fewer integration opportunities. The development of monocultures, in other words, is critical if automobiles are going to be a part of the networked world alongside other "devices" in our lives.

So, when I read scare articles about the impending doom awaiting us from hijacked Hummers, I take them with a grain of salt. Yes, if I stuck with horse and buggies, there'd be less risk of collision injury. I'll still drive my car to work tomorrow.

Topic: Security

John Carroll

About John Carroll

John Carroll has delivered his opinion on ZDNet since the last millennium. Since May 2008, he is no longer a Microsoft employee. He is currently working at a unified messaging-related startup.


Talkback

7 comments
  • Aren't you missing the point?

    Shouldn't the bottom line on this issue be that more attention should be given to the security aspects of technology, rather than ignoring them in the beginning when it's created, and then never revisiting the issue to address it? These technologies are being released much too soon in the market - they're half baked. Expecting that a technology be ready for market shouldn't cause one to be labeled a Luddite. Time to market is being given priority to ensure the best chances of chasing down the almighty dollar. It's easy to understand why they're rushed out, but it should also be easy to understand why they shouldn't be rushed out from a security perspective.

    It's one thing to have my free web-based email account fill up with spam, but it's a whole other story when your $45K Acura succumbs to some lousy worm. Technologists are failing society in general by not solving these issues promptly. It'll come back to haunt us one day, and our reputation will be tough to win back.
    ejhonda
    • Interesting

      Maybe GM writes that Lexus virus! ANYTHING to make the Japs look bad would be good for GM.

      Bluetooth and most technologies are driven NOT by software, but by hardware. There are no inherent security issues with hardware - it's ALL in the software.
      Roger Ramjet
    • Re: Aren't you missing the point?

      John Carroll's point was that we shouldn't walk away from monocultures because of challenges that emerge, such as security. Monocultures are effectively standards, and the use of less standards leads to less cost. That is why we have such a large PC market based on the PC hardware standard, along with the de facto Windows standard. All we have to do with the selection of our monocultures, is figure out how to get past the various challenges that arise. Every system has its challenges, and as you alluded to, monocultures really need to think beforehand about security, when they implement their wares, so as to mitigate widespread inconvenience for customers.
      P. Douglas
      • Auto industry has to be careful

        Mr. Douglas,

        Well said. I also want to point out that there are many Bluetooth vulnerabilities and many more to come within the next year. However, given the fact that a car company can be sued for billions if someone gets hurt from a flaw in their cars, I'm pretty sure that they would not permit the Bluetooth systems to have anything to do with the mechanics of the automobile. I don't think they're going to allow the Bluetooth system to control the braking system or cruise control or even remotely have the possibility of corrupting them. Worst case, you won't get to listen to your MP3s or make a call from your car.
        george_ou
      • Monoculture != standard

        "Monocultures are effectively standards, and the use of less standards leads to less cost. That is why we have such a large PC market based on the PC hardware standard, along with the de facto Windows standard. All we have to do with the selection of our monocultures, is figure out how to get past the various challenges that arise."

        The number of logical fallacies in this would take quite a while to count. Suffice to say that a monoculture is not a standard; ask the forestry people in Europe dealing with their declining biodiversity. There is no "standard" benefit from having only one species of oak in a forest.

        Likewise a standard does not represent a monoculture. An SAE #8 machine screw is based on a classic standard, but the dang things are available in (off the top) mild steel, hard steel, brass, nickel-plated mild steel, stainless steel, and nylon. That's just at my local hardware store; if you go to the industrial catalogs there are lots more. You have your pick of manufacturers worldwide. About the only thing that they have in common is that they'll all screw into an SAE #8 nut.

        The essence of a standard is that it specifies the minimum properties needed to ensure interoperability. Bluetooth is such a standard. Microsoft operating systems, on the other hand, are not, any more than a particular species of black oak is.
        Yagotta B. Kidding
        • Yes it does

          "The essence of a standard is that it specifies the minimum properties needed to ensure interoperability. Bluetooth is such a standard. Microsoft operating systems, on the other hand, are not, any more than a particular species of black oak is."

          Doesn't Windows come with the Win32 API which provides a standard way for programs to operate on a PC? Doesn't Windows come with a range of other services that allow things like drivers to operate and work across a range of computers? Windows is technically a collection of standards that allow various software and hardware to work reliably on a PC. Though there may be some variation among the standards in different versions of Windows (usually affecting drivers), Windows is on the whole a reliable standard (OS), that supports the overwhelming majority of applications, going all the way back to DOS.
          P. Douglas
  • Fringe elements

    "However, few would advocate diversifying beyond HTTP to encompass 10 or 20 networking protocols for Internet-based data interchange. We would be 'more secure' in that those not using HTTP wouldn't be exposed to risks associated with HTTP networks (such as bugs in Web browsers that use HTTP as their networking protocol), but the costs of such a draconian solution, in terms of a less functional Web, less compatibility, and more development and maintenance effort would surely outweigh the risk."

    Well, few with the exception of the IETF and most of the network engineers out there. John ignores them to clarify the argument, I suppose; it would certainly complicate matters to include:

    ftp-data 20/tcp
    ftp 21/tcp
    ssh 22/tcp
    telnet 23/tcp
    smtp 25/tcp
    domain 53/tcp
    finger 79/tcp
    pop2 109/tcp
    pop3 110/tcp
    auth 113/tcp
    sftp 115/tcp
    nntp 119/tcp
    ntp 123/tcp
    imap 143/tcp
    snmp 161/tcp
    bgp 179/tcp
    irc 194/tcp
    imap3 220/tcp
    nntps 563/tcp
    whoami 565/tcp
    rsync 873/tcp
    imaps 993/tcp
    ircs 994/tcp
    pop3s 995/tcp
    cvsup 5999/tcp
    bittorrent 6881-6889/tcp
    pgpkeyserver 11371/tcp

    That's almost thirty, although I stuck with the ones most commonly used over the Internet (no oddballs, no LAN-only stuff like CIFS, RPC, LDAP, X11, etc.)

    Now, I understand that John is a web programmer and may not know that there are other protocols besides HTTP. That makes sense, just because all he has is a hammer doesn't mean that the rest of us have to nail our microwave ovens shut. Frankly, I have a hard time imagining NTP working in any usable sense if it had to be tunneled over HTTP, and DNS over HTTP would be such a pig that words fail.

    So, John, have fun with your hammer. I hope you won't be too terribly hurt if the rest of us keep a few screwdrivers, hacksaws, table saws, lathes, and milling machines; mostly we try not to hurt your feelings by using them where you can see them.
    Yagotta B. Kidding