Smart Solutions

Column Bernd Schöne: German Angst

The German computer security authority BSI recently released a 592-page report on the proceedings of its latest biannual Cybersecurity Congress in Bad Godesberg, and it makes fascinating reading. This time IoT was the hot topic. In fact most of the experts talked about nothing else. And what they had to say sounded very, very German, especially to people of the Anglo-Saxon persuasion. They were very, very worried. In fact they scared stiff.
Of course, Germans always have a tendency to view the future with a mixture of skepticism and good old German Angst – a vague sense of impending doom. Where others see opportunities, they tend to see risks, which often makes it difficult to communicate across cultural borders. Brits and Americans seem to be talking about a completely different subject than their German counterparts.

In this case, the big issue was the worry that, in terms of automation and smart factory applications, the world is about where office IT was back in the 90ies, or so the German participants tended to believe, many of them hailing from very prestigious institutions and official agencies. The consensus was sort of like this: stop everything! First, we need to devote lots of serious research to solving the problems before we can take a cautious step forward.


Bernd Schöne

Germans always have a tendency to view the future with a mixture of skepticism and good old German Angst.

Bernd Schöne
is a veteran German Internet journalist and an expert on cybersecurity

 

As if to confirm their greatest fears, news circulated around the conference rooms that two American hackers, Charlie Miller and Chris Valasek, had just demonstrated on public television how they were able to take control of a passing automobile from a distance of more than half a mile, switching the lights on and off and applying the brakes while the drivers were reduced to helpless passengers, paralyzed with fright. They then proceeded to take over the wheel and drive the car into a ditch. Okay, all this was done under controlled circumstances on a test circuit, and nobody got hurt. But everybody could readily imagine what it would be like if you were careening down a German autobahn at 130 miles an hour. Germans love their cars, and they trust in German automotive engineering. For them, it was as if the world had just started rotating in the wrong direction.
As a result of the televised live hack, Fiat, an Italo-American manufacturer, was forced to recall 1.4 million vehicles which had been proven vulnerable, including Dodge, Ram and Jeep models. All were found to need an immediate software update in order to close the hole through which Miller and Valasek had been able to gain access.
At the conference, the German IT expert Stephan Gerhager publically asked if the same thing could happen to German T
automobiles. When he got home he hired an automotive engineer and a graduate student who were given two months to attempt to similarly penetrate the biggest and most expensive German cars. It turned out it was a cinch: using off-the-shelf computer systems available in any backstreet garage they were able to listen in on the in-car data communications and insert malware that was able to take complete control through the so-called CAN Bus, a communications interface that is standard in most German cars of more recent vintage.
The good news was that they had to be sitting in the car to do it. Any attempt to duplicate the stunt by the American hackers and steer the car remotely via wireless control failed dismally.
It turned out that the German engineers had done their homework. The vital systems over which entertainment and engine communications flow were hermetically sealed off from the outside and from each other, like the systems of compartments that can keep a ship from sinking if it suddenly develops a leak, thus making them impossible to tamper with, at least remotely. It appears that German Angst actually paid off in this case: the car makers had been worried about the kind of stunt Miller and Valasek had pulled, even though there had been no proof up to that point that the deed could actually be done.
As it turns out, virtually every German car manufacturer has gone an extra step by now and added encryption and strong authentication to their vehicle systems. The CAN Bus is now virtually impregnable.
Stephan Gerhager conducted his research independantly, but he received funded from Allianz, the largest German car insurance company. But Alliance also insures large factories, and it seems that many industrial robots also use CAN Bus technology. They, too, are potentially subject to outside attack by remote control systems used by hackers to bring production to stop or, more worryingly, to cause the factory to produce faulty products, a fact that would probably only turn up after they have already been delivered to customers.
Conceivably, this realization will cause even non-German engineers and managers to wake up to the fact that they need to do something, and do it fast! Working on the principle that worrying too much about security is bad for business, and that if something is broke we can fix it later, may be typically American. But sometimes a dose of German Angst can be quite helpful.
.

Comments are closed.