Paired my Phone to a Car for the First Time

Ever.

Why never

I don’t think Chrysler (or any manufacturer) is going to do anything nefarious with my information, nor will the auto journalists who test this car after me, but…

1 – Your contacts database is one of your most precious files, and ideally, you have a copy on an external drive, that’s been backed up in the last couple weeks (if you say you store all your contacts in Facebook, please leave my blog.) So why be careless about where that file ends up?

2 – I don’t know what information the car copies, then saves, from my phone. Nor do I know that the data is fully deleted when I un-pair the phone. Not-knowing means not-happening.

3 – I’m still undecided if I trust the cloud, and so I don’t use it. And pairing the car means I’ve dipped my toe into the cloud.

4 – Pairing usually requires Bluetooth, which I don’t use. I’ve been attacked via Bluetooth before, so I quit using it (that’s why you never see me anymore in my beloved hands-free headsets).

So why now?

I’m conducting a test for an upcoming ‘Keri on Driving‘ column…

The test is: automakers say we’re now able to fully control our car, without removing our hands from the wheel. Okay then, let’s see.

I set up for success and chose Chrysler because their ‘UConnect’ infotainment system is one of the best available.

How I paired it

I did not pair my own phone, not a chance.

Instead, I got a pre-paid SIM card from TELUS (talk & text only, no data), and put it in the Android they gave me. I saved the contacts I chat most with, and fired it up.

What happened

1 – the car has now saved my entire contacts list, and my call history
2 – the car can now access my text messages, and can send as me

So to word it dramatically - the car now knows all your friends, whom you speak with most, and can text them. This is why you always delete your phone from a rental car, and don’t name your phone your name.

Because a possible attack: return the rental car > next guy gets in > your phone is your name > look up home address for that name > guy now knows where you are not

That’s pretty high-level, and the guy would have to be quite skilled, but still, why chance it.

Let the test begin

Figured out voice command navigation this afternoon, and how to send texts but only using the screen (think I’m doing something wrong there), audio is easy, and not sure if climate controls are even a possibility…

How nice did this photo turn out

When it launched, I reviewed this car for the paper, click here.

Short review – the 200 went from barely competing, to the one to compete against.

 

Had an Epiphany Yesterday

I write the news for the paper on Tuesdays, and wrote about the most hackable cars.

Autonet – the Most Hackable Cars

I pitch these types of stories constantly, and my editor rolls his eyes, okay most people roll their eyes at me, to which I always say “you’ll see”.

Because securing cars is going to be a huge thing soon, especially with all the internet connectivity coming to cars. Chevy is bringing WiFi to dashboards this summer.

The first time a car is breached and lights the news on fire, remember where you heard it first.

The story was well received by both industries (auto & security), then today an infosec buddy even texted me from across the country that his client just quoted it.

So my epiphany is this – I’m going to narrow in and specialize in this. Make myself really good at it. I’ve already decided I’m auto-for-life, and think I could excel in this vertical.

I already have over a year of history online writing about it, a reputation starting with the manufacturers, it brings my 2 favourite things together (cars and security), and I find it so fun. And bet I can find big cheques down the road in it too.

So I spent way too much time today investigating further, and check out my OBD2 reader courtesy of my neighbour!

Here we go guys… PUMPED.


It’s not IF You are Breached, it’s WHEN

That’s one of the oldest sayings in security, because it’s true.

Thinking you are going to be forever immune is delusional.

Do you not lock your front door? Lock your car when you park it downtown? Take a different walking path at night than during the day? Why would online actions require less diligence and care?

Here’s the mean number of breaches to Canadian companies, over the last 4 years.

Note that none of them are 0.

If you are a small business owner:

You have a responsibility, especially if you are accepting people’s credit card numbers. Because you may be more of a target than you realize… think like an attacker: is it easier to go after 1 large business, that likely has security systems and staff in place? Or 10 smaller businesses, who probably have no clue and are lazy about protecting their assets?

The type of breaches Canadian companies experienced last year.

1 – one careless click, on one stupid link…
2 – how old-fashioned! Never leave your laptop unattended
3 – from the inside…
4 – lock your WiFi network. And change your router password too, how to here
5 – the counter to this attack is listening to your gut. Blog tag = social engineering

***

This is an excerpt from my interview with Hernan Barros, Director of Security Solutions at TELUS, and Walid Hejazi, Associate Professor, Rotman School of Management, University of Toronto, about their new study, the 2014 TELUS-Rotman IT Security Study.

More about that here.

 

 

How ‘Security Responsible’ are You?

TELUS has released their 6th annual study of Canadian business security practices.

The report focuses on which best practices businesses have in place, that go beyond just compliance (as in, the bare minimum forced on you by the government.)

Ideally, your business is in the quadrant with the *.

How does your small business compare?  Take this test to find out.

Give yourself a score between 0-7 (0 being terrible, 7 being excellent), then compare how you operate to other Canadian businesses.

Do you…

1 – monitor and/or have rigorous procedures to act on new threat information

2 – understand the security drivers impacting your business

3 – conduct regular security awareness training for employees

4 – involve security early and throughout the development of new infrastructure/systems

5 – communicate social media policies to their employees

6 – have and/or execute on a comprehensive mobile security strategy

7 – conduct enterprise mobility security testing and Threat Risk Assessments (TRA)

Now compare:

The more “security responsible” companies have fewer breaches, retain staff longer, manage risk better, and are better positioned to take new risks (side-note from me: they have better business karma, because accepting a credit card and being careless and lazy about it is terrible.)

And ideally, you have ongoing employee training sessions, because the human is always the weakest link.

Note:

This is an excerpt from my interview with Hernan Barros, Director of Security Solutions at TELUS, and Walid Hejazi, Associate Professor, Rotman School of Management, University of Toronto, about their new study, the 2014 TELUS-Rotman IT Security Study.

The study is in its 6th year, and TELUS remains the country’s only telecom to proactively study security, and this is the only Canadian study this in-depth on a single country.

How it was conducted: 400+ security professionals were surveyed in the 2nd half of 2013, looking for both qualitative and quantitative data on how companies are executing their security strategies. Respondents were Private 48%, Government 23%, Publicly Traded 20%, and Non-profit 9%.

Blog tag = TELUS Security

 

 

Things to Think About re: Autonomous Cars

Read it online at Autonet.

Will parking spots become extinct?

What about securing something that is more computer than car? Protect the privacy of the vehicle’s whereabouts… or the car’s software from attack, because think that nightmare through.

Will map-range anxiety replace spontaneous exploration and adventure?

Favourite line:

Go get lost this coming weekend, while you still can.

***

I had a paragraph in there, about the ethics of programming the crash-avoidance algorithm, but it got cut.

What I said:

In an imminent crash involving two vehicles, what are the ethics behind the crash-avoidance algorithm? Aim for the larger object? Now all SUV drivers feel targeted, because they are, so will their insurance increase then? What if it’s programmed to hit the car best known for safety? Volvo owners won’t be happy about that.

***

Above Photo

That’s an Audi TTS.

Google gets a lot of press about their autonomous car, but back in 2010 Audi sent the roadster up a 14,000 foot mountain, “Pikes Peak”.

It was even able to register negative obstacles, as in, stuff that wasn’t there, like a cliff without a guard-rail.