Page 8 - MSDN Magazine, April 2017
Editor's Note, by Michael Desmond: The Things We Leave Behind
In its short history, the Internet of Things (IoT) has produced its share of drama, from the largest-ever distributed denial of service (DDoS) attack (msdn.com/magazine/mt790193) to the prospect of zombie automobiles taking orders from remote hackers (msdn.com/magazine/mt422336). Now, a recent presentation at the RSA Conference 2017 makes clear that the IoT has an ownership lifecycle problem. And once again, the auto industry is helping lead the way.
Charles Henderson leads IBM's rather amazingly named X-Force Red, a crack team of security pros tasked with challenging and verifying the security of deployed applications, networks, hardware and workforces. In that role, Henderson is involved in research, outreach and vulnerability testing for IBM. At the RSA Conference 2017 in San Francisco, Henderson related his personal experience trading in a beloved convertible for a new car at an auto dealership. What started as a simple transaction turned into a journey of discovery, as Henderson learned that there seemed to be no straightforward way to fully remove his personal information and access rights from the connected systems on his old car.
It wasn't for lack of trying. Henderson detailed the steps he took in returning his convertible, taking care to clear his personal information from the car's infotainment and other systems. He performed a factory reset, wiped the Bluetooth settings and reset the garage door openers. But when he got home with the new car—a different model from the same brand and dealership of his old car—Henderson discovered something odd. The smartphone app used to locate his car and provide convenience functions like locking doors, starting the engine and beeping the horn still showed his old car right next to the new one. Figuring there must be a lag in processing the transfer, Henderson waited. And waited. And waited.
Two years later, the old convertible was still present in his smartphone app. Henderson enjoyed as much control over his old car's systems as the current, rightful owner. Over the two years that followed, he researched the resale of several cars back to authorized dealers across four different manufacturers, and found that in every instance the dealer failed to properly control access after the sale.
“Cars are not disposable items,” Henderson said. “Concepts of access revocation and resetting access only work if they’re intuitive to that second owner.”
The problem is only getting worse. As home smart hubs and other consumer-connected devices and appliances proliferate, the question arises: What happens to data, settings and access after you're done with connected hardware? Right now, there's no easy and obvious answer. Henderson pointed out that the mobile phone industry used to have this problem, with personally identifiable information (PII) like photos and contacts turning up on phones resold on the open market. To help boost the resale value of phones, vendors worked to create a consistent device reset experience.
Automobiles and really the whole universe of consumer IoT products need something similar. Henderson said the answer lies in the development and adoption of standards for clearing PII from devices, and in training users to look for and utilize factory reset functionality. And even then, it won’t be easy.
“At the B2B level we still screw up access revocation on a daily basis,” Henderson told the audience. “If we can’t do it in business, how do we expect to do it in the home? That’s a tough nut to crack.”
It certainly is. But the alternative is to leave a trail of leaky, exposed and vulnerable connected hardware in our wakes.
Visit us at msdn.microsoft.com/magazine. Questions, comments or suggestions for MSDN Magazine? Send them to the editor: mmeditor@microsoft.com.
© 2017 Microsoft Corporation. All rights reserved.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, you are not permitted to reproduce, store, or introduce into a retrieval system MSDN Magazine or any part of MSDN Magazine. If you have purchased or have otherwise properly acquired a copy of MSDN Magazine in paper format, you are permitted to physically transfer this paper copy in unmodified form. Otherwise, you are not permitted to transmit copies of MSDN Magazine (or any part of MSDN Magazine) in any form or by any means without the express written permission of Microsoft Corporation.
A listing of Microsoft Corporation trademarks can be found at microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx. Other trademarks or trade names mentioned herein are the property of their respective owners.
MSDN Magazine is published by 1105 Media, Inc. 1105 Media, Inc. is an independent company not affiliated with Microsoft Corporation. Microsoft Corporation is solely responsible for the editorial contents of this magazine. The recommendations and technical guidelines in MSDN Magazine are based on specific environments and configurations. These recommendations or guidelines may not apply to dissimilar configurations. Microsoft Corporation does not make any representation or warranty, express or implied, with respect to any code or other information herein and disclaims any liability whatsoever for any use of such code or other information. MSDN Magazine, MSDN and Microsoft logos are used by 1105 Media, Inc. under license from owner.