Smart wars, black hats, white hats

By Larry Buzecky, AEM Vice President, Business Intelligence & Strategy

Anything “smart” can be hacked. Smart body parts. Smart homes. Smart cars. Smart cities. And, of course, smart agriculture or construction equipment.

We know hacking can be pervasive, invasive. In order to not lose sight of just how pervasive and invasive, programmers sometimes set up what’s called a honeypot to sniff out who might be sniffing into their systems. Developers and programmers hold or attend Black Hat conferences in order to see the latest and greatest hacks. Product tear-downs are documented on-line in order to demonstrate vulnerabilities and “opportunities.”

I remember when the first few versions of the iPhone were rolling out, it was all the rage to find ways to compromise their operating systems in order to extend their functionality (this was called “jailbreaking” and there was a lucrative market around selling these “open source” versions of the iPhone). Come to think of it, this is still going on – see product tear-down link above. The bulk of activity in this ultra-gray hackers’ world remains hidden, of course, and we only learn about the activity if and when we identify the result of its application. I can’t emphasize that “if” enough.

But let’s clear up a myth about hacking – not all hacking is performed for nefarious purposes. For some, hacking is exploring, tinkering, seeking to understand, an attempt at bug correction or performance enhancement. Or, it’s simply considered fun - think old school script kiddies, or “skiddies.”

Wired has reported on attempts made by a family farmer named Dave and his pal Kyle Wiens, who is co-founder and CEO of iFixit, an online DIY repair community and parts retailer that provides access to open source repair manuals and product teardowns, to sidestep a hydraulic sensor issue on Dave’s tractor. The problem Dave was trying to eliminate was the tractor’s downtime between sensor failure and the fix implemented by an authorized technician. In short, what Dave and Kyle resolved to do was hack the tractor’s engine control unit (tECU), a very proprietary system that was well-secured by the manufacturer. In very short, Dave and Kyle were not successful.

Maximizing uptime is one of those golden targets our member companies are continuously seeking to hit. Dave wanted to maximize his uptime. And of course the tractor manufacturer wanted to protect this very sensitive and critical tractor component. Unauthorized tinkering in this proprietary system, besides being potentially (or actually) criminal, can easily lead to product damage or destruction, or even worse, much worse, injury or death to the end user. Tractors are expensive. Body parts and lives are priceless. Quick clarification – by body parts I mean our original body parts are priceless; fake body parts, or prosthetics, are spiraling down in price thanks to 3D printing. But I digress.

In previous blog posts I’ve talked about the tug-of-war that exists at times between managing risk and allowing for innovation – they don’t always walk together happily hand-in-hand. In the linkages between the interests of equipment manufacturers and the wants or needs of the end-user, there is understandably tension. Add into this mix a hacker community, either well-intentioned or not, that will not hesitate to look for vulnerabilities in systems like engines and transmissions.

Thankfully you also have a white hat community that documents and communicates the vulnerabilities they run across in order to help keep the systems they are scrutinizing more secure. Although there is some irony in that white hats can only document and communicate vulnerabilities around systems they are also trying to hack.

In this tense environment between OEMs maximizing security and end-users wanting to increase functionality on their own terms at times, and a restless and relentless hacker community, I believe there needs to be an ongoing discussion or forum that highlights the latest security issues, brings all parties to the table, and seeks resolutions that keep end-users safe while recognizing the limits of closed systems – because if they’re closed now they won’t stay closed for long. Perhaps OEMs should sponsor a hacker event in order to better understand the forces at work for or against their equipment. Perhaps AEM should help OEMs do that.

Ultimately, I believe that OEMs will have to move toward more open platforms, like this agriculture equipment manufacturer that opened their Application Program Interface (API) to third-parties this year. User communities that are allowed to engage with must-use systems can serve as a cheap and indispensable resource for companies that can get comfortable with this kind of IP exposure in terms of debugging, product enhancements, problem solving, and the list goes on.

In the meantime, high school graduates looking to ensure for themselves stable, profitable, valued, rewarding, long-term future employment need look no farther than a major in computer science with an emphasis on information systems security.

 
