At my latest visit to my hairdresser, he told me about two recent crime incidents in Sweden involving wireless communication. This sent me home to research what had happened in more detail – and the results are not very comforting.
The Incidents
The first incidents – An owner of a new BMW X5 had his car stolen apparently by two perpetrators. One following the man when he left his car and another standing close to the car. The one at the car activates the cars security system with a special device. The car then asks the key for a code. This request is transmitted to the person following the owner and sent to the key in the owner’s pocket. The key answers with the code. The code is then transmitted to the person at the car and sent to the car – and it is opened. Following the same procedure, it can be started. Now they can drive for as long as they want as long as they don’t turn off the engine…
The second incident – was a burglary at a house equipped with the latest in wireless alarms. The son aged 17 was home alone, had activated the perimeter alarm, and went to sleep. At night, he woke by somebody entering through the main entrance. He sneaked out through a back door and tried to call the police from his mobile. He couldn’t get any signal, and the alarm hadn’t worked. The burglars were using a jammer that killed all wireless communication within a 200-meter range.
The Risks
Both incidents illustrate that though very convenient, wireless communication comes with risks.
Apparently, both kind of devices can be bought on the Internet at fairly low cost – a few hundred Euros. The car “hacking” devices only on the “dark” Internet, but the jammer can be bought for legitimate purposes like ensuring disturbance-free environments, preventing cheating at exams, etc.
These two incidents illustrate, that whenever you are working with wireless communication you need to make the communication safe and secure by design, and not as something you add on later.
Resolution?
In the alarm scenario, you could have the alarm go off with a special alarm saying, “Communication lost” – in both ends – in the house to alert residents and in the monitoring center to take appropriate action.
In the car scenario, you could add a time constraint prohibiting relaying of communication and perhaps add randomly scheduled challenge responses to verify continued contact between car and key.
I don’t mean to say, that these small additions will completely solve the problem – they are after all just add-ons on something that was not designed for safe reliable communication.
When it comes to IoT devices, you need to make a thorough investigation of the potential consequences of disrupting or intercepting the communication and find ways of mitigating these risks by design. You will not be able to prevent all kinds of interruption, but you might be able to detect, document and perhaps alert on interruptions enabling fast resolution of the issue.