
I’ve often written about how depressing I find computer security for the December issue, so this year I thought I’d try a different tack. Honestly, there were parts of USENIX Security, particularly the WOOT workshop, that had me laughing out loud.
I really liked the “Fast and Vulnerable” paper for its humorous insights into the state of programming. A widely used product, one that is Internet-connected and can be used to control cars, totally fails at having any security at all. What a laugh! They even included the private SSH key for the root account for the device—and the same key is used on all devices by this manufacturer.
Not that SSH is needed at all: just a simple SMS message to the device can be used to instruct it to download a software update. That’s right. All you need is a phone number and to send a text message, and you can “own” someone else’s car. And the phone number could be wardialed. As if this weren’t enough, there’s also a Web and a Telnet interface you can use.