How hacking automotive vehicles, medical devices, voting machines, and internet of things devices makes them safer.
Security researchers and security research are commonly referred to, respectively, as “hackers” and “hacking.” Such words bring negative images to mind: hoodie-wearing miscreants in dark rooms lit only by the glow of a computer monitor. This stereotype is far from the truth. Certainly, malicious individuals attack computer systems and networks every day, for a variety of motives. However, security research and security researchers are an increasingly important part of defending against such attacks, and of proactively finding flaws in the fabric of our digital infrastructure and fixing them before they are exploited.
In this report, we compare four areas in which computers and networks are playing an increasing role: automobiles (Section 2), medical devices (Section 3), voting machines (Section 4), and Internet of Things (IoT) devices (Section 5). We show that the efforts of security researchers have been instrumental in finding and fixing flaws in these systems, such as vulnerabilities and bugs that could have resulted in serious harm, economic loss, and loss of trust in digital infrastructure.
We also describe the complicated process of disclosing flaws. A security researcher does not simply find a flaw, tell the manufacturer, and have the manufacturer fix it. Where we can, we assess whether a given flaw was fixed and how long the fix took. As covered in a past CDT report, a complex set of laws and private incentives can make it difficult for a researcher to engage a manufacturer, and for the manufacturer to quickly fix a reported flaw.
While we try to be detailed in the examples cited in each section, this is not a comprehensive list. Far too many bugs and flaws go undetected, or are detected but never disclosed, or are disclosed only privately. Instead, these case studies make clear that security research is a necessary and important element of a robust, dynamic cybersecurity ecosystem: one that moves quickly to fix design and implementation flaws in systems that mediate our lives every day. Although many of the flaws we discuss were not fixed quickly, the evidence makes clear that we must be very wary of discouraging security research.