Can I take over your car with my browser?
You bet.
A recent hack of the Nissan Leaf highlights the worst fears of companies racing to extend their businesses to mobile platforms.
Yes, remote control has been demonstrated
Well, not total control. The Leaf exploit didn't let the hacker drive the car like Doc Brown did with his time-travelling DeLorean, or anything as drastic.
Nonetheless, in addition to accessing a shocking amount of data about the car and its owner, the hacker "...was also able to access the HVAC system to turn on the heater or A/C, and to turn on the heated seats."
And he did it all from his browser as he sat far away from the vehicle itself, in a different country.
Wow. That's some serious s***.
And it was pretty easy to do
It was just a matter of reverse-engineering the mobile app, understanding the calls that it makes, and emulating how the app works using a simple set of readily available browser tools.
We shouldn't be shocked in the least
For those of us who have been dealing with this kind of thing for a while now, the Leaf exploit is not surprising at all. Just google for five or ten minutes. You'll find numerous similar examples of published exploits in automotive, retail, energy, social media, and numerous other sectors.
Are you worried?
If your business is developing new digital channels to your customers - and that probably includes just about all of you on LinkedIn - you should be.
Security for digital business is not what it used to be.
Today, important components of your systems hang off public networks, whether we like it or not: the mobile app on the smartphone, the Fitbit tracking steps and sleep patterns, the telematics device in your car tracking how you drive, or the car itself. All of these are sophisticated software operating "in the wild", as it were.
But more importantly, they need to communicate with each other, and almost always with server software doing the heavy lifting, such as data storage, analytics, account management and billing, either on premises or in the cloud.
And there's the rub. Software and systems development organizations comfortable with developing systems nested safely behind firewalls, on private networks, have little or no experience managing the risk of components outside the firewall. Worse, having lived in a protected bubble for so long, these organizations often fail to recognize the risks at all.
Should you call a halt to digital channels development?
Or maybe slow things down until your internal security practice can catch up to the technology being used today?
Absolutely not. There are ways to mitigate the risks involved in developing digital properties that span private and public networks, and keep your business and its customers reasonably safe, so that the business need not be hindered in its march into new digital markets.
CA Technologies can help
CA Technologies has invested a great deal of time and R&D in developing solutions that enable the development of new digital channels using mobile and IoT components, safely and securely.
Recently, CA announced the general availability of a new Mobile App Services (MAS) platform. MAS adds access control and security to both the public-network-resident and server-side components of your new digital channels, so that you can continue to pursue aggressive development goals without lying awake at night worrying when the first hack will happen.
Feature snapshot
The MAS solution is built on top of CA API Gateway for Mobility (or "Mobile API Gateway" - I know, that sounds like a gateway with wheels :) - or MAG), which is recognized by analysts as the market-leading solution for securing the kind of mobile, IoT, and cloud connect-in scenarios introduced by new digital channels development.
Take a look at this feature chart, which shows how the MAG and MAS layer on top of each other: first, making sure the communication between the components of your highly distributed systems is secure, and then adding tools for developing great new digital properties while leveraging that secure foundation.
If you wonder at all why these features are of utmost importance to developing cohesive, compelling "apps" that span mobile, IoT, cloud, and on prem systems, ask your developers.
Ask them whether they bothered to implement PKI that uniquely identifies every instance of a public-network device. If they didn't, ask them why they decided not to.
Ask them if they ever dreamed of connecting the current call centre staff to customers with in-app chat. Did they implement that feature? If not, why not?
Ask them if they sometimes wished that the security people would let them store more sensitive data on the device, so that the app doesn't always need a network connection back to the mothership to function well.
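The questions above come down to one design rule: once the app's calls can be reverse-engineered and replayed from a browser, the server side cannot rely on the client staying secret, so it has to check who is calling and whether they own the vehicle. The following is an added example (mine, not code from the article or from the CA MAS/MAG products) of such a server-side gate for a vehicle-command API. It assumes a registry that records one key per app install or telematics unit, which account each device belongs to, and which account owns each vehicle; every identifier and key in it is constructed. Per-device HMAC keys stand in for the per-device certificates a PKI would issue, so that the example needs only the Python standard library.

```python
import hashlib
import hmac
import time

# Constructed sample registry (not from the article or any real product).
# Each app install / telematics unit gets its own secret, standing in here
# for the per-device certificate a PKI would issue.
DEVICE_KEYS = {
    "device-A1": b"constructed-secret-for-device-A1",
    "device-B2": b"constructed-secret-for-device-B2",
}
DEVICE_ACCOUNT = {"device-A1": "alice", "device-B2": "bob"}
VEHICLE_OWNER = {"VIN-EXAMPLE-0001": "alice", "VIN-EXAMPLE-0002": "bob"}
ALLOWED_COMMANDS = {"hvac_on", "hvac_off", "heated_seats_on", "heated_seats_off"}
MAX_CLOCK_SKEW = 300  # seconds; anything older is treated as a replay


def canonical(device_id, ts, vehicle, command):
    """Fixed field order so client and server sign exactly the same bytes."""
    return f"{device_id}|{ts}|{vehicle}|{command}".encode()


def sign_request(device_id, key, vehicle, command, ts):
    """What the genuine app does: sign the command with its own device key."""
    digest = hmac.new(key, canonical(device_id, ts, vehicle, command), hashlib.sha256)
    return {
        "device_id": device_id,
        "ts": ts,
        "vehicle": vehicle,
        "command": command,
        "sig": digest.hexdigest(),
    }


def authorize(req, now=None):
    """Server-side gate in front of the vehicle command API.

    Returns (allowed, reason). Every check runs on the server, so knowing the
    endpoint and its parameters (e.g. from a reverse-engineered app) is not
    enough: the caller also needs the device's key and must own the vehicle.
    """
    now = time.time() if now is None else now
    device_id = req.get("device_id", "")
    ts = req.get("ts", 0)
    vehicle = req.get("vehicle", "")
    command = req.get("command", "")

    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    # Replay window: a captured request cannot be resent indefinitely.
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "stale request"
    expected = hmac.new(key, canonical(device_id, ts, vehicle, command), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the signature through timing differences.
    if not hmac.compare_digest(expected, req.get("sig", "")):
        return False, "bad signature"
    if command not in ALLOWED_COMMANDS:
        return False, "command not permitted"
    # Ownership: the account behind this device must own the target vehicle.
    if VEHICLE_OWNER.get(vehicle) != DEVICE_ACCOUNT[device_id]:
        return False, "vehicle not owned by caller"
    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    genuine = sign_request("device-A1", DEVICE_KEYS["device-A1"], "VIN-EXAMPLE-0001", "hvac_on", now)
    print("genuine app, own car:", authorize(genuine, now))
    print("genuine app, someone else's car:",
          authorize(sign_request("device-A1", DEVICE_KEYS["device-A1"], "VIN-EXAMPLE-0002", "hvac_on", now), now))
    print("browser replay with no device key:", authorize(dict(genuine, sig="00" * 32), now))
```

The ordering matters: the device is identified and its signature verified before any business rule is consulted, so a request assembled in a browser with the right URL and parameters but no device key is refused at the signature step, and a valid device that targets a vehicle it does not own is refused at the ownership step. In production the per-device key would be a client certificate checked by the gateway (mutual TLS), and the timestamp check would be complemented by a server-side nonce store.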
How to learn more
Hit me up! Feel free to contact me any time here on LinkedIn.
Or, for those of you in the Montreal area, join us at the Hyatt Regency Montreal on May 12, where you can meet the engineers behind the MAS solution. To register, go to https://cainc.to/YXX25J
Want to try it out?
It's easy. Sign up at https://mas.ca.com/ and get started today!
Associate Partner - IBM Consulting (8 years ago): Great article!
Product Marketing - ValueOps - Broadcom Inc. (8 years ago): Excellent!
VP, Product Management, Boomi API Management (9 years ago): The scariest part for me is that you know there are likely other APIs on that same endpoint, which probably do quite a bit more than just run the HVAC. Just because the only features currently exposed in the mobile app happen to be relatively innocuous doesn't mean that's the only vulnerability.
Area Vice President, State & Local Government and Education | East (9 years ago): Great article... Awesome!