The DEFCON conference has created a number of stories regarding security over the last week or two. The much-publicized Cisco router weakness has been pretty much played to death, but RFID also took its hits regarding the range for the RF communications, a Gartner report revealed that many ATMs don’t take advantage of security codes to make card access more secure, and even our cars may be susceptible to Bluetooth attacks (although they didn’t manage to cause any damage in that case). Are we on the verge of a security-related meltdown of network-connected devices?

We went through a similar round of hysteria with the Y2K problem. I gave a speech in 1999 where I listed all of the things that could happen if embedded systems were disabled by Y2K problems. Once I had their attention I explained why it was not going to happen. Once the press gets hold of this type of story there is a real tendency for the signal-to-noise ratio to get quite low. There is some evidence that this is happening here, although the gain is not set nearly as high as it was in 1999.

Consider the “virus attacks your car through Bluetooth�? scenario. The inference is that a hacker can gain access to the entire vehicular network through this network interface. In reality, with current generations the most they might be able to do is listen in on your cell calls or talk to you in your car. The current level of Bluetooth integration is simply speakerphone implementation. Control networks are strictly segregated from anything externally accessible in cars.

Yes, there are security vulnerabilities in connected embedded systems, but generally these devices are much less complex (and therefore less vulnerable) than general-purpose computers. The antivirus companies have tried mightily to drum up a threat to cell phones or PDAs, but so far they haven’t come up with much. Maybe they need to get more educational material out there to the virus writers so that they can generate them a bigger market.

Larry Mittag