BMW’s vulnerability reveals disturbing trend in the race for features

Security isn’t cool. It’s the business equivalent of your dad forcing you to put on a jacket before you can go out with your friends, and it’s a major reason companies continually overlook security in favor of flashy consumer-facing features.

Earlier in 2015, researchers at a German motorist association discovered a vulnerability in BMW’s ConnectedDrive system that could allow hackers to unlock the doors of more than 2 million vehicles.

BMW had the communication traveling through a cellular-based Internet network over a non-encrypted channel — the equivalent of logging on to your bank account over “http” instead of “https” — and the Allgemeiner Deutscher Automobil-Club was able to manipulate functions by simulating a fake phone network.
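The flaw described above comes down to a command channel with no authentication: whoever controls the network (here, a simulated phone network) can rewrite or replay a message and the vehicle has no way to tell. The following Python snippet is an added illustration, not BMW's code or the ADAC's test setup; the key, the message format, the `Vehicle` class and the `hostile_relay` stand-in are all constructed for the example. It contrasts a receiver that trusts whatever arrives with one that checks an HMAC tag and a nonce before acting. In a real deployment the channel would also be encrypted and the key provisioned per vehicle; the MAC check alone is shown because it isolates the property that was missing.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set, Tuple

# Constructed demo key shared by the backend and one vehicle. A real deployment
# would provision a distinct key per vehicle inside protected storage.
DEMO_KEY = secrets.token_bytes(32)


def encode_command(command: str, nonce: str) -> bytes:
    """Serialise a remote command exactly as a network relay would see it."""
    return f"{nonce}:{command}".encode()


def decode_command(message: bytes) -> Tuple[str, str]:
    """Split a serialised command back into (nonce, command)."""
    nonce, command = message.decode().split(":", 1)
    return nonce, command


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the whole message, so nonce and command are both bound."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hostile_relay(message: bytes) -> bytes:
    """Stand-in for a network under someone else's control (the fake phone
    network in the article). It rewrites a 'lock' command into 'unlock'."""
    return message.replace(b":lock", b":unlock")


class Vehicle:
    """Receiving side. seen_nonces rejects replays of a captured message."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: Set[str] = set()

    def accept_unauthenticated(self, message: bytes) -> str:
        # The pre-patch design: whatever arrives over the channel is trusted.
        _, command = decode_command(message)
        return command

    def accept_authenticated(self, message: bytes, received_tag: bytes) -> Optional[str]:
        # compare_digest runs in constant time, so tag bytes do not leak via timing.
        if not hmac.compare_digest(tag(self.key, message), received_tag):
            return None  # forged, or modified in transit
        nonce, command = decode_command(message)
        if nonce in self.seen_nonces:
            return None  # replay of an earlier genuine message
        self.seen_nonces.add(nonce)
        return command


def demo() -> dict:
    """Run one genuine 'lock' command through both receivers and return the outcomes."""
    nonce = secrets.token_hex(8)
    genuine = encode_command("lock", nonce)
    genuine_tag = tag(DEMO_KEY, genuine)
    car = Vehicle(DEMO_KEY)
    return {
        # Plaintext receiver: the rewritten command is executed as if genuine.
        "plaintext_tampered": car.accept_unauthenticated(hostile_relay(genuine)),
        # Authenticated receiver: the same rewrite fails the tag check.
        "authenticated_tampered": car.accept_authenticated(hostile_relay(genuine), genuine_tag),
        # The untouched message is accepted once...
        "authenticated_genuine": car.accept_authenticated(genuine, genuine_tag),
        # ...and a replay of it is refused.
        "authenticated_replay": car.accept_authenticated(genuine, genuine_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The point of the contrast is that the HMAC does not hide the command (an observer still sees "lock"); it only makes forgery and replay detectable, which is the property the "https instead of http" comparison in the article is really about. Confidentiality would need encryption on top, which is why TLS, doing both, is the usual answer.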

BMW quickly patched the flaw, but this PR nightmare brought to light a pervasive problem facing the industry: Companies today are so fixated on meeting consumer technology demands that they often overlook the most basic security features. BMW, Mercedes-Benz, Audi, and Lexus are constantly trying to outdo one another with new features, but by treating security as an afterthought, the competition puts sensitive consumer data at risk.

This problem isn’t limited to auto manufacturers. Just look at the recent Venmo debacle. It seems obvious that a company specializing in peer-to-peer financial transactions would have state-of-the-art security measures in place, but security isn’t users’ top concern, so it often isn’t companies’ top priority, either.

End users are more interested in the convenience and features a product has to offer. They aren’t thinking about the gaping security holes. But as our technology becomes more intelligent, more autonomous, and more interwoven into every aspect of our lives, security will become an even bigger pain point.

Advertise on features, bank on security

There’s no doubt that security is hard to advertise. No one looking to buy a car is asking about BMW’s encryption (until now), which is why companies often focus on building features that are visible to the consumer.

Security can also seem burdensome to end users, particularly when they’re asked to type in a lengthy password with numerals and special characters to prevent people from being able to easily guess their login credentials. But allowing security to fall by the wayside just because it isn’t “cool” is myopic at best, disastrous at worst.

Users might not understand everything your company does to protect their data, but having a reputation of solid security can be a major differentiator. For instance, Telegram, the security-conscious messaging app, saw a surge in downloads after Facebook bought WhatsApp. The fact is that, despite its popularity, users still distrust Facebook when it comes to privacy. Telegram, on the other hand, offers prize money to users who can break through its encryption; a $200,000 reward for breaking the service’s homegrown MTProto encryption protocol remains unclaimed.

Box is another company that uses encryption to consumers’ benefit. The brand recently released a security feature that lets users encrypt data in Box’s cloud while storing the encryption keys on their own side — leaving Box without access to the encryption keys. This setup makes a Box breach — or a government inquiry — a non-issue for its customers.

Similarly, Epic, an electronic health record system, recently notched a big win for a small security-conscious company. Healthcare is a highly regulated industry, but few EHR systems have as much security built into them as Epic’s. Mayo Clinic recognized the system’s superior security and chose to migrate from its combined GE and Cerner EHRs. Mayo Clinic’s adoption of Epic shows how worthwhile it is for organizations to move to systems that take security seriously in a complex, insecure world.

The key is to stop seeing security as a burden and start approaching it as an opportunity. More often than not, the biggest cost of better security is time. It can slow development and mean finishing second in the race to release new features, but while you may lose a sprint or two by investing in top-notch security, you’ll be more likely to win the marathon with users.

Tim Maliyil is CEO and data security architect for AlertBoot.


Originally published at venturebeat.com on March 25, 2015.
