back to article Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Fiat Chrysler's bad week just got even worse: the US National Highway Traffic Safety Administration has recalled 1.4 million of the manufacturer's cars after a dangerous software flaw was revealed just days ago. Renowned hackers Charlie Miller and Chris Valasek warned on Tuesday of a ridiculous vuln in the computer systems …

Page:

  1. mr.K

    Muppets

    See title.

    1. BillG
      Megaphone

      Re: Muppets

      Chrysler is treating this like it's a public relations problem. To make them take this seriously, the top level executives of Chrysler should be held criminally liable for any damage. So if someone hacks a Jeep and kills the occupants, charge Chrysler's CEO with manslaughter.

      Watch how seriously Chrysler takes security then!

      1. Charles 9

        Re: Muppets

        No, watch how seriously Chrysler dodges the issue. Remember, executives have the ability to pin spacegoats. They can also lobby Congress and employ their international connections to dodge the charge. The only way Chrysler will pay attention is if there is a public backlash so great that people simply stop buying anything from the conglomerate. For example, if police cancel squad car contracts from Chrysler and switch to GM or Ford cars instead, then that means big money going away.

        1. Rabbit80

          Re: Muppets

          Spacegoats? I haven't fired up goat simulator in a while, is that something new?

          1. VinceH
            Happy

            Re: Muppets

            "Spacegoats? I haven't fired up goat simulator in a while, is that something new?"

            That would have to be something by Jeff "Mutant Camels" Minter, wouldn't it?

            1. Charles 9

              Re: Muppets

              Nice thought. All this over a typo...

              PS. I personally preferred Laser Zone to AMC.

        2. Anonymous Coward
          Anonymous Coward

          Re: Muppets

          For example, if police cancel squad car contracts from Chrysler and switch to GM or Ford cars instead, then that means big money going away.

          .. if, of course, we assume those brands do NOT have these problems.. There is one make which takes this seriously, and has for years, but I am not allowed to mention it - I hope at some point they will actually publicise just how much effort they put in because it's worth knowing.

          1. Richard Ball

            Re: Muppets

            Get car;

            Cut off all antennas and short the connections;

            Start engine;

            Drive.

            Fixed.

            1. Esskay

              Re: Muppets

              Alternatively:

              1. Don't buy a Chrysler

              2. Fixed*.

              fortunately most people have already taken this approach.

              *assumes no other manufacturers think the internet is just a series of tubes

          2. Alan Brown Silver badge

            Re: Muppets

            @AC Presumably you're not allowed to mention it because you work for them, but you should be agitating for them to publically say how much work they put in, etc.

            Doing so will not only make it clear about the scale of Fiat-Chrysler's criminal negligence, but will also serve to expose the other makers who've been similarly negligent.

            I'm not pulling punches. This level of security FAIL should result in jailtime for the management who decided that spending money on better security was too expensive - it's at least as bad as the Ford Pinto debacle and I'm surprised that the NHTSA hasn't gone as far as ordering all affected cars off the road or forcing F-C to field-upgrade every single vehicle at a time and location which suits the customers, given recalls to stealerships only result in a little over half of affected vehicles being fixed within 6 months.

            Mailing out a USB key is spectacularly misguided, as other posters have already pointed out.

            1. Frank N. Stein

              Re: Muppets

              GM had a problem with the ignition switch on one car that actually caused deaths, but their CEO wasn't jailed for it, even though it was proven that GM knew about the problem and covered up fixing it to avoid the financial expenditure. No one was arrested for it. They paid a fine and scapegoats were fired, but that was it. Similar situation with Toyota/Lexus with the "sticking accelerator problem" that killed a couple of people in a Lexus when their accelerator jammed and the car wouldn't stop via brakes, but that was covered up as a problem with floor mats allegedly causing the accelerator to jam. As I recall, the CEO wasn't arrested over that and underlings lost jobs, and there was some sort of a fine, but that was it. F/C CEO isn't going to jail over this. Some underling or two will get fired. They'll pay a fine, and it will get swept under the rug, shortly thereafter. Considering that most manufacturer's have some sort of connected system in their new cars these days(On Star, My Touch, etc.), perhaps they all should examine their systems for vulnerabilities, but of course, they won't, because there are costs associated with it that they want to avoid.

              1. Tom 13

                Re: GM had a problem with the ignition

                Was that about the time the US government was getting all over Toyota about an alleged accelerator problem?

                I recall it smelled of a smoke and mirrors distraction at the time.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: GM had a problem with the ignition

                  "US government was getting all over Toyota about an alleged accelerator problem?"

                  No longer alleged. Been to court, end result $1Bn+ penalty payable by Toyota.

                  http://www.eetimes.com/document.asp?doc_id=1319903 "The single bit flip that killed" 25 Oct 2013

                  "Could bad code kill a person? It could, and it apparently did.

                  The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.

                  This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.

                  [continues]"

                  More detail from Prof Phil Koopman at CMU, an expert witness at the trial:

                  http://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf

                  Toyota agree to pay £1Bn+ to end criminal inquiry

                  http://www.nytimes.com/2014/03/20/business/toyota-reaches-1-2-billion-settlement-in-criminal-inquiry.html

                  Plenty more if you go look for it. But not particularly widely publicised yet. Spread the word.

        3. The little voice inside my head

          Re: Muppets

          Dodge Charge(r), that would be a Challenge(r).

    2. JeffyPoooh
      Pint

      Dumb as tree stumps

      It doesn't matter how difficult the hacking is.

      Once discovered by someone and released, others can 'weaponize' it, and then *anyone* can be a script kiddie. Anyone.

      This same illogical 'difficulty makes it difficult' argument is dragged out time and again.

  2. DryBones

    I smell...

    A new Pwn2Own category!

    1. getHandle

      Re: I smell...

      I smell a new angle for The Fast And The Furious 9!

  3. Efros

    Jeep Grand Cherokee

    Had one of these a number of years ago, it never worked reliably enough in normal use to make it a reasonable hacking target. Pretty sure it was a Monday morning/Friday afternoon job.

  4. VeganVegan
    FAIL

    Pathetic

    Part of their response was that it takes time, effort, & skill to find a way to break in.

    Well, duh! Isn't it true for most hacks?

    And have they heard of script kiddies, who might have little skills of their own, but use someone else's tools?

    It might take 3letter agencies' resources to break my cipher, but once the key is published, even my grandma can be taught to access my secret files. (Sorry Grans, your special Christmas cheese casserole is really that bad).

    1. dotdavid

      Re: Pathetic

      "The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts"

      "The ability to develop the secret of gunpowder is not easy. It took researchers hundreds of years to tap into and control accurate and reliable firearms. They are experts"

  5. iLuddite

    supply and demand

    If markets generally operate on the principle of supply and demand, who is demanding connected private vehicles? Several people I have talked to are apprehensive of the idea, and I do not personally know anyone who is eager to expose their private vehicle to the open Internet. Phones, laptops, GPS - wonderful, but not the brakes, please.

    I have not purchased a new vehicle recently, and of anyone who has, I ask, did you have a choice of connected or not? Is this all supply-side?

    1. Anonymous Coward
      Anonymous Coward

      Re: supply and demand

      There's a concern of a cornered market. If ALL the manufacturers are connecting their cars and you can't buy used, then it's either buy a connected car or go without (since trying to disconnect the car may kill the car; you never know).

      1. Doctor Syntax Silver badge

        Re: supply and demand

        "There's a concern of a cornered market."

        I don;t know about the US but in Europe there's a good deal of regulatory stuff that new vehicle designs need to pass. Regulations about the isolation of safety-critical systems need to be added to this. That would avoid problems with future designs but getting it made retrospective might be difficult. With such regulation in place there'd be no issues about cornered markets; non-compliant vehicles wouldn't get into the market and manufacturers would have to start paying attention to introducing security at the design stage.

        1. Charles 9

          Re: supply and demand

          But Big Auto has Congress's ear. Trying making them enact more regulations usually takes an overwhelming consumer pushback.

        2. Tom 13

          Re: I don;t know about the US

          It's a crazy quilt of regs over here. Feds regulate MPG through taxation and the NTSB does crash testing which I believe is mandatory. But it isn't necessarily illegal to produce an unsafe car. You just have to be able to survive the class action lawsuit which will inevitably follow. OTOH the NTSB can issue recall orders if as a result of complaints they determine the vehicle is unsafe.

          Most regulation happens at the local level with Kalifornia having the most weight because of their high population. But the thoroughness of inspections is spotty. For example, I grew up in Pennsylvania. While growing up vehicles had to be inspected by licensed servicing stations every 6 months. They checked a variety of the standard stuff including body integrity (lack of rust), brakes, and tire wear. Somewhere along the way they switched to once a year (nominally cheaper, but all the inspection stations jacked their prices to make up for the lost business). I now reside in The People's Republic of Maryland. Despite state mandated emissions inspections every two years at state run stations, there are no corresponding laws about vehicle inspections. If you buy a used car, or transfer in from another state you have to have an inspection at the time you register the vehicle. After that, nothing.

      2. Frank N. Stein

        Re: supply and demand

        Doesn't the consumer (buyer of the car) have to sign up for connected car services in order to have them? Surely, those connected car services are not free. Onstar definitely isn't free. There are subscription fees for that. Surely, there are subscription fees for other connected car services. You don't sign up, you're not getting service, and the car isn't connected to anything without that subscription, right?

  6. goldcd

    Problem is simply

    that people that makes cars have no idea about IT.

    (and won't swallow their pride to ask for help).

    We can all argue over how this came about - but finest example is built in GPS.

    I remember when cars started coming "with a screen" and it was all very exciting. And.. well then I realized that we were being offered the chance to pay thousands for something demonstrably worse that what you could pick up for a hundred or so and stick to your wind-shield.

    What *I* as the consumer want is a decent interface between my car and my phone (and this certainly doesn't mean I want an iOS or Android compatible car).

    I want my car to run itself, brake when it sees I'm about to drive into somebody and all the rest - and simply the ability to overlay my phone on that screen (wot I paid for). My phone wants power, GPS (if I've got a window with elements in it) and that's about it. My phone does not need to connect to the inner workings of my car. Maybe my phone could utilize a read-only output from my car - but there's absolutely no reason my phone needs to be able to 'control' my car.

    1. Mark 85

      Re: Problem is simply

      that people that makes cars have no idea about IT.

      Or about making cars. Remember when Lee I. took over Chrysler the second time.. he fired a whole lot of beancounters and asked for people who wanted to make cars. When he left, the company hired beancounters again... and the downward spiral began.

  7. Anonymous Coward
    Anonymous Coward

    Grounds for a gross negligence charge?

    So Chrysler deemed the patch to be just an optional nicety whereas the National Highway Traffic Safety Administration (once actually told about it, apparently not by Chrysler) issued an urgent mass recall for it. That seems far beyond a trifling innocuous difference of opinion and either a knowing cover-up or incompetence beyond the point of negligence (at least one responsible adult is required per registered company...)

    1. Charles 9

      Re: Grounds for a gross negligence charge?

      Was Toyota slapped with gross negligence for its Prius issues? If not, don't expect Chrysler to get charged here. And like I said before, it's hard to pin executives of a company for company troubles; AFAIK, executives only get nailed on personal matters.

  8. x 7

    so how do you find the IP address of a specific car? You can't exactly run IPCONFIG on it....

    1. Anonymous Coward
      Anonymous Coward

      I think network sniffers come into play here. And you can't encrypt an IP address since that'd be like writing the address INSIDE the envelope.

      1. Adam 1

        Maybe not, but assuming the very long bow that such connectivity of the core systems of your car is needed, why were they not NAT'd inside some walled garden?

    2. Bob Dole (tm)
      Holmes

      >>so how do you find the IP address of a specific car?

      You run a port scanner across the sprint network looking for these car signatures. From this you have each one tell you it's GPS coordinates.

      If you know where the car that you actually want to control is, then you look for a match based on those coordinates. Once you have your match, enjoy your new Chrysler Mobile Drone(tm).

      Honestly they should be spinning this as a feature. Call it the iChauffeur. All they need to do is set up so that when you enter the vehicle you just say where you want to go then someone in a call center starts the car and drives it remotely. Maybe a combination of Siri with an Indian call center...

      (I'll be back in a minute - need to file a patent).

    3. Anonymous Coward
      Anonymous Coward

      so how do you find the IP address of a specific car? You can't exactly run IPCONFIG on it....

      There are people who do mass IP sweeps on the Internet. I suspect this is just a new category for the nmap "-O" option..

    4. Andrew Barratt

      I'm guessing very soon there will be automated portscans running looking for the affected port and device signature. Similar to the way the same sorts of scans are running looking for Industrial Control Systems.

  9. A. Coatsworth Silver badge
    Coat

    "unfortunately, the update has to be manually installed via a USB stick plugged into the car"

    Why is this unfortunate? that's the way updates to a car SW should be done! Only by physical access, that keeps things safer.

    I guess you could give the car some kind of wireless communication, so it can download the update automatically from the internet, but that connection might become a source for malicious attacks...

    wait, WHAT?

    1. Charles 9

      So then how do you get someone completely computer-illiterate and isolated to update their car when a critical issue comes up? They can't do it themselves and are out of the loop so wouldn't know to go to the dealer.

      BTW, that USB port can be a security issue in itself. Even with some kind of signature check, what happens when their private key gets compromised?

      1. Steven Raith

        Ehhh....

        I'm assuming the firmware update requires A Magical Dance Of Keys and Buttons to access firmware update mode (if not, shoot them) and if the private keys were compromised, you still need physical access to the vehicle (And it's keys, or keyfob if keyless) to update it.

        So that's less of an issue than you might think. Im quite sure you don't just turn the car on with the USB drive plugged in, that would be stupendously dense.

        Note - I don't know what the procedure is, and I genuinely don't care, to be blunt, as I specifically avoid cars that have nannying controls for everything. And penis extensions like Jeeps.

        1. Richard 12 Silver badge

          It almost certainly is "Just plug it in and reboot"

          Most of the BSPs provided by the manufacturers of the system-on-chips used in these things has that feature (though it is easily disabled), and it's a handy feature during development.

          They may have a button dance to do the reboot, one hopes a "special" one, but that's not security - and it's also public knowledge as soon as the recall starts.

          I hope the firmware image is signed, but I doubt it.

        2. John Brown (no body) Silver badge
          Mushroom

          "Im quite sure you don't just turn the car on with the USB drive plugged in, that would be stupendously dense."

          I'd give you good odds that that is EXACTLY how it will work :-)

      2. Not That Andrew

        > So then how do you get someone completely computer-illiterate and isolated to update their car..

        I'm pretty sure that's why the NHTSA made it a general recall.

      3. Robert Heffernan

        You know what they say about assumption

        @Charles 9

        If they couldn't get basic network security to work I wouldn't assume they have an idea about public/private key security on a USB stick.

    2. Bob Dole (tm)
      Facepalm

      What I find funny is that the researchers can apparently rewrite the cars software remotely. If they can do this, then why can't Chrysler do an over the air update?

      1. Charles 9

        "If they can do this, then why can't Chrysler do an over the air update?"

        Because the OTA channel is not secure. There's a risk of an OTA update getting hijacked.

    3. JeffyPoooh
      Pint

      Brakes are on the 'net, but not SW updates...

      A strange set of decisions...

      This is what's coming with self driving cars. More fiascoes like this. El Reg will need a new section...

  10. Peter Prof Fox

    Dangerous incompetence

    This is about as bad as not tightening wheel nuts before the cars leave the factory. An organisation fails putting millions at risk. But who is in a position to force manufacturers to properly assess and mitigate the risk. If hackers are ignored (or made criminals) then they're better of turning to the dark side.

    1. Charles 9

      Re: Dangerous incompetence

      The only people in a real position to force a change are the buyers (government can be bought off). But barring a total disaster, most of them are too clueless to care.

  11. Dr Trevor Marshall

    No wonder we are running out of IPv4 addresses

    Each car has a unique IP? Who decided that Chrysler should be issued millions of IPv4?

    1. Anonymous Coward
      Anonymous Coward

      Re: No wonder we are running out of IPv4 addresses

      I don't think it quite works that way. I suspect it's using either a private space or a NAT'ed network. Either way, part of the trick is getting inside that network. Then all the Chryslers nearby are your oysters.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon