back to article Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Fiat Chrysler's bad week just got even worse: the US National Highway Traffic Safety Administration has recalled 1.4 million of the manufacturer's cars after a dangerous software flaw was revealed just days ago. Renowned hackers Charlie Miller and Chris Valasek warned on Tuesday of a ridiculous vuln in the computer systems …

  1. mr.K

    Muppets

    See title.

    1. BillG
      Megaphone

      Re: Muppets

      Chrysler is treating this like it's a public relations problem. To make them take this seriously, the top level executives of Chrysler should be held criminally liable for any damage. So if someone hacks a Jeep and kills the occupants, charge Chrysler's CEO with manslaughter.

      Watch how seriously Chrysler takes security then!

      1. Charles 9

        Re: Muppets

        No, watch how seriously Chrysler dodges the issue. Remember, executives have the ability to pin spacegoats. They can also lobby Congress and employ their international connections to dodge the charge. The only way Chrysler will pay attention is if there is a public backlash so great that people simply stop buying anything from the conglomerate. For example, if police cancel squad car contracts from Chrysler and switch to GM or Ford cars instead, then that means big money going away.

        1. Rabbit80

          Re: Muppets

          Spacegoats? I haven't fired up goat simulator in a while, is that something new?

          1. VinceH
            Happy

            Re: Muppets

            "Spacegoats? I haven't fired up goat simulator in a while, is that something new?"

            That would have to be something by Jeff "Mutant Camels" Minter, wouldn't it?

            1. Charles 9

              Re: Muppets

              Nice thought. All this over a typo...

              PS. I personally preferred Laser Zone to AMC.

        2. Anonymous Coward
          Anonymous Coward

          Re: Muppets

          For example, if police cancel squad car contracts from Chrysler and switch to GM or Ford cars instead, then that means big money going away.

          .. if, of course, we assume those brands do NOT have these problems.. There is one make which takes this seriously, and has for years, but I am not allowed to mention it - I hope at some point they will actually publicise just how much effort they put in because it's worth knowing.

          1. Richard Ball

            Re: Muppets

            Get car;

            Cut off all antennas and short the connections;

            Start engine;

            Drive.

            Fixed.

            1. Esskay

              Re: Muppets

              Alternatively:

              1. Don't buy a Chrysler

              2. Fixed*.

              fortunately most people have already taken this approach.

              *assumes no other manufacturers think the internet is just a series of tubes

          2. Alan Brown Silver badge

            Re: Muppets

            @AC Presumably you're not allowed to mention it because you work for them, but you should be agitating for them to publically say how much work they put in, etc.

            Doing so will not only make it clear about the scale of Fiat-Chrysler's criminal negligence, but will also serve to expose the other makers who've been similarly negligent.

            I'm not pulling punches. This level of security FAIL should result in jailtime for the management who decided that spending money on better security was too expensive - it's at least as bad as the Ford Pinto debacle and I'm surprised that the NHTSA hasn't gone as far as ordering all affected cars off the road or forcing F-C to field-upgrade every single vehicle at a time and location which suits the customers, given recalls to stealerships only result in a little over half of affected vehicles being fixed within 6 months.

            Mailing out a USB key is spectacularly misguided, as other posters have already pointed out.

            1. Frank N. Stein

              Re: Muppets

              GM had a problem with the ignition switch on one car that actually caused deaths, but their CEO wasn't jailed for it, even though it was proven that GM knew about the problem and covered up fixing it to avoid the financial expenditure. No one was arrested for it. They paid a fine and scapegoats were fired, but that was it. Similar situation with Toyota/Lexus with the "sticking accelerator problem" that killed a couple of people in a Lexus when their accelerator jammed and the car wouldn't stop via brakes, but that was covered up as a problem with floor mats allegedly causing the accelerator to jam. As I recall, the CEO wasn't arrested over that and underlings lost jobs, and there was some sort of a fine, but that was it. F/C CEO isn't going to jail over this. Some underling or two will get fired. They'll pay a fine, and it will get swept under the rug, shortly thereafter. Considering that most manufacturer's have some sort of connected system in their new cars these days(On Star, My Touch, etc.), perhaps they all should examine their systems for vulnerabilities, but of course, they won't, because there are costs associated with it that they want to avoid.

              1. Tom 13

                Re: GM had a problem with the ignition

                Was that about the time the US government was getting all over Toyota about an alleged accelerator problem?

                I recall it smelled of a smoke and mirrors distraction at the time.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: GM had a problem with the ignition

                  "US government was getting all over Toyota about an alleged accelerator problem?"

                  No longer alleged. Been to court, end result $1Bn+ penalty payable by Toyota.

                  http://www.eetimes.com/document.asp?doc_id=1319903 "The single bit flip that killed" 25 Oct 2013

                  "Could bad code kill a person? It could, and it apparently did.

                  The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.

                  This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.

                  [continues]"

                  More detail from Prof Phil Koopman at CMU, an expert witness at the trial:

                  http://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf

                  Toyota agree to pay £1Bn+ to end criminal inquiry

                  http://www.nytimes.com/2014/03/20/business/toyota-reaches-1-2-billion-settlement-in-criminal-inquiry.html

                  Plenty more if you go look for it. But not particularly widely publicised yet. Spread the word.

        3. The little voice inside my head

          Re: Muppets

          Dodge Charge(r), that would be a Challenge(r).

    2. JeffyPoooh
      Pint

      Dumb as tree stumps

      It doesn't matter how difficult the hacking is.

      Once discovered by someone and released, others can 'weaponize' it, and then *anyone* can be a script kiddie. Anyone.

      This same illogical 'difficulty makes it difficult' argument is dragged out time and again.

  2. DryBones

    I smell...

    A new Pwn2Own category!

    1. getHandle

      Re: I smell...

      I smell a new angle for The Fast And The Furious 9!

  3. Efros

    Jeep Grand Cherokee

    Had one of these a number of years ago, it never worked reliably enough in normal use to make it a reasonable hacking target. Pretty sure it was a Monday morning/Friday afternoon job.

  4. VeganVegan
    FAIL

    Pathetic

    Part of their response was that it takes time, effort, & skill to find a way to break in.

    Well, duh! Isn't it true for most hacks?

    And have they heard of script kiddies, who might have little skills of their own, but use someone else's tools?

    It might take 3letter agencies' resources to break my cipher, but once the key is published, even my grandma can be taught to access my secret files. (Sorry Grans, your special Christmas cheese casserole is really that bad).

    1. dotdavid

      Re: Pathetic

      "The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts"

      "The ability to develop the secret of gunpowder is not easy. It took researchers hundreds of years to tap into and control accurate and reliable firearms. They are experts"

  5. iLuddite

    supply and demand

    If markets generally operate on the principle of supply and demand, who is demanding connected private vehicles? Several people I have talked to are apprehensive of the idea, and I do not personally know anyone who is eager to expose their private vehicle to the open Internet. Phones, laptops, GPS - wonderful, but not the brakes, please.

    I have not purchased a new vehicle recently, and of anyone who has, I ask, did you have a choice of connected or not? Is this all supply-side?

    1. Anonymous Coward
      Anonymous Coward

      Re: supply and demand

      There's a concern of a cornered market. If ALL the manufacturers are connecting their cars and you can't buy used, then it's either buy a connected car or go without (since trying to disconnect the car may kill the car; you never know).

      1. Doctor Syntax Silver badge

        Re: supply and demand

        "There's a concern of a cornered market."

        I don;t know about the US but in Europe there's a good deal of regulatory stuff that new vehicle designs need to pass. Regulations about the isolation of safety-critical systems need to be added to this. That would avoid problems with future designs but getting it made retrospective might be difficult. With such regulation in place there'd be no issues about cornered markets; non-compliant vehicles wouldn't get into the market and manufacturers would have to start paying attention to introducing security at the design stage.

        1. Charles 9

          Re: supply and demand

          But Big Auto has Congress's ear. Trying making them enact more regulations usually takes an overwhelming consumer pushback.

        2. Tom 13

          Re: I don;t know about the US

          It's a crazy quilt of regs over here. Feds regulate MPG through taxation and the NTSB does crash testing which I believe is mandatory. But it isn't necessarily illegal to produce an unsafe car. You just have to be able to survive the class action lawsuit which will inevitably follow. OTOH the NTSB can issue recall orders if as a result of complaints they determine the vehicle is unsafe.

          Most regulation happens at the local level with Kalifornia having the most weight because of their high population. But the thoroughness of inspections is spotty. For example, I grew up in Pennsylvania. While growing up vehicles had to be inspected by licensed servicing stations every 6 months. They checked a variety of the standard stuff including body integrity (lack of rust), brakes, and tire wear. Somewhere along the way they switched to once a year (nominally cheaper, but all the inspection stations jacked their prices to make up for the lost business). I now reside in The People's Republic of Maryland. Despite state mandated emissions inspections every two years at state run stations, there are no corresponding laws about vehicle inspections. If you buy a used car, or transfer in from another state you have to have an inspection at the time you register the vehicle. After that, nothing.

      2. Frank N. Stein

        Re: supply and demand

        Doesn't the consumer (buyer of the car) have to sign up for connected car services in order to have them? Surely, those connected car services are not free. Onstar definitely isn't free. There are subscription fees for that. Surely, there are subscription fees for other connected car services. You don't sign up, you're not getting service, and the car isn't connected to anything without that subscription, right?

  6. goldcd

    Problem is simply

    that people that makes cars have no idea about IT.

    (and won't swallow their pride to ask for help).

    We can all argue over how this came about - but finest example is built in GPS.

    I remember when cars started coming "with a screen" and it was all very exciting. And.. well then I realized that we were being offered the chance to pay thousands for something demonstrably worse that what you could pick up for a hundred or so and stick to your wind-shield.

    What *I* as the consumer want is a decent interface between my car and my phone (and this certainly doesn't mean I want an iOS or Android compatible car).

    I want my car to run itself, brake when it sees I'm about to drive into somebody and all the rest - and simply the ability to overlay my phone on that screen (wot I paid for). My phone wants power, GPS (if I've got a window with elements in it) and that's about it. My phone does not need to connect to the inner workings of my car. Maybe my phone could utilize a read-only output from my car - but there's absolutely no reason my phone needs to be able to 'control' my car.

    1. Mark 85

      Re: Problem is simply

      that people that makes cars have no idea about IT.

      Or about making cars. Remember when Lee I. took over Chrysler the second time.. he fired a whole lot of beancounters and asked for people who wanted to make cars. When he left, the company hired beancounters again... and the downward spiral began.

  7. Anonymous Coward
    Anonymous Coward

    Grounds for a gross negligence charge?

    So Chrysler deemed the patch to be just an optional nicety whereas the National Highway Traffic Safety Administration (once actually told about it, apparently not by Chrysler) issued an urgent mass recall for it. That seems far beyond a trifling innocuous difference of opinion and either a knowing cover-up or incompetence beyond the point of negligence (at least one responsible adult is required per registered company...)

    1. Charles 9

      Re: Grounds for a gross negligence charge?

      Was Toyota slapped with gross negligence for its Prius issues? If not, don't expect Chrysler to get charged here. And like I said before, it's hard to pin executives of a company for company troubles; AFAIK, executives only get nailed on personal matters.

  8. x 7

    so how do you find the IP address of a specific car? You can't exactly run IPCONFIG on it....

    1. Anonymous Coward
      Anonymous Coward

      I think network sniffers come into play here. And you can't encrypt an IP address since that'd be like writing the address INSIDE the envelope.

      1. Adam 1

        Maybe not, but assuming the very long bow that such connectivity of the core systems of your car is needed, why were they not NAT'd inside some walled garden?

    2. Bob Dole (tm)
      Holmes

      >>so how do you find the IP address of a specific car?

      You run a port scanner across the sprint network looking for these car signatures. From this you have each one tell you it's GPS coordinates.

      If you know where the car that you actually want to control is, then you look for a match based on those coordinates. Once you have your match, enjoy your new Chrysler Mobile Drone(tm).

      Honestly they should be spinning this as a feature. Call it the iChauffeur. All they need to do is set up so that when you enter the vehicle you just say where you want to go then someone in a call center starts the car and drives it remotely. Maybe a combination of Siri with an Indian call center...

      (I'll be back in a minute - need to file a patent).

    3. Anonymous Coward
      Anonymous Coward

      so how do you find the IP address of a specific car? You can't exactly run IPCONFIG on it....

      There are people who do mass IP sweeps on the Internet. I suspect this is just a new category for the nmap "-O" option..

    4. Andrew Barratt

      I'm guessing very soon there will be automated portscans running looking for the affected port and device signature. Similar to the way the same sorts of scans are running looking for Industrial Control Systems.

  9. A. Coatsworth Silver badge
    Coat

    "unfortunately, the update has to be manually installed via a USB stick plugged into the car"

    Why is this unfortunate? that's the way updates to a car SW should be done! Only by physical access, that keeps things safer.

    I guess you could give the car some kind of wireless communication, so it can download the update automatically from the internet, but that connection might become a source for malicious attacks...

    wait, WHAT?

    1. Charles 9

      So then how do you get someone completely computer-illiterate and isolated to update their car when a critical issue comes up? They can't do it themselves and are out of the loop so wouldn't know to go to the dealer.

      BTW, that USB port can be a security issue in itself. Even with some kind of signature check, what happens when their private key gets compromised?

      1. Steven Raith

        Ehhh....

        I'm assuming the firmware update requires A Magical Dance Of Keys and Buttons to access firmware update mode (if not, shoot them) and if the private keys were compromised, you still need physical access to the vehicle (And it's keys, or keyfob if keyless) to update it.

        So that's less of an issue than you might think. Im quite sure you don't just turn the car on with the USB drive plugged in, that would be stupendously dense.

        Note - I don't know what the procedure is, and I genuinely don't care, to be blunt, as I specifically avoid cars that have nannying controls for everything. And penis extensions like Jeeps.

        1. Richard 12 Silver badge

          It almost certainly is "Just plug it in and reboot"

          Most of the BSPs provided by the manufacturers of the system-on-chips used in these things has that feature (though it is easily disabled), and it's a handy feature during development.

          They may have a button dance to do the reboot, one hopes a "special" one, but that's not security - and it's also public knowledge as soon as the recall starts.

          I hope the firmware image is signed, but I doubt it.

        2. John Brown (no body) Silver badge
          Mushroom

          "Im quite sure you don't just turn the car on with the USB drive plugged in, that would be stupendously dense."

          I'd give you good odds that that is EXACTLY how it will work :-)

      2. Not That Andrew

        > So then how do you get someone completely computer-illiterate and isolated to update their car..

        I'm pretty sure that's why the NHTSA made it a general recall.

      3. Robert Heffernan

        You know what they say about assumption

        @Charles 9

        If they couldn't get basic network security to work I wouldn't assume they have an idea about public/private key security on a USB stick.

    2. Bob Dole (tm)
      Facepalm

      What I find funny is that the researchers can apparently rewrite the cars software remotely. If they can do this, then why can't Chrysler do an over the air update?

      1. Charles 9

        "If they can do this, then why can't Chrysler do an over the air update?"

        Because the OTA channel is not secure. There's a risk of an OTA update getting hijacked.

    3. JeffyPoooh
      Pint

      Brakes are on the 'net, but not SW updates...

      A strange set of decisions...

      This is what's coming with self driving cars. More fiascoes like this. El Reg will need a new section...

  10. Peter Prof Fox

    Dangerous incompetence

    This is about as bad as not tightening wheel nuts before the cars leave the factory. An organisation fails putting millions at risk. But who is in a position to force manufacturers to properly assess and mitigate the risk. If hackers are ignored (or made criminals) then they're better of turning to the dark side.

    1. Charles 9

      Re: Dangerous incompetence

      The only people in a real position to force a change are the buyers (government can be bought off). But barring a total disaster, most of them are too clueless to care.

  11. Dr Trevor Marshall

    No wonder we are running out of IPv4 addresses

    Each car has a unique IP? Who decided that Chrysler should be issued millions of IPv4?

    1. Anonymous Coward
      Anonymous Coward

      Re: No wonder we are running out of IPv4 addresses

      I don't think it quite works that way. I suspect it's using either a private space or a NAT'ed network. Either way, part of the trick is getting inside that network. Then all the Chryslers nearby are your oysters.

      1. Anonymous Coward
        FAIL

        Re: No wonder we are running out of IPv4 addresses

        Why only nearby? I would think that you could send the same 'turn left hard and then brake' command to every single one of them.

      2. scote

        Re: No wonder we are running out of IPv4 addresses

        It probably is NAT'd the security researchers said that you need to be on the same wireless network

      3. Andrew Barratt

        Re: No wonder we are running out of IPv4 addresses

        From the write ups it appears that this is a public IP similar to the way ISPs used to allocate one during a dial up session.

    2. Daniel B.
      Boffin

      Re: No wonder we are running out of IPv4 addresses

      Every single device connected to the net should have its own publicly routeable IP address. NAT was a hackjob implemented to alleviate the IPv4 address shortage ... but instead, network engineers saw that as "extra security" and took that at face value.

      Of course, NAT "security" is bollocks, and this hack proves it if the devices are connected to a NATted network. The faster we migrate to NATless IPv6, the faster we get all the security theater mentality away from IP addresses.

  12. Alan Denman

    chrysler said..

    Only hackers can do this.

    Comforting to know

    1. Ole Juul

      Re: chrysler said..

      "Only hackers can do this."

      That's Chrysler's way of saying that only people who know how to do this can do this.

      1. JeffyPoooh
        Pint

        Re: chrysler said..

        Only experts can help write the script.

        Any child can download it and click on it. "Script kiddies"

        It's a monumental error to assume otherwise.

  13. Adam 1

    Iot must die

    The sooner that we stop stumbling around the opportunities and take the threats with the same level of consideration, the safer we will be.

    It just struck me about a discussion I have been having with someone who was complaining about their browser of choice's decision to block a certificate signed with an old broken algorithm. The inconvenience is real, but so is the threat. I was struck because I know they get the same emails as me and that they were again flooded with iot development technology's marketing. A lot of energy went into pushing people into such devices, but there is really nothing on security.

    You wouldn't feel safe with a windows vista machine with no patches applied, yet we are building impossible to update firmware into all sorts of gadgets with life expectancies above and beyond. It is a weird world sometimes.

  14. zen1

    this isn't unfortunate

    it's goddamn stupid, irresponsible and down right amateurish, especially by a division of one of the worlds largest automakers. Those assholes should be charged with criminal negligence. Once again, el reg, this article just screams "I need a douche bag icon!!!"

  15. Aslan

    Hooray for publishing security flaws

    Hooray for publishing security flaws making us all safer.

    1. sabroni Silver badge

      Re: Hooray for publishing security flaws

      Yeah, i'd be so much safer if i didn't know about this. They can't hack my car if i don't know there's a flaw!!

    2. Six_Degrees

      Re: Hooray for publishing security flaws

      Please lay out the design of your attack, being sure to point out which portions of it were made possible by this article.

  16. Chris Tierney

    USB sticks in the post

    Hello Chrysler owner,

    I noticed your shiny car in the drive and thought I'd send you a usb stick with the fix.

    Please ignore the other USB stick as we sent you this in error.

    Yours Truly

    A.T.Hief

    1. Graham Lockley

      Re: USB sticks in the post

      Doesn't work unless you sign it PRESIDENT JONATHAN GOODLUCK and offer 20MILIION US DOLLARS

      Just saying....

      :)

    2. Wensleydale Cheese
      Unhappy

      Re: USB sticks in the post

      "Please ignore the other USB stick as we sent you this in error."

      I expect the spooks have thought of that already

  17. Dave Stevens

    CPU?

    So what's in a Dodge? PowerPC?

    1. Anonymous Coward
      Anonymous Coward

      Re: CPU?

      Mine's an 8080 mod 1 (1Mhz)

      1. Anonymous Coward
        Anonymous Coward

        Re: CPU?

        Mine's an 8080 mod 1 (1Mhz)

        Time to find out where my last PSION Organiser II is - I think I may still have the engineering drawings somewhere as well :)

  18. John Crisp

    Damn. That's where all the IPv4 blocks have gone.

    So with so many cars needing an IP we better hurry on to IPv6.

    Now what was it you said about walled gardens and NAT..... ?

    1. Richard 12 Silver badge

      If you're inside the garden...

      Say, for example, have the same cellular data provider.

      One suspects that's how it works.

  19. Small Furry Animal
    Stop

    What me care?

    I have two cars.One's a Rover P5B and the other's a Lotus Europa S1. Neither has or needs any kind of 'hi-tech' controls.

    Just because a thing can be done doesn't mean it should.

  20. Kev99 Silver badge

    Who was the idiot that decided it would be cute to use the internet in a car? If any one gets pinged by this, I hope they take Chrysler and especially the idiot who had this great idea, for all they got.

    1. OldDude

      Actually GM is making a huge deal about how they provide internet access in their cars.

      They've had IPV4 addresses assigned to their vehicles for more than a decade. How do you think OnStar works?

      The weak link in FCA's setup is linked to the Sprint cellular service that was tied in.

    2. Six_Degrees

      It's not a bad idea on its face, and it's an idea driven by consumer demands.

      The idiocy entered the picture when critical car systems like steering, brakes, and engine control were merged onto the network with that connection. These systems have typically, in the past, been completely air-gapped from other car networks and systems, for the very reason that...they're critical.

      Apparently, some moron in Italy decided that saving three cents worth of CAN cable was far more important that system integrity.

  21. Bruce Ordway

    Quality of programmers

    I watched a video many years ago where a Darpa speaker questioned the potential dangers with ABS due to the quality of the programmers involved.

    If I remember, his point was that the best graduates don't end up working for auto makers. In his mind, probably C or B level at best.

    I didn't put too much stock in it at the time but now...

    1. Richard Taylor 2

      Re: Quality of programmers

      Except this is probably not a programming error - it is a systems error - something an enterprise architect (or what an EA should be) team would be responsible for.

  22. Anonymous Coward
    Anonymous Coward

    All entities should be held accountable

    Those who were negligent in writing the defective code or designing an insecure component should be heavily fined and suspended from their job without pay for six months. Those who hacked the cars should go to prison for a minimum of 10 years and be fined treble damages plus all cost of prosecution and incarceration.

    1. Old Used Programmer

      Re: All entities should be held accountable

      Read the article...the hackers *own* the car they worked the hack out on. So...tell me what laws they broke.

      1. Anonymous Coward
        Anonymous Coward

        Re: tell me what laws they broke.

        "the hackers *own* the car they worked the hack out on. So...tell me what laws they broke."

        Can I start with the DMCA "reverse engineering" provisions/prohibitions?

        Or is this permissible somehow?

        1. Anonymous Coward
          Anonymous Coward

          Re: tell me what laws they broke.

          It is if the channels are not actively protected. The DMCA still allows for clean-room reverse engineering (the "Compaq technique") but you can't break active protections (such as DRM) in so doing.

    2. Anonymous Coward
      Anonymous Coward

      Re: All entities should be held accountable

      Those who hacked the cars should go to prison for a minimum of 10 years and be fined treble damages plus all cost of prosecution and incarceration.

      You are so very wrong. For every honest team of researchers who publish in order to get the hole closed, you can bet there's a bunch of other teams doing the same things but keeping quiet about it and adding to their capabilities. Military, espionage, lulz, blackmail, whatever.

      This flaw -as someone a couple of comments down pointed out- be used as a WMD if you could hit every car of the same model at the same time: Steering 3 degrees left; accelerate hard; disable brakes. That'd probably tie up emergency services country-wide for at least a few hours. Ideal if you're planning a military invasion and want to keep the enemy busy and distracted. Or arsehats like ISIS would do it for the atrocity value alone...way more effective than a suicide bomber.

    3. John Brown (no body) Silver badge
      FAIL

      Re: All entities should be held accountable

      "Those who hacked the cars should go to prison for a minimum of 10 years"

      ...and if they hadn't found and published, how long before we find the hack in Hacking Teams 400GB data "loss" and that they were already selling it? Or some other company similar to Hacking Team? Or any of the worlds "state actors"?

  23. Richard Taylor 2

    "The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts," said Chrysler in a blog post.

    And there aren't other experts out there? It did/does present an opportunity for a real WMD attack across the US.

    1. Six_Degrees

      True. Also, simply knowing such control is, in fact, possible is a serious advantage over where the original researchers started.

  24. Anonymous Coward
    Anonymous Coward

    Reset leaves no evidence - hello dubious claims..

    If I understood that video correctly, the cars seem to run an embedded version of Windows given that the driver had to turn it off and then on again to reset :).

    Now this is public, I suspect many tailgating accidents of these cars will end up filed as "my brakes were hacked, they suddenly didn't work"..

    1. Anonymous Coward
      Anonymous Coward

      Re: Reset leaves no evidence - hello dubious claims..

      If it is an embedded version of Vista, you know you are going to die.

  25. Andrew Barratt

    Will be interesting to see how many people get popped by a rogue - Jeep branded USB going through their door.

  26. TWB

    Why is the onboard computer able to control the brakes and steering?

    Forget the computer security issues here - when I drive a car, I control it. I don't mind the computer knowing what I'm doing with the car but the controls systems for the brakes, engine and steering should NOT be controllable from it. The engine, ABS and stability controls systems should be separate. This is completely possible - if I monitor the output of something it does not mean I can control it.

    Poor cheap design I say.

    1. b166er

      Re: Why is the onboard computer able to control the brakes and steering?

      Presumably so a future firmware update will enable the vehicle to auto-pilot.

      1. Zog_but_not_the_first
        Big Brother

        Re: Why is the onboard computer able to control the brakes and steering?

        Prole control.

    2. Phil O'Sophical Silver badge

      Re: Why is the onboard computer able to control the brakes and steering?

      Lots of new cars have "Park Assist", you stop beside a space, put the car in reverse, and press a button. In theory it parks in the space, which requires steering and brake control. Since the hackers noted that they could only control the car when it was in reverse I guess this is the system they used.

      I test drove a few new cars with park assist recently. It's impressive in a way, but unnerving, and at least once I had to hit the brake myself to stop the car clipping the one beside it, so the technology is far from perfect anyway.

    3. Six_Degrees

      Re: Why is the onboard computer able to control the brakes and steering?

      It has been several decades since you directly controlled any system in your car. The move toward "drive by wire" systems has been steady and inexorable.

      Critical systems like brakes, engine control, and steering have, however, ALWAYS been air-gapped from other vehicle networks. The problem here isn't indirect control - it's the ACCESS to that control that Fiat's inexplicable decision to eliminate this air gap provides.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why is the onboard computer able to control the brakes and steering?

        It has been several decades since you directly controlled any system in your car.

        Brakes and steering are still directly controlled in all but a very few cars. They usually have some degree of assistance, but they are not 'drive by wire'.

    4. Tom 13

      Re: Why is the onboard computer able to control the brakes and steering?

      I suspect on most modern cars the computer always controls the braking even when you're depressing the brake pedal. That's certainly part of how ABS solutions work, and you need it if you're implementing some sort of automatic anti-tailgating or blind spot braking mechanisms that's how you'd implement that as well.

      As other posters pointed out, the real problem is that that control subsystem was connected to the public internet.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why is the onboard computer able to control the brakes and steering?

        I suspect on most modern cars the computer always controls the braking even when you're depressing the brake pedal. That's certainly part of how ABS solutions work,

        Don't 'suspect', look it up. Brakes work even with the battery disconnected, the pressure in the pipes comes directly from your foot on the pedal.

        Of course there's some electric or vacuum assistance which can be activated by the computer to add effort when required, and ABS can vary that pressure by opening valves in the circuit to pulse the activity, but the fundamental braking effort is still direct. Same applies to steering.

  27. Anonymous Coward
    Anonymous Coward

    If they all have their own I.P. address would it not be easy just to confirm the address range bought?

    That's a scary thought.

  28. Fihart

    look and learn

    Before they start adding more pointless electronic complexity to their cars, Chrysler/GM/Ford should study German cars that are safe and durable, Japanese cars for reliability, Italians for style and performance.

    With few exceptions (Studebaker Avanti, 1964 Buick Riviera, 1964 Mustang, 1970 Plymouth Barracuda, Corvair) most post-war American cars have been hideous and as horrible mechanically as they look.

    Of course, US drivers expect to buy cars cheaper than almost anywhere in the world and they get what they pay for.

    1. sysconfig

      Re: look and learn

      "Before they start adding more pointless electronic complexity to their cars, Chrysler/GM/Ford should study German cars that are safe and durable, Japanese cars for reliability, Italians for style and performance."

      Recent German cars are equally packed with a lot of electronic complexity. I wouldn't be too surprised if my 2012 Audi A6 suffered vulnerabilities similar to Chrysler's, to be honest. Mechanical faults are much rarer than electronic failures in recent cars. It's far from perfect, and due to price pressure all major car manufacturers, including the Germans, offload more and more QA to the customer.

      In fact, features like Audi Connect scare the shit out of me. (It offers a pile of internet service integrations, such as Google Maps, Facebook and others, which may or may not make the car less secure; Most definitely it allows for more accurate tracking of the car, less privacy, and might eventually be used by forensics/insurances -- most definitely against you.)

      Internet connectivity of any car system paired with a single CANBUS that trusts all connected devices makes a lot of alarm bells ring simultaneously!

      1. Anonymous Coward
        Anonymous Coward

        Re: look and learn

        In fact, features like Audi Connect scare the shit out of me.

        You can relax. All Google ever gets is data requests from an Audi proxy which filters out ALL personal data (sorry, not allowed to tell you how I know this, but feel free to enquire with Audi yourself).

    2. Alan Brown Silver badge

      Re: look and learn

      "Before they start adding more pointless electronic complexity to their cars, Chrysler/GM/Ford should study"

      What, exactly? All the car companies are interconnected. They all buy from the same few suppliers of critical systems and they have ALL been involved in safety scandals and coverup exposes.

      The hint you should take from the title of the story is that it's Fiat-Chrysler, not Chrysler-Fiat. If it wasn't for Fiat the Chrysler name would have ceased to exist. (Being tied to Chrysler nearly took Daimler-Benz out of business. As it is the single largest contribution they made to Daimler during the alliance was teaching them how to make Mercedes which rust quickly and break down too much)

      Similarly, Renault's prime contribution to Nissan has been to introduce unreliable electrics and PSA's contribution to Toyota has been shonky designs along with engine computer software flaws.

  29. detritus
    Black Helicopters

    Michael Hastings

    So, might it be time to go back and check what vulnerabilities a ~2013 model Mercedes C250 Coupé could suffer?

    1. phil dude
      Black Helicopters

      Re: Michael Hastings

      @detritus: Thank you for reposting association, I did so on the other thread ,but not early enough to get near the top!

      It could just be a coincidence, but it does raise the question as with all other leaked 0-day expoits being hoarded, whether this hack was discovered independently?

      P.

  30. jake Silver badge

    I've been warning about this for years.

    My fleet (except the Peterbilt) are all restored 1970 or older vehicles.

    Internet connectivity has no place on public roads, for lots of reasons.

    1. Anonymous Coward
      Anonymous Coward

      Re: I've been warning about this for years.

      Not even for traffic alerts, which are best done well enough in advance so as to reroute around such things as accidents? And no, the radio doesn't work too well around here.

      1. jake Silver badge

        @"AC 16 hrs", WETMER (was: Re: I've been warning about this for years.)

        "Not even for traffic alerts"

        Nope. When driving, drive. It's kind of important.

        "which are best done well enough in advance so as to reroute around such things as accidents?"

        Are you actually implying that TehIntraWebTubes know about traffic issues before they happen? The mind absolutely boggles ...

        "And no, the radio doesn't work too well around here."

        So you're so far outside of major traffic that the radio doesn't work too well? Why, exactly, do you think you are qualified to comment on the subject?

        1. Alan Brown Silver badge

          Re: @"AC 16 hrs", WETMER (was: I've been warning about this for years.)

          "Are you actually implying that TehIntraWebTubes know about traffic issues before they happen? The mind absolutely boggles ..."

          Last week I got caught up in stopped traffic. Thanks to Waze I knew that the delay was less than 5 minutes, so waited.

          The number of drivers turning around to take alternate routes which are all longer than that (the minimum alternate route is 15 minutes longer) made it clear that not everybody was aware of it.

          That said: there is no good reason why safety critical systems should be connected to the entertainment/informatics system and from there onto the Internet.

        2. Anonymous Coward
          Anonymous Coward

          Re: @"AC 16 hrs", WETMER (was: I've been warning about this for years.)

          "Nope. When driving, drive. It's kind of important."

          Part of driving is avoiding trouble. Getting caught in the tieup aftermath of a bad accident may mean the difference between a good night's rest and insomnia...or even running out of gas. It's happened. You may surrender to the Hand of Fate, but I'm a firm believer in Will: in taking control of my destiny.

          "Are you actually implying that TehIntraWebTubes know about traffic issues before they happen?"

          No, but you can be made aware of snarls before they affect you. Like I said, if you get warning that a bad accident is 10 miles ahead of you, now would be a good time to seek a detour since the backup may be 9 1/2 miles long.

          "So you're so far outside of major traffic that the radio doesn't work too well? Why, exactly, do you think you are qualified to comment on the subject?"

          Because I drive a lot. IOW, this is coming firsthand. And the corridor I frequent happens to be quite rural AND doesn't support traffic radio frequencies. And BTW, this is true of MOST of the US Interstate Highway System. Only due to consumer demand do the cellcos keep cell towers along the route, but any other of information? As a former New Yorker, fahgettaboudit! Knowledge is power, and knowing the road is a key aspect of being a good driver. Being able to know things that are beyond your visual range helps a lot.

  31. returnmyjedi

    Jeepers!

    And I thought Microsoft's Blue&Me system that's in my Alfa was bad. It might not understand a word of English or manage a stable connection over anything except an aux cable but at least I'm the one driving (badly).

    1. Alan Brown Silver badge

      Re: Jeepers!

      "And I thought Microsoft's Blue&Me system that's in my Alfa was bad."

      Microsoft and Alfa - the most perfect partners one could ever dream up.

  32. Ken Moorhouse Silver badge

    manually installed via a USB stick plugged into the car.

    Whereabouts in the car? I hope it is a secure location. Can visualise stories of "Very odd, someone broke into my car, and didn't steal anything."

    How many baddies are trying to get their hands on the USB patch stick in order to reverse engineer it?

    1. Tom 13

      Re: manually installed via a USB stick plugged into the car.

      I think Steven Wright experienced that, except it was back in the 70s. He told the police someone stole his car an replaced it with an exact duplicate.

  33. Alan Brown Silver badge

    So... All a terrorist needs to do is open a few hundred thousand connection to random vehicles in the ip range and crash them. Wouldn't even need to be successful with most. Just "enough to do the job"

  34. Six_Degrees

    "With the car's control networks bafflingly left open by default, El Reg wonders why Chrysler even bothered putting them in in the first place."

    My guess: during development, dealing with the firewall - which will normally be fully enabled by default - was just too much of a pain in the ass for developers to deal with, so they completely disabled it rather than go through the somewhat more painstaking process of opening only those ports needed by their applications and those of other development teams. By the time deployment time rolled around, the system had grown in complexity to the point where the idea of shutting down ports was deemed too difficult and time-consuming, so everything was just left wide open.

    Somewhere in Italy, there's a list of "nice-to-have enhancements" that contains "analyze firewall settings" on it.

  35. Anonymous Coward
    Anonymous Coward

    You had better hope the update installs properly

    As we have seen with botched aircraft software updates that appeared to install properly, people can and do die with improper software updates for transportation vehicles.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon