Suggestion...
Everything always thru a VPN to a proxy back at FCA HQ.
edit. Unless, of course, they're slurping so much data that such a system would be impractical.
Fiat Chrysler recalls THOUSANDS more cars to swerve hack-my-brakes roadkill
Fiat Chrysler Automobiles has recalled nearly 8,000 SUVs, with the hope of halting hackers from mounting remote attacks on the vehicles. The manufacturer said it needed to apply software updates to 7,810 Jeep Renegades that were sold in the US market. It added that 2015 models of the SUV, which comes loaded with certain …
-
Sunday 6th September 2015 18:20 GMT Fraggle850
There ought to be a moratorium on connecting any wireless systems to the canbus
Unless/until appropriate and uncompromisable security protocols are in place.
I know it's unlikely to happen now that vehicle manufacturers are falling over themselves in the rush to sell 'connected' vehicles so I suspect we'll see more of this sort of thing.
-
Monday 7th September 2015 02:36 GMT Anonymous Coward
Re: There ought to be a moratorium on connecting any wireless systems to the canbus
When we all have self-drive cars we'll look back with a nostalgic tear in our eyes at the level of problems we are seeing now. It will seem like Atari boot sector viruses in a pre-Internet world all over again.
The cars will get a constant stream of software updates, map updates, traffic updates, messages between self-drive vehicles, messages from the road network, and doubtless a bunch of other stuff which hasn't even been thought of yet. Many of these will have more or less exploitable flaws, as will the cars' systems for processing them.
-
-
Sunday 6th September 2015 20:28 GMT regadpellagru
Unaware, geez ...
"The company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration."
Of course, smart ass, cos no-one will even investigate nor have the competences to do so, even if those design flaws kill thousands !
How many deaths caused by cars design flaws, in the entire world, have ever been reported ?
Actually, the article should point out those problems result from DESIGN flaws, which are a lot more serious than software flaws.
Entertainment network should really share no physical part with driving network.
My understanding is, again, the manufacturor is just hiding it out with smoke, not fixing the design flaw,
which would be really costly, but just updating the software.
Mad.
-
Monday 7th September 2015 13:40 GMT Alan Brown
Re: Unaware, geez ...
"Of course, smart ass, cos no-one will even investigate nor have the competences to do so, even if those design flaws kill thousands !"
There's been a lot of speculation that certain high-profile car crashes relating to individuals in the network security community were due to the systems being interfered with.
Investigators (of course) found no evidence of tampering, but if your mercedes C-class has been pwned like this, there won't be any after it's been wrapped around a telephone pole.
-
Monday 7th September 2015 15:58 GMT Anonymous Coward
Re: Unaware, geez ...
"There's been a lot of speculation that certain high-profile car crashes relating to individuals in the network security community were due to the systems being interfered with."
Oh hello, Conspiracy Corner is open for business. So long as the steering wheel is mechanically connected to the rack and the car can be taken out of gear and the handbrake works it would be rather difficult to crash a car remotely with a half competant driver on board.
-
Thursday 17th September 2015 18:50 GMT regadpellagru
Re: Unaware, geez ...
"Oh hello, Conspiracy Corner is open for business. So long as the steering wheel is mechanically connected to the rack and the car can be taken out of gear and the handbrake works it would be rather difficult to crash a car remotely with a half competant driver on board."
Hmmmm, no, really no. You seem to imply you'll have dozens of seconds to react in case of attack, but that is not the case. I can't comment on the aforementioned affairs on security people, but I'm sure those things, carefully used, can kill.
If someone can remotely control and suppress your brakes, only your brakes outside of handbrakes (and here, understand we now have vehicules with bus-driven handbrakes and steering wheel, opening tons of other possibilities) and he knows you're coming to the mountains road I live closeby, he'll be in a position to wipe you out of the road.
Simple: wait until you're in one of the very sharp turns and suppress the brakes 2s before the sharp turn, you'll be so stunned you won't have time to switch gears or handbrake, your car jumps the barriers and crashes 20 m below. You're history.
-
-
-
-
Sunday 6th September 2015 21:02 GMT phil dude
2FA?
It is 2015. 2FA is now commonplace. Surely, admin for a car can be secured this way?
It helps that Fiat/Chrysler have at *least* hired the white hats - perhaps other car companies will be more proactive. Perhaps it is good PR? We'll see...
A general comment about the state of software security, is that there needs to be a better liability model regarding functional flaws. The statement "Hacking is criminal" says it all - the legality says little about the *probability* of something bad happening. Especially when non-local access is possible.
The sad state of the politics of today, says it all.
The prevailing cognitive dissonance that *you* can somehow have selective knowledge of a flaw in a software system that noone else can find - and exploit....
P.
-
-
Sunday 6th September 2015 22:15 GMT John Brown (no body)
Re: Cue maliious USB sticks in the Post
..until the bad guys start sending out their own...or spamming with instructions on how to download and install their own versions of the "fix".
ISTR someone posting back on the original story wondering if FC would be so dumb as to post out USB sticks for customers to applying their own fixes to their cars.
-
Sunday 6th September 2015 22:49 GMT Graham Marsden
Re: Cue maliious USB sticks in the Post
As soon as I saw the line "customers [...] will be sent a USB device that they'll be urged to use to upgrade the car's flawed software" I was thinking exactly the same.
The crook fakes up something that appears to come from Ford, gullible owner plugs it into their car (of course there's probably *no* security validation or any sort of checking to make sure it's legit), then, the next night, they walk up to the car, activate the unlock over-ride code that got installed and drive off with a nice shiny nearly new car...
-
Monday 7th September 2015 09:05 GMT Groaning Ninny
Re: Cue maliious USB sticks in the Post
The fist thing I thought when I saw the method of delivery was that Fiat Chrysler just haven't learned anything about security. This is just begging to be taken advantage of, I can imagine USB keys being sent out for not just cars, but also "Your insecure online banking".
Sheesh.
-
-
Sunday 6th September 2015 23:42 GMT Mark 85
A friend got one of these for his wife's Cherokee. Came in the mail, not registered or certified... but bulk mail. The instructions say to plug it in and give it about an hour. It doesn't say "where" to plug it in... and his wife was arguing that it should be plugged into her computer in the house and the update would be transmitted to the car. <rolling of eyes> I suggested any USB port in the driver area. We'll see.....
-
Monday 7th September 2015 00:58 GMT Chairo
Huh?
... If unauthorised, such interference constitutes a criminal act.
And if someone is authorised to hack your vehicle it is perfectly OK, right? WTF?
The company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration.
Just wait until the first customer that had an accident claims he had been hacked. And good chance to proof it hasn't! Reversal of the burden of proof is the keyword here. If the customer claims, the manufacturer has to prove the opposite. And how to prove it has not been hacked if there is a known vulnerability?
-
Monday 7th September 2015 07:11 GMT Pascal Monett
"These measures – [..] – block remote access to certain vehicle systems"
And why, pray tell, was remote access available in the first place ?
Apparently, remote access is just bolted on to the main car's data system and the software is supposed to sort out legit commands from unwanted ones by itself.
I call that a recipe for disaster.
-
Monday 7th September 2015 09:15 GMT LucreLout
I don't get it....
.... how does having a connected vehicle make a driver better at observation, anticipation, and correct & timely reaction? It doesn't, so this adds nothing to road safety.
How does it update vehicle firmware remotely, without the owner needing to do anything other than give the ok? Oh, it doesn't, so it's not actually making either the garage or the owners lives more convenient.
So, erm, what is it all supposed to be doing?
Biting the hand that feeds IT
