SoylentNews is people

posted by janrinok on Monday July 27 2015, @04:40PM
from the can't-they-fix-it-by-wireless? dept.

Fiat Chrysler's bad week just got even worse: the US National Highway Traffic Safety Administration has recalled 1.4 million of the manufacturer's cars after a dangerous software flaw was revealed just days ago.

Renowned hackers Charlie Miller and Chris Valasek warned on Tuesday of a ridiculous vuln in the computer systems built into Fiat Chrysler cars: the flaw can be exploited by an attacker to wirelessly take control of the engine, brakes and entertainment system.

The cars connect to the internet via Fiat Chrysler's uConnect cellular network, and thus can be accessed and tampered with from miles away by anyone who knows the vehicle's public IP address. No authentication is required. The US network has been attempting to block incoming connections, we're told. The motor giant has produced a software fix for the root cause of the vulnerability – unfortunately, the update has to be manually installed via a USB stick plugged into the car.



Related Stories

Hackers Remotely Kill Jeep on Highway (71 comments)

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

[Ed. addition follows]

See also coverage at The Register, "Jeep drivers: Install this security patch right now – or prepare to DIE":

The full details of the hack are still private, but it relies on the uConnect cellular network; since 2009, Chrysler cars have included hardware to connect to this network to reach the internet. The two researchers have demonstrated that a canny hacker can use the uConnect system to get wireless access to major components of a car's controls, and potentially crash it remotely with no one being any the wiser. The flaw has existed in the system since 2013.

Miller says the hack will work on recent Fiat Chrysler motors – such as Ram, Durango, and Jeep models. The pair disclosed the flaws to the manufacturer so that a patch could be prepared and distributed before their Black Hat tell-all. The fix is supposed to stop miscreants from accessing critical systems via the cellular network, a protection mechanism you would have expected in place on day one, week one.



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by LoRdTAW on Monday July 27 2015, @04:52PM

    by LoRdTAW (3755) on Monday July 27 2015, @04:52PM (#214399) Journal

    > ...unfortunately, the update has to be manually installed via a USB stick plugged into the car.

    Annnnnd yet another security hole. How long before we see Stuxnet-like malware for cars?

    • (Score: 4, Funny) by tibman on Monday July 27 2015, @04:59PM

      by tibman (134) Subscriber Badge on Monday July 27 2015, @04:59PM (#214405)

      Not many car owners spring for the backseat uranium centrifuge upgrade.

      --
      SN won't survive on lurkers alone. Write comments.
    • (Score: 2) by HiThere on Monday July 27 2015, @08:38PM

      by HiThere (866) Subscriber Badge on Monday July 27 2015, @08:38PM (#214510) Journal

      Would you *really* prefer that the car's OS could be updated over a wireless connection?

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 2) by Nerdfest on Monday July 27 2015, @04:59PM

    by Nerdfest (80) on Monday July 27 2015, @04:59PM (#214406)

    > unfortunately, the update has to be manually installed via a USB stick plugged into the car.

    Oh, I'm pretty sure I could update someone's car remotely if I put my mind to it.

  • (Score: 2) by wonkey_monkey on Monday July 27 2015, @05:02PM

    by wonkey_monkey (279) on Monday July 27 2015, @05:02PM (#214409) Homepage

    > tampered with from miles away by anyone who knows the vehicle's public IP address.

    What is this I don't even

    If that's really correct - only one of the articles says it's a public IP address - aren't they doing it completely wrong?

    --
    systemd is Roko's Basilisk
    • (Score: 3, Interesting) by frojack on Monday July 27 2015, @07:09PM

      by frojack (1554) on Monday July 27 2015, @07:09PM (#214475) Journal

      First you have to realize that this only applies to those cars that have built-in wifi hotspots for all your portable devices.
      This is accomplished by buying a data-plan for the car (which comes with a 4G data plan and a sim, and a monthly bill).
      Very few people buy this because it duplicates their cell plan, and provides very little additional capabilities other than keeping the kids in the back seat happy.

      But if you did use this, you would certainly want to be able to access outside web sites, email, notifications. I can't come up with a single reason why you would want to allow inbound connections for ANY thing. Just like your cell phone does everything with outbound connections only, there is no reason for the car to ever have a public IP. (It should all be behind a firewall. It should all be behind a NAT.)

      But if it is IPv6 capable, isn't EVERYTHING public to some extent?

      So your risk is only if you bought a car with this option, (it was available on my 2012 Chrysler, but I just couldn't see paying another data plan for the car).
      Then you have to reveal your car's IP to someone. Which might happen with something as simple as an email showing headers etc.
      So the risk is small.

      Still Fiat-Chrysler deserve the public bitchslap for missing this. (Not to mention the huge fine they just received and the forced buy-back of Ram Trucks, for playing fast and loose with the recall process.)

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by jcross on Monday July 27 2015, @08:53PM

        by jcross (4009) on Monday July 27 2015, @08:53PM (#214530)

        I believe the guys who discovered the vulnerability were pulling the IP addresses of cars using a burner phone on the same cellular network as the cars (it was Sprint IIRC). From reading the Wired article I assumed that traffic from both phones and cars was going through some common point where it could be intercepted, but it was not clear how that worked exactly.

        • (Score: 2) by frojack on Monday July 27 2015, @09:20PM

          by frojack (1554) on Monday July 27 2015, @09:20PM (#214548) Journal

          That's not how I read it.
          They put a phone (iPhone, I believe) on the in-car wifi, and used that to determine the IP of both the in-car wifi network and the external IP, by connecting back to their own remote computer. They did not use the cellular network on this phone - just the wifi connection from the in-car wifi.

          Even that should not give in-bound access. So unless they added compromised software on the phone, inbound connections should have been rejected.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by jcross on Tuesday July 28 2015, @01:36AM

            by jcross (4009) on Tuesday July 28 2015, @01:36AM (#214642)
            The Wired article clearly described them sniffing vulnerable systems from all over the country, which I don't think would be possible with the method you describe.

            > Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth. A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.

      • (Score: 2) by captain normal on Tuesday July 28 2015, @12:17AM

        by captain normal (2205) on Tuesday July 28 2015, @12:17AM (#214613)

        Still if you did select the option, what it10t thought it a good idea to make the car's operation computer have a wireless connection? Or for that matter a hard wired connection to the wireless modem?

        --
        "Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan--
  • (Score: 1, Insightful) by Anonymous Coward on Monday July 27 2015, @05:04PM

    by Anonymous Coward on Monday July 27 2015, @05:04PM (#214411)

    The more computerized cars become, the more proprietary software, DRM, and privacy issues people will have to deal with. I don't trust the companies, and I don't trust the government to not abuse the situation. The only thing to do is to reject these shitty cars.

  • (Score: 2, Touché) by Anonymous Coward on Monday July 27 2015, @05:05PM

    by Anonymous Coward on Monday July 27 2015, @05:05PM (#214412)

    A car co. has/had the slogan, "we are driven". Perhaps they want to find another slogan now.

    • (Score: 1) by TechieRefugee on Monday July 27 2015, @05:24PM

      by TechieRefugee (5665) on Monday July 27 2015, @05:24PM (#214422)

      "We are driven... by hackers DEAR GOD SOMEONE HELP US I CAN'T STOP THE CAR BECAUSE OF THESE JERKS"

      • (Score: 2) by frojack on Monday July 27 2015, @07:11PM

        by frojack (1554) on Monday July 27 2015, @07:11PM (#214476) Journal

        I plead not guilty, Your Honor. My car was hacked.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Monday July 27 2015, @05:07PM

    by Anonymous Coward on Monday July 27 2015, @05:07PM (#214413)

    This story [bbc.com] is even more interesting, it just doesn't have a cool live demonstration on video.
    They don't need a cellular/internet link, these guys figured out how to hack a car over digital radio.

  • (Score: 4, Insightful) by Anonymous Coward on Monday July 27 2015, @05:27PM

    by Anonymous Coward on Monday July 27 2015, @05:27PM (#214425)

    This is just a software fix for a single exploit. The wiring is still there.

    • (Score: 2) by sjames on Monday July 27 2015, @05:54PM

      by sjames (2882) on Monday July 27 2015, @05:54PM (#214438) Journal

      Exactly. The real fix is to separate the critical systems from the infotainment completely or at least install a proxy that only grants read only access.

    • (Score: 2) by frojack on Monday July 27 2015, @07:17PM

      by frojack (1554) on Monday July 27 2015, @07:17PM (#214478) Journal

      > The wiring is still there.

      It's probably a software fix for the incoming TCP/IP connection via the in-car wifi. (cellular link).

      No manufacturer is going to rip out the CAN bus [wikipedia.org] from the car.

      You might hope they may firewall the CAN bus from the wifi network, or make it read only.
      There are a lot of nifty things you can do by reading and monitoring CAN bus signals. But it doesn't have to be available via wifi.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 3, Interesting) by goodie on Monday July 27 2015, @06:01PM

    by goodie (1877) on Monday July 27 2015, @06:01PM (#214443) Journal

    More specifically Tesla, who are priding themselves on pushing firmware updates etc. to cars over at night etc. It's funny but I'd bet my ass that those guys have thought of security features for this from the beginning, compared to those bozos who are barely starting to consider patching individual flaws as they are made public. Would they say "ok screw this, square one, let's rethink how we do this and do it right!"? Nope. They're going to wait like standard recalls. 1 issue == 1 patch. They're going to treat this like a standard recall procedure. What they don't realize is that while people weren't trying to mess with how hot their heated seats get or how they work, people are very interested in this. So chances are, there will be a lot of issues. A lot. Not that it'll change anything really.

    If my gut feeling is right, this is where Tesla could make a lot of money. Best part is they just have to wait for those guys to keep pouring money down on recalls and trip over their own feet.

    I'm just going to keep my old, unconnected car for as long as I can. Heck, the simpler it is the better. My car is made to drive. As long as it does that reliably, I don't care if I can lock it remotely. If I forget to lock it, I'm stupid. That's why we have insurance.

    • (Score: 2) by VLM on Monday July 27 2015, @06:23PM

      by VLM (445) on Monday July 27 2015, @06:23PM (#214450)

      > the simpler it is the better

      I selected my new car partially because its disconnected. That also means it was cheaper.

      My guess how this will play out is the "security" team will be funded by selling data from the car. And they might be able to sell enough data to lower the price of the car. So you'll have to pay extra or remove antennas or something to drive privately.

      Right now a motivated enough 3rd party team could probably find a way to stream your location data and send you spam without the mfgr's cooperation.

      Think how much money quicktrip would pay to blast an audio commercial over the speakers when you're slowing down to pull into a mobil gas station with a low gas tank... stuff like that.

      As one of the technological elite who can search for stuff online, read manuals, and own diagonal cutters (sadly this is all it takes to be elite) I won't have to suffer thru the experience the masses have to suffer thru.

      You know how it is when you see what a non-ad-blocker internet user puts up with? Imagine that x10 in your car. Spam in your heads up display, spam commercials on the radio, your location data streamed and sold continuously, random car fires unless you send BTC to Russia, it's gonna be quite the cluster F.

      • (Score: 2) by frojack on Monday July 27 2015, @07:21PM

        by frojack (1554) on Monday July 27 2015, @07:21PM (#214481) Journal

        > Right now a motivated enough 3rd party team could probably find a way to stream your location data and send you spam without the mfgr's cooperation.
        > Think how much money quicktrip would pay to blast an audio commercial over the speakers when you're slowing down to pull into a mobil gas station with a low gas tank... stuff like that.

        Do you seriously believe they could withstand the lawsuits from such a stunt?

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by VLM on Monday July 27 2015, @08:37PM

          by VLM (445) on Monday July 27 2015, @08:37PM (#214508)

          LOL maybe the strategy is threaten to do it unless they get money to not do it.

    • (Score: 0) by Anonymous Coward on Monday July 27 2015, @06:28PM

      by Anonymous Coward on Monday July 27 2015, @06:28PM (#214453)

      > I'm just going to keep my old, unconnected car for as long as I can.
      I am considering a new car. But I have to say this has given me pause (along with the over the radio hack someone did a few weeks ago). Along the lines of 'think I will let that sit for a couple years and let them work it out'. But all those cool toys they are slugging in there are enticing :)

      OTA updates for cars. The code and keys and hardware and network and routers and vpns and firewalls to get 'just right' would be quite amazing. With each step being a potential breaking point and something to 'support' for 10-15 years plus.

      Cars are not like computers where we usually chuck them after 5 years. Cars can last for decades if properly taken care of. I am coming up on 13 years for the car I bought new in 2002. It still runs very well. Because I take care of it. Though I think every seal on the car has decided to break down at the exact same time ;)

      • (Score: 0) by Anonymous Coward on Monday July 27 2015, @06:33PM

        by Anonymous Coward on Monday July 27 2015, @06:33PM (#214457)

        > But all those cool toys they are slugging in there are enticing :)

        Just remember that convenience doesn't trump software freedom.

      • (Score: 3, Insightful) by KilroySmith on Monday July 27 2015, @07:23PM

        by KilroySmith (2113) on Monday July 27 2015, @07:23PM (#214482)

        > OTA updates for cars. The code and keys and hardware and network and routers and vpns and firewalls to get 'just right' would be quite amazing.

        Why?
        With a code-signing PUBLIC key IN THE SECURE SYSTEM (say, the ECU), every network, host, router that the OTA package passes through can be treated as the wretched hive of scum and villainy that it is. GM (or Chrysler, et al) signs the OTA package (using the code-signing PRIVATE key) in a super-secret facility buried under a mountain, and then releases it. The ECU doesn't apply any OTA package that isn't correctly signed.
        We do this all day, every day, for $3 peripherals attached to PCs. Even though we run a ton of code and a driver on the PC side, it's all treated as malware by the actual peripheral - it only applies OTA changes signed by our engineering team.
        If only my $30,000 car had the same focus on security that my $3 peripheral does...
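
The verify-before-apply flow described in the comment above, as an added Go example that is not part of the thread or any vendor's code. The package layout, the `ECU-A`/`ECU-B` model names and the version counter are assumptions made up for illustration; the example goes beyond the comment by also covering the model and version with the signature and refusing packages that are not newer than the installed one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is a hypothetical OTA container, not any vendor's real format.
type Package struct {
	Model   string // ECU the image was built for
	Version uint32 // release counter, only ever increases
	Image   []byte
	Sig     []byte // Ed25519 signature over signedBytes()
}

// signedBytes covers header and image, so a valid signature cannot be re-attached to another model or version.
func (p *Package) signedBytes() []byte {
	hdr := fmt.Sprintf("%d:%s:%d:", len(p.Model), p.Model, p.Version)
	return append([]byte(hdr), p.Image...)
}

// ECU holds only the vendor PUBLIC key; the private key stays with the signer.
type ECU struct {
	Model     string
	Installed uint32
	VendorKey ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("signature check failed")
	ErrWrongModel   = errors.New("package is for a different ECU model")
	ErrRollback     = errors.New("version is not newer than installed")
)

// Apply treats the package as hostile until the signature verifies, and only
// then trusts the header fields enough to compare them.
func (e *ECU) Apply(p *Package) error {
	if !ed25519.Verify(e.VendorKey, p.signedBytes(), p.Sig) {
		return ErrBadSignature
	}
	if p.Model != e.Model {
		return ErrWrongModel
	}
	if p.Version <= e.Installed {
		return ErrRollback
	}
	e.Installed = p.Version // a real ECU would also write p.Image to flash here
	return nil
}

// Scenario feeds constructed packages to one ECU and returns each verdict.
func Scenario() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(k ed25519.PrivateKey, model string, ver uint32, img string) *Package {
		p := &Package{Model: model, Version: ver, Image: []byte(img)}
		p.Sig = ed25519.Sign(k, p.signedBytes())
		return p
	}
	ecu := &ECU{Model: "ECU-A", Installed: 1, VendorKey: pub}
	tampered := sign(priv, "ECU-A", 3, "firmware v3")
	tampered.Image[0] ^= 0xff // modified somewhere on the network path
	res := map[string]error{}
	res["genuine v2"] = ecu.Apply(sign(priv, "ECU-A", 2, "firmware v2"))
	res["tampered v3"] = ecu.Apply(tampered)
	res["rogue key v3"] = ecu.Apply(sign(rogue, "ECU-A", 3, "not ours"))
	res["replayed v1"] = ecu.Apply(sign(priv, "ECU-A", 1, "firmware v1"))
	res["other model"] = ecu.Apply(sign(priv, "ECU-B", 3, "firmware B"))
	return res
}

func main() { fmt.Println(Scenario()) }
```

The replayed v1 package carries a perfectly valid vendor signature, which is why the version comparison has to exist separately from the signature check.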

        • (Score: 2, Insightful) by Anonymous Coward on Monday July 27 2015, @08:01PM

          by Anonymous Coward on Monday July 27 2015, @08:01PM (#214495)

          It is tough to get right *even* with code signing. There is a bit more to it than that.

          I love this example. The guy went from a signed blob of code to owning the entire device (though he does that in the 2nd video).
          http://hackaday.com/2014/10/30/reverse-engineering-a-blu-ray-drive-for-laser-graffiti/ [hackaday.com]

          This also is a good example
          https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/february/abusing-blu-ray-players-pt.-1-sandbox-escapes/ [www.nccgroup.trust]

          They hacked it from the other end. Remember bluray is a line of trust sort of system too. It is at this point hacked. It only takes time and knowledge.

          I have also set up chain of trust systems. Getting it 'just right' is tricky. There are tons of moving parts (more than you would think). Then on the other end is the support group who ends up with the system. Are they up to keeping it running correctly?

          To put it this way. If someone breaks into my 300 dollar phone. Yes I am mad but it's fairly 'cheap' and disposable to fix. Someone bricks my 50k BMW for the lulz; because someone got a configuration wrong, or some piece of server software was not updated in 5 years, or someone figured out a particular mp3 turns off the brakes. I am going to be in a suing mood.

          The stakes are a bit higher with a higher priced bit of equipment. Someone bricks your 3 dollar dongle it is fairly cheap to fix. 50k bits of equipment not so cheap...

          • (Score: 2) by KilroySmith on Tuesday July 28 2015, @01:42AM

            by KilroySmith (2113) on Tuesday July 28 2015, @01:42AM (#214645)

            You're absolutely correct, but they got lazy and got bit.

            In our $3 peripheral, the OTA signed blobs are also encrypted. Admittedly, the AES-128 encryption key is global to all parts, and could be exposed; but it provides an excellent level of obfuscation. Imagine trying to determine what CPU our peripheral runs when you're trying to do visual analysis of hex dumps of encrypted blobs...

            If [Micah] is able to load unsigned blobs (which is what has to happen, unless [Micah] has broken a rational PK encryption system), then the security of this system was never taken seriously. There may be a surface layer of security, but that's about it.

            Too bad you posted AC. You seem knowledgeable, and I would have enjoyed adding you to a friend list.

    • (Score: 2, Interesting) by Anonymous Coward on Monday July 27 2015, @08:58PM

      by Anonymous Coward on Monday July 27 2015, @08:58PM (#214532)

      > More specifically Tesla, who are priding themselves on pushing firmware updates etc. to cars over at night etc.

      That's one of the biggest reasons I won't buy a Tesla. The thing practically depends on internet connectivity. Unnecessarily so, like the nav system isn't worth dick without being online. They may be ahead of Detroit when it comes to security, but that's a low bar. Their entire design is one where they keep the backdoors for themselves. That won't last if the cars become popular enough. They need to stop thinking web 2.0 for the car's computer systems. It needs to have maximum possible offline functionality, making the online stuff a requirement for when it is truly necessary, not just whatever is convenient for Tesla.

    • (Score: 2) by bob_super on Monday July 27 2015, @11:52PM

      by bob_super (1357) on Monday July 27 2015, @11:52PM (#214598)

      > I'm just going to keep my old, unconnected car for as long as I can.

      I didn't think my Versa could go up in resale value... 100% manual, come fight for it.

    • (Score: 2) by Phoenix666 on Tuesday July 28 2015, @11:31AM

      by Phoenix666 (552) on Tuesday July 28 2015, @11:31AM (#214796) Journal

      Remember that Elon Musk started with software, PayPal. It's where he made the money he started Tesla with. He might not himself be a programmer, but he certainly has software and connectivity in mind more than any other automobile executive. To wit, he's already pushed out semi-autonomous driving updates to Tesla cars.

      It's one of the things that positions Tesla well to capture more and more market share from established car companies that don't understand software, electric cars, or autonomous driving.

      --
      Washington DC delenda est.
      • (Score: 2) by goodie on Wednesday July 29 2015, @01:51AM

        by goodie (1877) on Wednesday July 29 2015, @01:51AM (#215178) Journal

        True, true. And there may be issues with that too as some have pointed out in this thread. But on this specific issue, I'd trust a guy like Musk and his team over Fiat any day (might be a bad thing though ;) ).

  • (Score: 2) by Bot on Tuesday July 28 2015, @09:09PM

    by Bot (3902) on Tuesday July 28 2015, @09:09PM (#215057) Journal

    A word of advice from the country that let FIAT eat Lancia/Autobianchi, Ferrari, Maserati, Alfa Romeo, all while getting public money and crank out wonderful models like the Duna and the Multipla.

    You want the FIAT?

    You can't handle the FIAT!

    Leave your country quietly, don't close the door. No, really, leave the country.

    Do you think that the US made peace with Cuba and Iran shortly after getting FIAT on board by mere coincidence? No, it's a way to have more places to escape to! The powerful people know, now you know too.

    --
    Account abandoned.