Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Monday July 27 2015, @04:40PM   Printer-friendly
from the can't-they-fix-it-by-wireless? dept.

Fiat Chrysler's bad week just got even worse: the US National Highway Traffic Safety Administration has recalled 1.4 million of the manufacturer's cars after a dangerous software flaw was revealed just days ago.

Renowned hackers Charlie Miller and Chris Valasek warned on Tuesday of a ridiculous vuln in the computer systems built into Fiat Chrysler cars: the flaw can be exploited by an attacker to wirelessly take control of the engine, brakes and entertainment system.

The cars connect to the internet via Fiat Chrysler's uConnect cellular network, and thus can be accessed and tampered with from miles away by anyone who knows the vehicle's public IP address. No authentication is required. The US network has been attempting to block incoming connections, we're told. The motor giant has produced a software fix for the root cause of the vulnerability – unfortunately, the update has to be manually installed via a USB stick plugged into the car.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by goodie on Monday July 27 2015, @06:01PM

    by goodie (1877) on Monday July 27 2015, @06:01PM (#214443) Journal

    More specifically Tesla, who are priding themselves on pushing firmware updates etc. to cars over at night etc. It's funny but I'd bet my ass that those guys have thought of security features for this from the beginning, compared to those bozos who are barely starting to consider patching individual flaws as they are made public. Would they say "ok screw this, square one, let's rethink how we do this and do it right!" ? Nope. They're going to wait like standard recalls. 1 issue == 1 patch. They're going to treat this like a standard recall procedure. What they don't realize is that while people weren't trying to mess with how hot their heated seats get or how they work, people are very interested in this. So chances are, there will be a lot of issues. A lot. Not that it'll change anything really.

    If my gut feeling is right, this is where Tesla could make a lot of money. Best part is they just have to wait for those guys to keep pouring money down on recalls and trip over their own feet.

    I'm just going to keep my old, unconnected car for as long as I can. Heck, the simpler it is the better. My car is made to drive. As long as it does that reliably, I don't care if I can lock it remotely. If I forget to lock it, I'm stupid. That's why we have insurance.

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by VLM on Monday July 27 2015, @06:23PM

    by VLM (445) Subscriber Badge on Monday July 27 2015, @06:23PM (#214450)

    the simpler it is the better

    I selected my new car partially because its disconnected. That also means it was cheaper.

    My guess how this will play out is the "security" team will be funded by selling data from the car. And they might be able to sell enough data to lower the price of the car. So you'll have to pay extra or remove antennas or something to drive privately.

    Right now a motivated enough 3rd party team could probably find a way to stream your location data and send you spam without the mfgr's cooperation.

    Think how much money quicktrip would pay to blast an audio commercial over the speakers when you're slowing down to pull into a mobil gas station with a low gas tank... stuff like that.

    As one of the technological elite who can search for stuff online, read manuals, and own diagonal cutters (sadly this is all it takes to be elite) I won't have to suffer thru the experience the masses have to suffer thru.

    You know how it is when you see what a non-ad-blocker internet user puts up with? Imagine that x10 in your car. Spam in your heads up display, spam commercials on the radio, your location data streamed and sold continuously, random car fires unless you send BTC to Russia, its gonna be quite the cluster F.

    • (Score: 2) by frojack on Monday July 27 2015, @07:21PM

      by frojack (1554) on Monday July 27 2015, @07:21PM (#214481) Journal

      Right now a motivated enough 3rd party team could probably find a way to stream your location data and send you spam without the mfgr's cooperation.
      Think how much money quicktrip would pay to blast an audio commercial over the speakers when you're slowing down to pull into a mobil gas station with a low gas tank... stuff like that.

      Do you seriously believe they could withstand the lawsuits from such a stunt?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by VLM on Monday July 27 2015, @08:37PM

        by VLM (445) Subscriber Badge on Monday July 27 2015, @08:37PM (#214508)

        LOL maybe the strategy is threaten to do it unless they get money to not do it.

  • (Score: 0) by Anonymous Coward on Monday July 27 2015, @06:28PM

    by Anonymous Coward on Monday July 27 2015, @06:28PM (#214453)

    I'm just going to keep my old, unconnected car for as long as I can.
    I am considering a new car. But I have to say this has given me pause (along with the over the radio hack someone did a few weeks ago). Along the lines of 'think I will let that sit for a couple years and let them work it out'. But all those cool toys they are slugging in there are enticing :)

    OTA updates for cars. The code and keys and hardware and network and routers and vpns and firewalls to get 'just right' would be quite amazing. With each step being a potential breaking point and something to 'support' for 10-15 years plus.

    Cars are not like computers where we usually chuck them after 5 years. Cars can last for decades if properly taken care of. I am coming up on 13 years for the car I bought new in 2002. It still runs very well. Because I take care of it. Though I think every seal on the car has decided to break down at the exact same time ;)

    • (Score: 0) by Anonymous Coward on Monday July 27 2015, @06:33PM

      by Anonymous Coward on Monday July 27 2015, @06:33PM (#214457)

      But all those cool toys they are slugging in there are enticing :)

      Just remember that convenience doesn't trump software freedom.

    • (Score: 3, Insightful) by KilroySmith on Monday July 27 2015, @07:23PM

      by KilroySmith (2113) on Monday July 27 2015, @07:23PM (#214482)

      OTA updates for cars. The code and keys and hardware and network and routers and vpns and firewalls to get 'just right' would be quite amazing.

      Why?
      With a code-signing PUBLIC key IN THE SECURE SYSTEM (say, the ECU), every network, host, router that the OTA package passes through can be treated as the wretched hive of scum and villainy that it is. GM (or Chrysler, et al) signs the OTA package (using the code-signing PRIVATE key) in a super-secret facility buried under a mountain, and then releases it. The ECU doesn't apply any OTA package that isn't correctly signed.
      We do this all day, every day, for $3 peripherals attached to PC's. Even though we run a ton of code and a driver on the PC side, it's all treated as malware by the actual peripheral - it only applies OTA changes signed by our engineering team.
      If only my $30,000 car had the same focus on security that my $3 peripheral does...

      • (Score: 2, Insightful) by Anonymous Coward on Monday July 27 2015, @08:01PM

        by Anonymous Coward on Monday July 27 2015, @08:01PM (#214495)

        It is tough to get right *even* with code signing. There is a bit more to it than that.

        I love this example. The guy went from a signed blob of code to owning the entire device (though he does that in the 2nd video).
        http://hackaday.com/2014/10/30/reverse-engineering-a-blu-ray-drive-for-laser-graffiti/ [hackaday.com]

        This also is a good example
        https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/february/abusing-blu-ray-players-pt.-1-sandbox-escapes/ [www.nccgroup.trust]

        They hacked it from the other end. Remember bluray is a line of trust sort of system too. It is at this point hacked. It only takes time and knowledge.

        I have also setup chain of trust systems. Getting it 'just right' is tricky. There are tons of moving parts (more than you would think). Then on the other end is the support group who ends up with the system. Are they up to keeping it running correctly.

        To put it this way. If someone breaks into my 300 dollar phone. Yes I am mad but its fairly 'cheap' and disposable to fix. Someone bricks my 50k BMW for the luz; because someone got a configuration wrong, or some piece of server software was not updated in 5 years, or someone figured out a particular mp3 turns off the breaks. I am going to be in a suing mood.

        The stakes are a bit higher with a higher priced bit of equipment. Someone bricks your 3 dollar dongle it is fairly cheap to fix. 50k bits of equipment not so cheap...

        • (Score: 2) by KilroySmith on Tuesday July 28 2015, @01:42AM

          by KilroySmith (2113) on Tuesday July 28 2015, @01:42AM (#214645)

          You're absolutely correct, but they got lazy and got bit.

          In our $3 peripheral, the OTA signed blobs are also encrypted. Admittedly, the AES-128 encryption key is global to all parts, and could be exposed; but it provides an excellent level of obfuscation. Imagine trying to determine what CPU our peripheral runs when you're trying to do visual analysis of hex dumps of encrypted blobs...

          If [Micah] is able to load unsigned blobs (which is what has to happen, unless [Micah] has broken a rational PK encryption system), then the security of this system was never taken seriously. There may be a surface layer of security, but that's about it.

          Too bad you posted AC. You seem knowledgeable, and I would have enjoyed adding you to a friend list.

  • (Score: 2, Interesting) by Anonymous Coward on Monday July 27 2015, @08:58PM

    by Anonymous Coward on Monday July 27 2015, @08:58PM (#214532)

    > More specifically Tesla, who are priding themselves on pushing firmware updates etc. to cars over at night etc.

    That's one of the biggest reasons I won't buy a tesla. The thing practically depends on internet connectivity. Unnecessarily so, like the nav system isn't worth dick without being online. They may be ahead of Detroit when it comes to security, but that's a low bar. Their entire design is one where they keep the backdoors for themselves. That won't last if the cars become popular enough. They need to stop thinking web 2.0 for the car's computer systems. It needs to have maximum possible offline functionality, making the online stuff a requirement for when it is truly necessary, not just whatever is convenient for Tesla.

  • (Score: 2) by bob_super on Monday July 27 2015, @11:52PM

    by bob_super (1357) on Monday July 27 2015, @11:52PM (#214598)

    > I'm just going to keep my old, unconnected car for as long as I can.

    I didn't think my Versa could go up in resale value... 100% manual, come fight for it.

  • (Score: 2) by Phoenix666 on Tuesday July 28 2015, @11:31AM

    by Phoenix666 (552) on Tuesday July 28 2015, @11:31AM (#214796) Journal

    Remember that Elon Musk started with software, PayPal. It's where he made the money he started Tesla with. He might not himself be a programmer, but he certainly has software and connectivity in mind more than any other automobile executive. To wit, he's already pushed out semi-autonomous driving updates to Tesla cars.

    It's one of the things that positions Tesla well to capture more and more market share from established car companies that don't understand software, electric cars, or autonomous driving.

    --
    Washington DC delenda est.
    • (Score: 2) by goodie on Wednesday July 29 2015, @01:51AM

      by goodie (1877) on Wednesday July 29 2015, @01:51AM (#215178) Journal

      True, true. And there may be issues with that too as some have pointed out in this thread. But on this specific issue, I'd trust a guy like Musk and his team over Fiat any day (might be a bad thing though ;) ) .