Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Watchdog sparks mass recall, sheds light on ridiculous flaw

114 Reg comments Got Tips?

Security seems anything but crystal clear for Chrysler

Owners of affected vehicles will be getting a USB drive in the post containing the update, or they can download the patch, copy it to a spare stick and do the job themselves. Alternatively, Chrysler dealerships will update cars at no charge.

"The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts," said Chrysler in a blog post.

"The software update addressed by the recall, after the security steps we took July 23, would require unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write the appropriate code."

Well, sort of.

Details of the vulnerability [PDF] published alongside the recall notice suggest compromising the vehicles has proved easier than first thought. And it appeared Chrysler remains completely clueless when it comes to security:

A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.

With the car's control networks bafflingly left open by default, El Reg wonders why Chrysler even bothered putting them in in the first place.

As Miller and Valasek pointed out at last year's Black Hat security conference, protecting a car's computer system is actually pretty easy to do. They cobbled together a simple intrusion protection system that could block most hacks.

"IDS sucks in computers, but it turns out they work for cars because cars are simple," said Miller.

Chrysler was told about the wireless vulnerability about seven months ago, and after devising a fix, the manufacturer slipped out the patch earlier this month in a service pack with no publicity. It took Miller and Valasek crashing a moving car on a public road to get any kind of attention to the flaw.

One group of Chrysler customers are going to be particularly peeved – the US police, which is one of the car company's biggest customers. Canny criminals would relish the chance of killing a pursuer's engine, so the boys in blue better get patching.

It would be unlikely that owners of the affected vehicles haven't yet heard that their car is hackable, but updating the software manually might be an issue for many. Considering how many people have problems updating their PCs, then doing the car themselves might be an issue. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020