Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Watchdog sparks mass recall, sheds light on ridiculous flaw


Security seems anything but crystal clear for Chrysler

Owners of affected vehicles will be getting a USB drive in the post containing the update, or they can download the patch, copy it to a spare stick and do the job themselves. Alternatively, Chrysler dealerships will update cars at no charge.

"The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts," said Chrysler in a blog post.

"The software update addressed by the recall, after the security steps we took July 23, would require unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write the appropriate code."

Well, sort of.

Details of the vulnerability [PDF] published alongside the recall notice suggest compromising the vehicles has proved easier than first thought. And it appears Chrysler remains completely clueless when it comes to security:

A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.

With the radio's firewall rules bafflingly left wide open by default, so that anything able to reach the radio could talk to it, El Reg wonders why Chrysler even bothered putting a firewall in in the first place.

As Miller and Valasek pointed out at last year's Black Hat security conference, protecting a car's computer system is actually pretty easy to do. They cobbled together a simple intrusion detection system (IDS) that could spot, and block, most hacks.

"IDS sucks in computers, but it turns out they work for cars because cars are simple," said Miller.
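Miller's point is that in-vehicle bus traffic is predictable: each ECU broadcasts its frames on a fixed schedule, so an attacker flooding the bus with control messages stands out. The following is an added illustration of that idea, not Miller and Valasek's device and not Chrysler code. It learns the mean inter-arrival interval per CAN arbitration ID from clean traffic, then flags frames that arrive far ahead of schedule or carry an ID never seen while learning. The frame layout, the IDs 0x1A0, 0x2B0 and 0x7E0, their schedules, the injected burst and the 0.5 tolerance factor are all constructed for the example.

```python
"""Frequency-based CAN bus anomaly detector (constructed illustration).

Assumptions: frames are (timestamp_seconds, arbitration_id, payload_hex)
tuples; IDs, schedules and thresholds below are made up for the demo.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Frame = Tuple[float, int, str]
Alert = Tuple[float, int, str]


def learn_baseline(frames: List[Frame]) -> Dict[int, float]:
    """Mean inter-arrival interval (seconds) per arbitration ID, from clean traffic.

    ECUs send most frames on a fixed period, which is what makes this crude
    model workable on a car where it would not be on a general-purpose network.
    """
    last_seen: Dict[int, float] = {}
    gaps: Dict[int, List[float]] = defaultdict(list)
    for ts, can_id, _payload in frames:
        if can_id in last_seen:
            gaps[can_id].append(ts - last_seen[can_id])
        last_seen[can_id] = ts
    return {can_id: sum(g) / len(g) for can_id, g in gaps.items()}


def detect(frames: List[Frame], baseline: Dict[int, float],
           tolerance: float = 0.5) -> List[Alert]:
    """Return (timestamp, id, reason) alerts for suspicious frames.

    "unknown id": an ID that never appeared during learning.
    "too frequent": an ID arriving sooner than tolerance * its learned period.
    An injection flood trips the second check because the legitimate ECU keeps
    transmitting alongside the attacker; the legitimate frame right after the
    flood is flagged too, which is acceptable for a blocking device.
    """
    alerts: List[Alert] = []
    last_seen: Dict[int, float] = {}
    for ts, can_id, _payload in frames:
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown id"))
        elif can_id in last_seen and (ts - last_seen[can_id]) < tolerance * baseline[can_id]:
            alerts.append((ts, can_id, "too frequent"))
        last_seen[can_id] = ts
    return alerts


def normal_traffic(duration: float) -> List[Frame]:
    """Constructed clean capture: 0x1A0 every 10 ms, 0x2B0 every 100 ms."""
    frames: List[Frame] = []
    for ms in range(int(duration * 1000)):
        ts = ms / 1000.0
        if ms % 10 == 0:
            frames.append((ts, 0x1A0, "00 00 00 00 00 00 00 00"))
        if ms % 100 == 0:
            frames.append((ts, 0x2B0, "00 00"))
    return frames


def attack_traffic() -> List[Frame]:
    """Constructed capture: clean traffic plus a 20-frame 0x1A0 burst at 1 ms
    spacing from t=0.500 s, and one frame with an ID unseen during learning."""
    frames = normal_traffic(1.0)
    frames += [((500 + k) / 1000.0, 0x1A0, "FF FF FF FF FF FF FF FF") for k in range(20)]
    frames.append((0.7, 0x7E0, "02 10 03"))
    return sorted(frames, key=lambda f: f[0])


def run_demo() -> List[Alert]:
    """Learn from clean traffic, then scan the attack capture."""
    baseline = learn_baseline(normal_traffic(2.0))
    return detect(attack_traffic(), baseline)


if __name__ == "__main__":
    for ts, can_id, reason in run_demo():
        print(f"{ts:.3f}s id=0x{can_id:03X} {reason}")
```

The same model is trivially extended with a per-ID payload check (for example, a counter or checksum byte that must advance), but even the frequency rule alone catches the flood pattern that injection attacks need, because the attacker must out-transmit the real ECU to win.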

Chrysler was told about the wireless vulnerability about seven months ago, and after devising a fix, the manufacturer slipped out the patch earlier this month in a service pack with no publicity. It took Miller and Valasek crashing a moving car on a public road to get any kind of attention to the flaw.

One group of Chrysler customers is going to be particularly peeved: the US police, one of the car company's biggest customers. Canny criminals would relish the chance to kill a pursuer's engine, so the boys in blue had better get patching.

Owners of the affected vehicles are unlikely not to have heard by now that their cars are hackable, but applying the update manually may be a stretch for many. Given how many people struggle to update their PCs, patching the car themselves could be a problem. ®

Biting the hand that feeds IT © 1998–2022