Monday, August 03, 2015

Chrysler Hack-Fix: Quick, Dirty, and Dangerous

You've read about the hacking of a Chrysler product.  A couple of white-hat hackers were able to play with the wipers and brakes of a car from several hundred miles away.  They reported the vulnerability to Chrysler.

And then Chrysler went cheap-o to fix it.

...Rather than simply treating the software patch as a traditional recall (i.e. requiring them to visit a service center and have an expert make the fix), Fiat Chrysler is mailing a USB thumb drive to owners of the affected cars. From there, the cars' owners can plug the USB drive into the cars' USB port to patch the software vulnerability. This seems like a convenient way to issue a recall for something that car owners can fix themselves. 

However, as anybody with cybersecurity experience would well know, this opens a huge procedural window for hackers who may be inclined to exploit the vulnerability to take control of the car. Carl Leonard, principal security analyst at Raytheon Websense, says this creates an easy social engineering opportunity and uses a notoriously vulnerable distribution method in the USB drive....

The friggin' US MAIL!!?!!???

Uh-huh.  No wonder Chrysler is begging for a merger with another automaker that actually has a pocketbook.
