Muppets
See title.
Fiat Chrysler's bad week just got even worse: the US National Highway Traffic Safety Administration has recalled 1.4 million of the manufacturer's cars after a dangerous software flaw was revealed just days ago. Renowned hackers Charlie Miller and Chris Valasek warned on Tuesday of a ridiculous vuln in the computer systems …
Chrysler is treating this like it's a public relations problem. To make them take this seriously, the top level executives of Chrysler should be held criminally liable for any damage. So if someone hacks a Jeep and kills the occupants, charge Chrysler's CEO with manslaughter.
Watch how seriously Chrysler takes security then!
No, watch how seriously Chrysler dodges the issue. Remember, executives have the ability to pin scapegoats. They can also lobby Congress and employ their international connections to dodge the charge. The only way Chrysler will pay attention is if there is a public backlash so great that people simply stop buying anything from the conglomerate. For example, if police cancel squad car contracts from Chrysler and switch to GM or Ford cars instead, then that means big money going away.
For example, if police cancel squad car contracts from Chrysler and switch to GM or Ford cars instead, then that means big money going away.
.. if, of course, we assume those brands do NOT have these problems.. There is one make which takes this seriously, and has for years, but I am not allowed to mention it - I hope at some point they will actually publicise just how much effort they put in because it's worth knowing.
@AC Presumably you're not allowed to mention it because you work for them, but you should be agitating for them to publicly say how much work they put in, etc.
Doing so will not only make it clear about the scale of Fiat-Chrysler's criminal negligence, but will also serve to expose the other makers who've been similarly negligent.
I'm not pulling punches. This level of security FAIL should result in jailtime for the management who decided that spending money on better security was too expensive - it's at least as bad as the Ford Pinto debacle and I'm surprised that the NHTSA hasn't gone as far as ordering all affected cars off the road or forcing F-C to field-upgrade every single vehicle at a time and location which suits the customers, given recalls to stealerships only result in a little over half of affected vehicles being fixed within 6 months.
Mailing out a USB key is spectacularly misguided, as other posters have already pointed out.
GM had a problem with the ignition switch on one car that actually caused deaths, but their CEO wasn't jailed for it, even though it was proven that GM knew about the problem and covered up fixing it to avoid the financial expenditure. No one was arrested for it. They paid a fine and scapegoats were fired, but that was it. Similar situation with Toyota/Lexus with the "sticking accelerator problem" that killed a couple of people in a Lexus when their accelerator jammed and the car wouldn't stop via brakes, but that was covered up as a problem with floor mats allegedly causing the accelerator to jam. As I recall, the CEO wasn't arrested over that and underlings lost jobs, and there was some sort of a fine, but that was it. F/C CEO isn't going to jail over this. Some underling or two will get fired. They'll pay a fine, and it will get swept under the rug, shortly thereafter. Considering that most manufacturers have some sort of connected system in their new cars these days (On Star, My Touch, etc.), perhaps they all should examine their systems for vulnerabilities, but of course, they won't, because there are costs associated with it that they want to avoid.
"US government was getting all over Toyota about an alleged accelerator problem?"
No longer alleged. Been to court, end result $1Bn+ penalty payable by Toyota.
http://www.eetimes.com/document.asp?doc_id=1319903 "The single bit flip that killed" 25 Oct 2013
"Could bad code kill a person? It could, and it apparently did.
The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.
This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.
[continues]"
More detail from Prof Phil Koopman at CMU, an expert witness at the trial:
http://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf
Toyota agree to pay £1Bn+ to end criminal inquiry
http://www.nytimes.com/2014/03/20/business/toyota-reaches-1-2-billion-settlement-in-criminal-inquiry.html
Plenty more if you go look for it. But not particularly widely publicised yet. Spread the word.
Part of their response was that it takes time, effort, & skill to find a way to break in.
Well, duh! Isn't it true for most hacks?
And have they heard of script kiddies, who might have little skills of their own, but use someone else's tools?
It might take 3letter agencies' resources to break my cipher, but once the key is published, even my grandma can be taught to access my secret files. (Sorry Grans, your special Christmas cheese casserole is really that bad).
"The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts"
"The ability to develop the secret of gunpowder is not easy. It took researchers hundreds of years to tap into and control accurate and reliable firearms. They are experts"
If markets generally operate on the principle of supply and demand, who is demanding connected private vehicles? Several people I have talked to are apprehensive of the idea, and I do not personally know anyone who is eager to expose their private vehicle to the open Internet. Phones, laptops, GPS - wonderful, but not the brakes, please.
I have not purchased a new vehicle recently, and of anyone who has, I ask, did you have a choice of connected or not? Is this all supply-side?
"There's a concern of a cornered market."
I don't know about the US but in Europe there's a good deal of regulatory stuff that new vehicle designs need to pass. Regulations about the isolation of safety-critical systems need to be added to this. That would avoid problems with future designs but getting it made retrospective might be difficult. With such regulation in place there'd be no issues about cornered markets; non-compliant vehicles wouldn't get into the market and manufacturers would have to start paying attention to introducing security at the design stage.
It's a crazy quilt of regs over here. Feds regulate MPG through taxation and the NTSB does crash testing which I believe is mandatory. But it isn't necessarily illegal to produce an unsafe car. You just have to be able to survive the class action lawsuit which will inevitably follow. OTOH the NTSB can issue recall orders if as a result of complaints they determine the vehicle is unsafe.
Most regulation happens at the local level with Kalifornia having the most weight because of their high population. But the thoroughness of inspections is spotty. For example, I grew up in Pennsylvania. While growing up vehicles had to be inspected by licensed servicing stations every 6 months. They checked a variety of the standard stuff including body integrity (lack of rust), brakes, and tire wear. Somewhere along the way they switched to once a year (nominally cheaper, but all the inspection stations jacked their prices to make up for the lost business). I now reside in The People's Republic of Maryland. Despite state mandated emissions inspections every two years at state run stations, there are no corresponding laws about vehicle inspections. If you buy a used car, or transfer in from another state you have to have an inspection at the time you register the vehicle. After that, nothing.
Doesn't the consumer (buyer of the car) have to sign up for connected car services in order to have them? Surely, those connected car services are not free. Onstar definitely isn't free. There are subscription fees for that. Surely, there are subscription fees for other connected car services. You don't sign up, you're not getting service, and the car isn't connected to anything without that subscription, right?
that people that makes cars have no idea about IT.
(and won't swallow their pride to ask for help).
We can all argue over how this came about - but finest example is built in GPS.
I remember when cars started coming "with a screen" and it was all very exciting. And.. well then I realized that we were being offered the chance to pay thousands for something demonstrably worse than what you could pick up for a hundred or so and stick to your wind-shield.
What *I* as the consumer want is a decent interface between my car and my phone (and this certainly doesn't mean I want an iOS or Android compatible car).
I want my car to run itself, brake when it sees I'm about to drive into somebody and all the rest - and simply the ability to overlay my phone on that screen (wot I paid for). My phone wants power, GPS (if I've got a window with elements in it) and that's about it. My phone does not need to connect to the inner workings of my car. Maybe my phone could utilize a read-only output from my car - but there's absolutely no reason my phone needs to be able to 'control' my car.
that people that makes cars have no idea about IT.
Or about making cars. Remember when Lee I. took over Chrysler the second time.. he fired a whole lot of beancounters and asked for people who wanted to make cars. When he left, the company hired beancounters again... and the downward spiral began.
So Chrysler deemed the patch to be just an optional nicety whereas the National Highway Traffic Safety Administration (once actually told about it, apparently not by Chrysler) issued an urgent mass recall for it. That seems far beyond a trifling innocuous difference of opinion and either a knowing cover-up or incompetence beyond the point of negligence (at least one responsible adult is required per registered company...)
Was Toyota slapped with gross negligence for its Prius issues? If not, don't expect Chrysler to get charged here. And like I said before, it's hard to pin executives of a company for company troubles; AFAIK, executives only get nailed on personal matters.
>>so how do you find the IP address of a specific car?
You run a port scanner across the Sprint network looking for these car signatures. From this you have each one tell you its GPS coordinates.
If you know where the car that you actually want to control is, then you look for a match based on those coordinates. Once you have your match, enjoy your new Chrysler Mobile Drone(tm).
Honestly they should be spinning this as a feature. Call it the iChauffeur. All they need to do is set up so that when you enter the vehicle you just say where you want to go then someone in a call center starts the car and drives it remotely. Maybe a combination of Siri with an Indian call center...
(I'll be back in a minute - need to file a patent).
"unfortunately, the update has to be manually installed via a USB stick plugged into the car"
Why is this unfortunate? that's the way updates to a car SW should be done! Only by physical access, that keeps things safer.
I guess you could give the car some kind of wireless communication, so it can download the update automatically from the internet, but that connection might become a source for malicious attacks...
wait, WHAT?
So then how do you get someone completely computer-illiterate and isolated to update their car when a critical issue comes up? They can't do it themselves and are out of the loop so wouldn't know to go to the dealer.
BTW, that USB port can be a security issue in itself. Even with some kind of signature check, what happens when their private key gets compromised?
Ehhh....
I'm assuming the firmware update requires A Magical Dance Of Keys and Buttons to access firmware update mode (if not, shoot them) and if the private keys were compromised, you still need physical access to the vehicle (and its keys, or keyfob if keyless) to update it.
So that's less of an issue than you might think. I'm quite sure you don't just turn the car on with the USB drive plugged in, that would be stupendously dense.
Note - I don't know what the procedure is, and I genuinely don't care, to be blunt, as I specifically avoid cars that have nannying controls for everything. And penis extensions like Jeeps.
Most of the BSPs provided by the manufacturers of the system-on-chips used in these things have that feature (though it is easily disabled), and it's a handy feature during development.
They may have a button dance to do the reboot, one hopes a "special" one, but that's not security - and it's also public knowledge as soon as the recall starts.
I hope the firmware image is signed, but I doubt it.
This is about as bad as not tightening wheel nuts before the cars leave the factory. An organisation fails putting millions at risk. But who is in a position to force manufacturers to properly assess and mitigate the risk? If hackers are ignored (or made criminals) then they're better off turning to the dark side.
Every single device connected to the net should have its own publicly routable IP address. NAT was a hackjob implemented to alleviate the IPv4 address shortage ... but instead, network engineers saw that as "extra security" and took that at face value.
Of course, NAT "security" is bollocks, and this hack proves it if the devices are connected to a NATted network. The faster we migrate to NATless IPv6, the faster we get all the security theater mentality away from IP addresses.
The sooner that we stop stumbling around the opportunities and take the threats with the same level of consideration, the safer we will be.
It just struck me about a discussion I have been having with someone who was complaining about their browser of choice's decision to block a certificate signed with an old broken algorithm. The inconvenience is real, but so is the threat. I was struck because I know they get the same emails as me and that they were again flooded with IoT development technology's marketing. A lot of energy went into pushing people into such devices, but there is really nothing on security.
You wouldn't feel safe with a windows vista machine with no patches applied, yet we are building impossible to update firmware into all sorts of gadgets with life expectancies above and beyond. It is a weird world sometimes.
It's not a bad idea on its face, and it's an idea driven by consumer demands.
The idiocy entered the picture when critical car systems like steering, brakes, and engine control were merged onto the network with that connection. These systems have typically, in the past, been completely air-gapped from other car networks and systems, for the very reason that...they're critical.
Apparently, some moron in Italy decided that saving three cents worth of CAN cable was far more important than system integrity.
I watched a video many years ago where a Darpa speaker questioned the potential dangers with ABS due to the quality of the programmers involved.
If I remember, his point was that the best graduates don't end up working for auto makers. In his mind, probably C or B level at best.
I didn't put too much stock in it at the time but now...
Those who were negligent in writing the defective code or designing an insecure component should be heavily fined and suspended from their job without pay for six months. Those who hacked the cars should go to prison for a minimum of 10 years and be fined treble damages plus all cost of prosecution and incarceration.
Those who hacked the cars should go to prison for a minimum of 10 years and be fined treble damages plus all cost of prosecution and incarceration.
You are so very wrong. For every honest team of researchers who publish in order to get the hole closed, you can bet there's a bunch of other teams doing the same things but keeping quiet about it and adding to their capabilities. Military, espionage, lulz, blackmail, whatever.
This flaw - as someone a couple of comments down pointed out - could be used as a WMD if you could hit every car of the same model at the same time: Steering 3 degrees left; accelerate hard; disable brakes. That'd probably tie up emergency services country-wide for at least a few hours. Ideal if you're planning a military invasion and want to keep the enemy busy and distracted. Or arsehats like ISIS would do it for the atrocity value alone...way more effective than a suicide bomber.
"Those who hacked the cars should go to prison for a minimum of 10 years"
...and if they hadn't found and published, how long before we find the hack in Hacking Team's 400GB data "loss" and that they were already selling it? Or some other company similar to Hacking Team? Or any of the world's "state actors"?
"The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts," said Chrysler in a blog post.
And there aren't other experts out there? It did/does present an opportunity for a real WMD attack across the US.
If I understood that video correctly, the cars seem to run an embedded version of Windows given that the driver had to turn it off and then on again to reset :).
Now this is public, I suspect many tailgating accidents of these cars will end up filed as "my brakes were hacked, they suddenly didn't work"..
Forget the computer security issues here - when I drive a car, I control it. I don't mind the computer knowing what I'm doing with the car but the control systems for the brakes, engine and steering should NOT be controllable from it. The engine, ABS and stability control systems should be separate. This is completely possible - if I monitor the output of something it does not mean I can control it.
Poor cheap design I say.
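The separation argued for in the comment above (the infotainment side may read vehicle data but never send toward brakes, engine or steering), written as a gateway forwarding policy. This is an added example, not part of the original thread and not any manufacturer's design; the CAN identifiers, type names and sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Which side of the gateway a frame arrived on. */
typedef enum { BUS_VEHICLE, BUS_INFOTAINMENT } bus_t;

typedef enum { GW_FORWARD, GW_DROP_DIRECTION, GW_DROP_MALFORMED, GW_DROP_ID } gw_verdict_t;

typedef struct {
    uint32_t id;      /* standard 11-bit CAN identifier */
    uint8_t  dlc;     /* payload length, 0..8 for classic CAN */
    uint8_t  data[8];
} can_frame_t;

/* Constructed identifiers (assumption): real assignments are vehicle-specific. */
static const uint32_t TELEMETRY_ALLOWLIST[] = {
    0x100, /* hypothetical: vehicle speed */
    0x110, /* hypothetical: fuel level */
};

/* Decide what the gateway does with one frame. */
gw_verdict_t gateway_decide(bus_t from, const can_frame_t *f)
{
    /* Direction is checked first: nothing arriving from the infotainment
       side is ever relayed toward the vehicle bus, whatever its ID. */
    if (from != BUS_VEHICLE)
        return GW_DROP_DIRECTION;
    if (f->id > 0x7FF || f->dlc > 8)
        return GW_DROP_MALFORMED;
    for (size_t i = 0; i < sizeof TELEMETRY_ALLOWLIST / sizeof TELEMETRY_ALLOWLIST[0]; i++)
        if (f->id == TELEMETRY_ALLOWLIST[i])
            return GW_FORWARD;   /* read-only telemetry for the display */
    return GW_DROP_ID;           /* default deny for everything else */
}

/* Constructed sample traffic, not captured from any vehicle. */
typedef struct { bus_t from; can_frame_t frame; } sample_t;

static const sample_t SAMPLE[] = {
    { BUS_VEHICLE,      { 0x100, 2, { 0x00, 0x3C } } },
    { BUS_VEHICLE,      { 0x110, 1, { 0x40 } } },
    { BUS_VEHICLE,      { 0x200, 8, { 0 } } },          /* not on the allowlist */
    { BUS_INFOTAINMENT, { 0x100, 2, { 0xFF, 0xFF } } }, /* allowlisted ID, wrong side */
    { BUS_INFOTAINMENT, { 0x200, 8, { 0 } } },
    { BUS_VEHICLE,      { 0x100, 9, { 0 } } },          /* impossible length */
};

/* Tally verdicts over the sample; counts[] is indexed by gw_verdict_t.
   Returns the number of frames forwarded. */
unsigned run_sample(unsigned counts[4])
{
    for (int v = 0; v < 4; v++)
        counts[v] = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        counts[gateway_decide(SAMPLE[i].from, &SAMPLE[i].frame)]++;
    return counts[GW_FORWARD];
}

int main(void)
{
    unsigned counts[4];
    unsigned forwarded = run_sample(counts);
    printf("forwarded=%u dropped: direction=%u malformed=%u id=%u\n",
           forwarded, counts[GW_DROP_DIRECTION],
           counts[GW_DROP_MALFORMED], counts[GW_DROP_ID]);
    return 0;
}
```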
Lots of new cars have "Park Assist", you stop beside a space, put the car in reverse, and press a button. In theory it parks in the space, which requires steering and brake control. Since the hackers noted that they could only control the car when it was in reverse I guess this is the system they used.
I test drove a few new cars with park assist recently. It's impressive in a way, but unnerving, and at least once I had to hit the brake myself to stop the car clipping the one beside it, so the technology is far from perfect anyway.
It has been several decades since you directly controlled any system in your car. The move toward "drive by wire" systems has been steady and inexorable.
Critical systems like brakes, engine control, and steering have, however, ALWAYS been air-gapped from other vehicle networks. The problem here isn't indirect control - it's the ACCESS to that control that Fiat's inexplicable decision to eliminate this air gap provides.
It has been several decades since you directly controlled any system in your car.
Brakes and steering are still directly controlled in all but a very few cars. They usually have some degree of assistance, but they are not 'drive by wire'.
I suspect on most modern cars the computer always controls the braking even when you're depressing the brake pedal. That's certainly part of how ABS solutions work, and you need it if you're implementing some sort of automatic anti-tailgating or blind spot braking mechanisms that's how you'd implement that as well.
As other posters pointed out, the real problem is that that control subsystem was connected to the public internet.
I suspect on most modern cars the computer always controls the braking even when you're depressing the brake pedal. That's certainly part of how ABS solutions work,
Don't 'suspect', look it up. Brakes work even with the battery disconnected, the pressure in the pipes comes directly from your foot on the pedal.
Of course there's some electric or vacuum assistance which can be activated by the computer to add effort when required, and ABS can vary that pressure by opening valves in the circuit to pulse the activity, but the fundamental braking effort is still direct. Same applies to steering.
Before they start adding more pointless electronic complexity to their cars, Chrysler/GM/Ford should study German cars that are safe and durable, Japanese cars for reliability, Italians for style and performance.
With few exceptions (Studebaker Avanti, 1964 Buick Riviera, 1964 Mustang, 1970 Plymouth Barracuda, Corvair) most post-war American cars have been hideous and as horrible mechanically as they look.
Of course, US drivers expect to buy cars cheaper than almost anywhere in the world and they get what they pay for.
"Before they start adding more pointless electronic complexity to their cars, Chrysler/GM/Ford should study German cars that are safe and durable, Japanese cars for reliability, Italians for style and performance."
Recent German cars are equally packed with a lot of electronic complexity. I wouldn't be too surprised if my 2012 Audi A6 suffered vulnerabilities similar to Chrysler's, to be honest. Mechanical faults are much rarer than electronic failures in recent cars. It's far from perfect, and due to price pressure all major car manufacturers, including the Germans, offload more and more QA to the customer.
In fact, features like Audi Connect scare the shit out of me. (It offers a pile of internet service integrations, such as Google Maps, Facebook and others, which may or may not make the car less secure; Most definitely it allows for more accurate tracking of the car, less privacy, and might eventually be used by forensics/insurances -- most definitely against you.)
Internet connectivity of any car system paired with a single CANBUS that trusts all connected devices makes a lot of alarm bells ring simultaneously!
"Before they start adding more pointless electronic complexity to their cars, Chrysler/GM/Ford should study"
What, exactly? All the car companies are interconnected. They all buy from the same few suppliers of critical systems and they have ALL been involved in safety scandals and coverup exposes.
The hint you should take from the title of the story is that it's Fiat-Chrysler, not Chrysler-Fiat. If it wasn't for Fiat the Chrysler name would have ceased to exist. (Being tied to Chrysler nearly took Daimler-Benz out of business. As it is the single largest contribution they made to Daimler during the alliance was teaching them how to make Mercedes which rust quickly and break down too much)
Similarly, Renault's prime contribution to Nissan has been to introduce unreliable electrics and PSA's contribution to Toyota has been shonky designs along with engine computer software flaws.
@detritus: Thank you for reposting association, I did so on the other thread, but not early enough to get near the top!
It could just be a coincidence, but it does raise the question as with all other leaked 0-day exploits being hoarded, whether this hack was discovered independently?
P.
"Not even for traffic alerts"
Nope. When driving, drive. It's kind of important.
"which are best done well enough in advance so as to reroute around such things as accidents?"
Are you actually implying that TehIntraWebTubes know about traffic issues before they happen? The mind absolutely boggles ...
"And no, the radio doesn't work too well around here."
So you're so far outside of major traffic that the radio doesn't work too well? Why, exactly, do you think you are qualified to comment on the subject?
"Are you actually implying that TehIntraWebTubes know about traffic issues before they happen? The mind absolutely boggles ..."
Last week I got caught up in stopped traffic. Thanks to Waze I knew that the delay was less than 5 minutes, so waited.
The number of drivers turning around to take alternate routes which are all longer than that (the minimum alternate route is 15 minutes longer) made it clear that not everybody was aware of it.
That said: there is no good reason why safety critical systems should be connected to the entertainment/informatics system and from there onto the Internet.
"Nope. When driving, drive. It's kind of important."
Part of driving is avoiding trouble. Getting caught in the tieup aftermath of a bad accident may mean the difference between a good night's rest and insomnia...or even running out of gas. It's happened. You may surrender to the Hand of Fate, but I'm a firm believer in Will: in taking control of my destiny.
"Are you actually implying that TehIntraWebTubes know about traffic issues before they happen?"
No, but you can be made aware of snarls before they affect you. Like I said, if you get warning that a bad accident is 10 miles ahead of you, now would be a good time to seek a detour since the backup may be 9 1/2 miles long.
"So you're so far outside of major traffic that the radio doesn't work too well? Why, exactly, do you think you are qualified to comment on the subject?"
Because I drive a lot. IOW, this is coming firsthand. And the corridor I frequent happens to be quite rural AND doesn't support traffic radio frequencies. And BTW, this is true of MOST of the US Interstate Highway System. Only due to consumer demand do the cellcos keep cell towers along the route, but any other of information? As a former New Yorker, fahgettaboudit! Knowledge is power, and knowing the road is a key aspect of being a good driver. Being able to know things that are beyond your visual range helps a lot.
Whereabouts in the car? I hope it is a secure location. Can visualise stories of "Very odd, someone broke into my car, and didn't steal anything."
How many baddies are trying to get their hands on the USB patch stick in order to reverse engineer it?
"With the car's control networks bafflingly left open by default, El Reg wonders why Chrysler even bothered putting them in in the first place."
My guess: during development, dealing with the firewall - which will normally be fully enabled by default - was just too much of a pain in the ass for developers to deal with, so they completely disabled it rather than go through the somewhat more painstaking process of opening only those ports needed by their applications and those of other development teams. By the time deployment time rolled around, the system had grown in complexity to the point where the idea of shutting down ports was deemed too difficult and time-consuming, so everything was just left wide open.
Somewhere in Italy, there's a list of "nice-to-have enhancements" that contains "analyze firewall settings" on it.