back to article Hacker-friendly Chrysler hauled into court for class-action showdown

Fiat Chrysler is facing a class-action lawsuit in the US after researchers proved they could wirelessly snatch control of the engine management systems in some of its vehicles. The lawsuit, filed in the southern district of Illinois, claims Chrysler knew the networking systems in its cars were insecure. The motoring giant …

  1. Anonymous Coward
    Anonymous Coward

    Time for a major rethink

    It should be obvious by now that hackers have taken control of many vital aspects of our lives due to negligence by manufacturers, engineers and programmers who view computer operations security as an after thought. As such not only the hackers, but the company CEOs, engineers and programmers should be held criminally responsible for their negligence.

    It doesn't take a rocket scientist to understand the vulnerabilities that have been created since the first iteration of Windoze. Had Gates and friends been held accountable for their negligence, we would have a much better, safer world today but unfortunately you can buy all the justice that you can afford in the U.S. so Gates is a billionaire for selling defective goods and corrupted 90% of all PCs in the world with totally insecure operating systems.

    1. Anonymous Coward
      Anonymous Coward

      Re: Time for a major rethink

      Windows is insecure?

      https://www.youtube.com/watch?v=8AsXHfrm7PQ

    2. Anonymous Coward
      Anonymous Coward

      Re: Time for a major rethink

      I respectfully put it to you that it is -in general- not the programmers, technicians, testers or QC people who are negligent or unaware of potential issues, but the bean counters that refuse to approve the necessary budget and the upper management insisting on silly deadlines often inspired by imaginary 'market forces'.

      1. Medixstiff

        Re: Time for a major rethink

        "but the bean counters that refuse to approve the necessary budget and the upper management insisting on silly deadlines often inspired by imaginary 'market forces'."

        I totally disagree on this one, most IT staff I have worked with are more than happy to do work in their own time, especially if it's really needed, such as patching and configuration changes, because they take pride in their work.

        Developers on the other hand, I find to be very slack individuals, the amount of time a new release has been stopped due to lackluster testing and code review is totally unacceptable in my view. Don't get me wrong, I have worked with some excellent programmers, but they are in the 5-10 percentile.

        1. dotdavid

          Re: Time for a major rethink

          "most IT staff I have worked with are more than happy to do work in their own time, especially if it's really needed"

          If the proper budgets and deadlines were in place, no-one would have to work in their own time. It is, after all, their time to do with as they please.

        2. Smooth Newt Silver badge

          Re: Time for a major rethink

          "most IT staff I have worked with are more than happy to do work in their own time, especially if it's really needed"

          Why should IT staff and developers be expected to work for nothing. If the company really needs it, then the company should pay for it and not expect their employees to subsidize them.

        3. Warm Braw Silver badge

          Re: Time for a major rethink (@ Medixstiff)

          You probably picked the wrong place to say it, but it's certainly something of which I have experience. Some time back, a then major IT vendor managed to ship a new product version with a significant chunk of its documented functionality not actually implemented - something that had escaped the notice of its developers and supposed testers.

          The days of buccaneering structural engineers are over - no one in their right mind would use "agile methodology" to design a bridge. If "software engineering" is to have any real meaning, then software development has got to get a lot less individualistic and the tools (languages, compilers and indeed CPUs) are going to have to move on.

  2. Anonymous Coward
    Anonymous Coward

    Makes for a nice slogan, though.

    Uconnect? UrSoScrewed..

    Sorry. I'll take my meds now, shall I?

  3. beast666

    I think it is great that all these researchers fix all these flaws before we go flying down The Mancunian Way in our blinged-up Teslas

  4. Henry Wertz 1 Gold badge

    Fines and rules.

    @"Time For a Major Rethink" AC:

    My life's not affected at all levels by software exploits. No Windows at home, and my bank etc. are competent so they don't get randomly hacked at regular intervals. The level of product liability you are expecting is excessive, and in a system like this, you would simply end up with no software being written at all. I sure as hell wouldn't write anything if I expected unlimited liability for it. At best, you'd end up with a situation like airplanes -- due to the extremely high costs of certifying any new design, you've got single-engine models still being sold that use 1930's era engine technology and a 1930's era carburetor... newer engines with fuel injection will drop right in, and have been shown to be more powerful, more fuel efficient, AND more reliable, but the certification costs are too high.

    Anyway... unfortunately, I find it difficult that the plaintiffs will be able to show harm. The flaws didn't affect them, the flaws have been fixed, and the previous existence of these flaws, good look showing that'll harm the sale price. I seriously doubt this case will get anyhwere.

    That said, these flaws were flat-out stupid -- leaving ports open is stupid, and it's particularly stupid to allow the entertainment system direct access to the engine management bus. It's actually common practice among car co.s to either keep them completely segregated -- i.e. no wire between them whatsoever -- or, to filter allowed commands to "read check engine light codes" and "reset check engine light" (if they want to sell the "hit the Onstar button and have them give a vague diagnosis of why your check engine light came on" thing.)

    In a typical safety recall, as long as the car company was cooperative, the fines are minimal, beacuse the actual cost of doing the recall is already pretty high (having to replace some physical component on each and every car after all.) I do hope Chrysler gets a nice fine here. Since the costs of a software update are low, they may otherwise see minimal affect on the balance sheet and so not actually learn their lesson that security must be taken more seriously.

  5. Toastan Buttar
    Flame

    "Chrysler could have solved all its problems if it had only used a basic"...

    ...air gap between anything to do with the mechanics of the vehicle and any form of remotely-accessible computer system.

    How f***ing hard can it be?

    1. Smooth Newt Silver badge

      Re: "Chrysler could have solved all its problems if it had only used a basic"...

      It's hard to air gap it.

      If the entertainment system and the displays have access to the Internet, and also need to know information about the electronic management systems even just for warning messages like "the handbrake is on" when you are moving, then there can't be an air gap.

      Some sort of regular unidirectional broadcast by the electronic management systems, without any signals electrically possible in the opposite direction is the best you can hope for if you want to prevent the possibility of control in the other direction.

  6. Randy Hudson

    HTTP is not a security concern. Every new firmware has to be signed by FCA. A man in the middle would have no way to sign any malicious code.

  7. foxyshadis

    Port 6667?

    Were they using IRC to control the cars?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020