back to article Fiat Chrysler recalls THOUSANDS more cars to swerve hack-my-brakes roadkill

Fiat Chrysler Automobiles has recalled nearly 8,000 SUVs, with the hope of halting hackers from mounting remote attacks on the vehicles. The manufacturer said it needed to apply software updates to 7,810 Jeep Renegades that were sold in the US market. It added that 2015 models of the SUV, which comes loaded with certain …

  1. JeffyPoooh
    Pint

    Suggestion...

    Everything always thru a VPN to a proxy back at FCA HQ.

    edit. Unless, of course, they're slurping so much data that such a system would be impractical.

  2. Fraggle850

    There ought to be a moratorium on connecting any wireless systems to the canbus

    Unless/until appropriate and uncompromisable security protocols are in place.

    I know it's unlikely to happen now that vehicle manufacturers are falling over themselves in the rush to sell 'connected' vehicles so I suspect we'll see more of this sort of thing.

    1. Smooth Newt Silver badge
      Unhappy

      Re: There ought to be a moratorium on connecting any wireless systems to the canbus

      When we all have self-drive cars we'll look back with a nostalgic tear in our eyes at the level of problems we are seeing now. It will seem like Atari boot sector viruses in a pre-Internet world all over again.

      The cars will get a constant stream of software updates, map updates, traffic updates, messages between self-drive vehicles, messages from the road network, and doubtless a bunch of other stuff which hasn't even been thought of yet. Many of these will have more or less exploitable flaws, as will the cars' systems for processing them.

    2. PrivateCitizen

      Re: There ought to be a moratorium on connecting any wireless systems to the canbus

      Unless/until appropriate and uncompromisable security protocols are in place.

      Now, if you find such a beast, truly great riches will be yours. I am reasonably sure no such thing exists.

  3. regadpellagru

    Unaware, geez ...

    "The company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration."

    Of course, smart ass, cos no-one will even investigate nor have the competences to do so, even if those design flaws kill thousands !

    How many deaths caused by cars design flaws, in the entire world, have ever been reported ?

    Actually, the article should point out those problems result from DESIGN flaws, which are a lot more serious than software flaws.

    Entertainment network should really share no physical part with driving network.

    My understanding is, again, the manufacturor is just hiding it out with smoke, not fixing the design flaw,

    which would be really costly, but just updating the software.

    Mad.

    1. Alan Brown Silver badge

      Re: Unaware, geez ...

      "Of course, smart ass, cos no-one will even investigate nor have the competences to do so, even if those design flaws kill thousands !"

      There's been a lot of speculation that certain high-profile car crashes relating to individuals in the network security community were due to the systems being interfered with.

      Investigators (of course) found no evidence of tampering, but if your mercedes C-class has been pwned like this, there won't be any after it's been wrapped around a telephone pole.

      1. boltar Silver badge

        Re: Unaware, geez ...

        "There's been a lot of speculation that certain high-profile car crashes relating to individuals in the network security community were due to the systems being interfered with."

        Oh hello, Conspiracy Corner is open for business. So long as the steering wheel is mechanically connected to the rack and the car can be taken out of gear and the handbrake works it would be rather difficult to crash a car remotely with a half competant driver on board.

        1. regadpellagru

          Re: Unaware, geez ...

          "Oh hello, Conspiracy Corner is open for business. So long as the steering wheel is mechanically connected to the rack and the car can be taken out of gear and the handbrake works it would be rather difficult to crash a car remotely with a half competant driver on board."

          Hmmmm, no, really no. You seem to imply you'll have dozens of seconds to react in case of attack, but that is not the case. I can't comment on the aforementioned affairs on security people, but I'm sure those things, carefully used, can kill.

          If someone can remotely control and suppress your brakes, only your brakes outside of handbrakes (and here, understand we now have vehicules with bus-driven handbrakes and steering wheel, opening tons of other possibilities) and he knows you're coming to the mountains road I live closeby, he'll be in a position to wipe you out of the road.

          Simple: wait until you're in one of the very sharp turns and suppress the brakes 2s before the sharp turn, you'll be so stunned you won't have time to switch gears or handbrake, your car jumps the barriers and crashes 20 m below. You're history.

  4. phil dude
    Linux

    2FA?

    It is 2015. 2FA is now commonplace. Surely, admin for a car can be secured this way?

    It helps that Fiat/Chrysler have at *least* hired the white hats - perhaps other car companies will be more proactive. Perhaps it is good PR? We'll see...

    A general comment about the state of software security, is that there needs to be a better liability model regarding functional flaws. The statement "Hacking is criminal" says it all - the legality says little about the *probability* of something bad happening. Especially when non-local access is possible.

    The sad state of the politics of today, says it all.

    The prevailing cognitive dissonance that *you* can somehow have selective knowledge of a flaw in a software system that noone else can find - and exploit....

    P.

    1. PrivateCitizen

      Re: 2FA?

      It is 2015. 2FA is now commonplace. Surely, admin for a car can be secured this way?

      Hard to think how multi-factor authentication would help this sort of attack.

  5. Mage Silver badge

    Cue maliious USB sticks in the Post

    I don't mind if they can be reformatted. More use than malicious emails.

    1. John Brown (no body) Silver badge

      Re: Cue maliious USB sticks in the Post

      ..until the bad guys start sending out their own...or spamming with instructions on how to download and install their own versions of the "fix".

      ISTR someone posting back on the original story wondering if FC would be so dumb as to post out USB sticks for customers to applying their own fixes to their cars.

    2. Graham Marsden
      Stop

      Re: Cue maliious USB sticks in the Post

      As soon as I saw the line "customers [...] will be sent a USB device that they'll be urged to use to upgrade the car's flawed software" I was thinking exactly the same.

      The crook fakes up something that appears to come from Ford, gullible owner plugs it into their car (of course there's probably *no* security validation or any sort of checking to make sure it's legit), then, the next night, they walk up to the car, activate the unlock over-ride code that got installed and drive off with a nice shiny nearly new car...

    3. Groaning Ninny

      Re: Cue maliious USB sticks in the Post

      The fist thing I thought when I saw the method of delivery was that Fiat Chrysler just haven't learned anything about security. This is just begging to be taken advantage of, I can imagine USB keys being sent out for not just cars, but also "Your insecure online banking".

      Sheesh.

  6. Captain Badmouth
    Happy

    Gullible all right

    "The crook fakes up something that appears to come from Ford, gullible owner plugs it into their car...."

    Plugs Ford usb stick into Chrysler vehicle? Definitely contains gullible DNA. :)

  7. Mark 85 Silver badge

    A friend got one of these for his wife's Cherokee. Came in the mail, not registered or certified... but bulk mail. The instructions say to plug it in and give it about an hour. It doesn't say "where" to plug it in... and his wife was arguing that it should be plugged into her computer in the house and the update would be transmitted to the car. <rolling of eyes> I suggested any USB port in the driver area. We'll see.....

    1. Hud Dunlap
      Happy

      @Mark 85

      Thanks. I needed a smile today.

  8. Chairo
    WTF?

    Huh?

    ... If unauthorised, such interference constitutes a criminal act.

    And if someone is authorised to hack your vehicle it is perfectly OK, right? WTF?

    The company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration.

    Just wait until the first customer that had an accident claims he had been hacked. And good chance to proof it hasn't! Reversal of the burden of proof is the keyword here. If the customer claims, the manufacturer has to prove the opposite. And how to prove it has not been hacked if there is a known vulnerability?

    1. Gene Cash Silver badge

      Re: Huh?

      > And if someone is authorised to hack your vehicle it is perfectly OK, right? WTF?

      Actually, yes it is. Ever heard of pen testing?

      1. Chairo

        Re: Huh?

        >Actually, yes it is. Ever heard of pen testing?

        Well, if I autorise someone to hack my vehicle, that's Ok. But if the manufacturer autorises someone to hack or access my vehicle, I have a problem with that.

    2. nematoad Silver badge

      Re: Huh?

      "...such interference constitutes a criminal act."

      Yes, and so should the fact that these clueless idiots have allowed this to happen.

      "Would you like a connected car?"

      Runs away screaming.

  9. Fraggle850

    After an accident, as alluded to by Chairo

    1. Have accident through your own error

    2. Insert USB stick with compromised firmware

    3. Claim 'it woz hackers wot made me do it'

    4. Get away with it

    4a. Sue vehicle manufacturer

    1. Alan Brown Silver badge

      Re: After an accident, as alluded to by Chairo

      1a: Rewrite logs in the vehicle's black box.

      Yes, they all have one. It's also the airbag control module and records from them have been used in several prosecutions.

  10. Pascal Monett Silver badge

    "These measures – [..] – block remote access to certain vehicle systems"

    And why, pray tell, was remote access available in the first place ?

    Apparently, remote access is just bolted on to the main car's data system and the software is supposed to sort out legit commands from unwanted ones by itself.

    I call that a recipe for disaster.

  11. LucreLout Silver badge

    I don't get it....

    .... how does having a connected vehicle make a driver better at observation, anticipation, and correct & timely reaction? It doesn't, so this adds nothing to road safety.

    How does it update vehicle firmware remotely, without the owner needing to do anything other than give the ok? Oh, it doesn't, so it's not actually making either the garage or the owners lives more convenient.

    So, erm, what is it all supposed to be doing?

  12. boltar Silver badge

    Whats that loud clucking sound?

    Oh, look at all those chickens coming home to roast!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020