Chrysler’s computer security disaster

Andy Greenberg and associates demonstrated that they can remotely hijack a Jeep Cherokee, making it do things that could kill everyone in it. Fiat Chrysler is recalling 1.4 million vehicles as a result of this revelation. Greenberg doesn’t fully explain how they did it, for obvious reasons, but he tells us this:

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.

Every computer on the Internet has an IP address, so the real issue is the “one vulnerable element.” We can only guess about it, but this seems like serious negligence on Chrysler’s part. When a computer system can put people’s lives at risk, you have to pay serious attention to security. According to a Computerworld article, it’s the entertainment system which is open to remote access, but it “is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.”

A basic principle of secure design is that you grant only as much access as is necessary. It’s hard to imagine why an entertainment system would need access to life-critical components. If it is necessary, perhaps so that a warning of a major malfunction can go to the speakers, the critical component needs a firewall that limits the access it allows. Did Chrysler allow the entertainment system free run of its ECUs, or was the firewall defective? We don’t know yet, and maybe it will never be made public.
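The default-deny firewall described above can be sketched as a gateway between the two networks. This is an added illustration, not code from Chrysler or any real vehicle; the bus names, message IDs, payload limits and timing values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical two-bus layout; all IDs and limits below are constructed. */
enum bus { BUS_INFOTAINMENT, BUS_CRITICAL };

struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

struct rule {
    enum bus from, to;        /* the only direction this message may travel */
    uint32_t id;              /* exact message ID allowed */
    uint8_t  max_dlc;         /* longest payload accepted */
    uint32_t min_interval_ms; /* rate limit */
    uint32_t last_ms;         /* time of last forwarded frame */
    bool     seen;
};

/* Allowlist: status frames may leave the critical bus. No rule lets
 * anything from the infotainment side reach it. */
static struct rule policy[] = {
    { BUS_CRITICAL, BUS_INFOTAINMENT, 0x3A0, 2, 100, 0, false }, /* malfunction warning */
    { BUS_CRITICAL, BUS_INFOTAINMENT, 0x3B4, 8,  50, 0, false }, /* speed for nav display */
};

/* Returns true only if a rule matches direction, ID, length and rate. */
bool gateway_forward(enum bus from, enum bus to, const struct frame *f, uint32_t now_ms)
{
    if (f == NULL || f->dlc > 8)
        return false;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        struct rule *r = &policy[i];
        if (r->from != from || r->to != to || r->id != f->id)
            continue;
        if (f->dlc > r->max_dlc)
            return false;                       /* malformed or oversized */
        if (r->seen && now_ms - r->last_ms < r->min_interval_ms)
            return false;                       /* flooding */
        r->seen = true;
        r->last_ms = now_ms;
        return true;
    }
    return false;                               /* default deny */
}

int main(void)
{
    struct frame warn = { 0x3A0, 2, { 0x01, 0x00 } };
    printf("critical->infotainment: %d\n", gateway_forward(BUS_CRITICAL, BUS_INFOTAINMENT, &warn, 1000));
    printf("infotainment->critical: %d\n", gateway_forward(BUS_INFOTAINMENT, BUS_CRITICAL, &warn, 2000));
    return 0;
}
```

The warning for the speakers gets through, while the same frame sent from the entertainment side is dropped because no rule covers that direction.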

The situation reminds me of the 2013 Target breach. Attackers compromised a third-party vendor through a phishing email, got access to Target’s portals, and from there got at its Point of Sale system and its credit card data. Once they were past Target’s first line of defense, it was relatively easy to hop from one internal system to another.

Uconnect comes from Sprint, so part of the blame may fall there, though Chrysler is responsible for allowing access to its ECUs. In its terms of service, Uconnect disclaims all responsibility for anything that goes wrong:

23. Disclaimer of Warranties. SPRINT AND FCA MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING (TO THE EXTENT ALLOWED BY LAW) ANY IMPLIED WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE CONCERNING THE UCONNECT SERVICES (INCLUDING YOUR DEVICE). SPRINT PROVIDES THE UCONNECT SERVICES, INCLUDING ANY SOFTWARE COMPONENTS, ON AN “AS IS” BASIS WITH ALL FAULTS, ERRORS, AND DEFECTS. YOUR USE OF AND ACCESS TO THE UCONNECT SERVICES IS AT YOUR SOLE RISK, AND YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE RESULTING FROM YOUR USE. SPRINT DOES NOT PROMISE UNINTERRUPTED OR ERROR-FREE SERVICES AND DON’T AUTHORIZE ANYONE TO MAKE WARRANTIES ON OUR BEHALF.

This is outrageous for a software system that can put your life at risk. The terms say, “By using the Uconnect Services, you agree that you are bound by these Uconnect Terms of Service,” so you didn’t have to sign anything to be bound by them. It’s the legal theory which I satirized in my song “Shrink Wrap Blues,” where the singer is bound to a deal with the Devil simply by opening a game’s package. In Uconnect’s case, the software really could send you to Hell, if Hell existed. The agreement also prohibits class-action lawsuits.

The recall requires owner action; owners can either have a dealer install the fix or do it themselves by plugging in a USB drive. Many people are terrified of touching computer hardware, and there’s no rattling or squeaking to warn them, so most car owners probably won’t bother. The ability to patch it so easily doesn’t reassure me much; it implies another point of vulnerability for anyone with physical access under the hood. Who needs car bombs when you can kill someone with a USB stick?

Chrysler has, to its credit, fixed some software security issues. In 2014 it started requiring diagnostic software to be registered in order to be operative. The article doesn’t address how this would protect older cars.

A lot of car safety issues are cost tradeoffs. Part of what you get for a high-priced model is more protection against injury. Fiat Chrysler’s issue, though, is just plain sloppiness, and unless I hear something serious to revise my opinion, they’re off my list for the next car I buy.

4 Responses to “Chrysler’s computer security disaster”

  1. Eyal Mozes Says:

    This makes me feel much worse about my Honda. The specific defect you helped me discover in Honda’s entertainment system is not life-threatening; but given their blatant dishonesty in concealing the defect, and in continuing to deny it after being presented with conclusive proof, it seems very likely there are other defects in the system that they’re concealing and that we have not discovered. Now that I know that defects in a car’s entertainment system can be life-threatening, this is a matter of serious concern.

    If Chrysler takes prompt action to fix the problem, not just by issuing a recall but by making extra effort to reach out to owners to make sure they’re aware of it and aware of the seriousness of the problem; and if there’s no evidence that they were aware of it before and concealed it; then Chrysler will be much higher than Honda on my list of the next car to buy (and yes, I realize that’s still saying very little for Chrysler).

    • Gary McGath Says:

      No such luck. Chrysler is lying outright, claiming “no defect has been found.” The patch is being issued out of an “abundance of caution.” Don’t ask what that means if there’s no defect to be cautious about.

      Several people have noticed that snail-mailing a USB stick with the fix on it provides huge opportunities for fraud.

      • Eyal Mozes Says:

        Chrysler’s statements about this are certainly unconscionable. Still, if Honda had mailed me a USB stick to fix the defect, and said that “no defect has been found” and they’re mailing the patch out of an “abundance of caution”, that would have been much better than their actual behavior.

      • Eyal Mozes Says:

        Thinking more about this, while Chrysler’s statement that “no defect has been found” is cowardly and contemptible, it’s not clear to me that what they’re doing in practice – mailing USB sticks to all owners of affected cars – isn’t exactly the right thing to do.

        The alternative – issuing a conventional recall, requiring owners to take their car to the servicing dealer for the fix to be applied – would create the risk that many owners will ignore the recall, and not get the fix applied to their car. Mailing out USB sticks makes it much more likely that everyone will in fact apply the fix.

        If hackers try to take advantage of this by mailing out spoof letters and USB sticks, then the owner will get two different letters and USB sticks in the mail, both of them purporting to be from Chrysler. They may not be able to tell which is the genuine one, but they’d have to be extremely stupid not to realize that something is wrong, and that they need to call Chrysler or their dealer before using either stick. There’s some risk that an owner will be stupid enough not to realize this; but it seems much smaller than the risk that an owner will get a conventional recall notice and ignore it.

        Overall, my conclusion is that I very much wish Honda had treated the defect in their system the same way Chrysler treated theirs.

