Andy Greenberg and associates demonstrated that they can remotely hijack a Jeep Cherokee, making it do things that could kill everyone in it. Fiat Chrysler is recalling 1.4 million vehicles as a result of this revelation. Greenberg doesn’t fully explain how they did it, for obvious reasons, but he tells us this:
All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.
Every computer on the Internet has an IP address, so the real issue is the “one vulnerable element.” We can only guess about it, but this seems like serious negligence on Chrysler’s part. When a computer system can put people’s lives at risk, you have to pay serious attention to security. According to a Computerworld article, it’s the entertainment system that is open to remote access, but it “is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.”
A basic principle of secure design is that you grant only as much access as is necessary. It’s hard to imagine why an entertainment system would need access to life-critical components. If it is necessary, perhaps so that a warning of a major malfunction can go to the speakers, the critical component needs a firewall that limits the access it allows. Did Chrysler allow the entertainment system free run of its ECUs, or was the firewall defective? We don’t know yet, and maybe it will never be made public.
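The least-privilege gateway argued for above, as an added example (not code from this post's sources or from Chrysler): a default-deny filter between two hypothetical bus segments that lets only a malfunction warning cross, and only from the critical side outward. The segment names, the message ID 0x3A0 and the 2-byte payload limit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bus segments; not Chrysler's actual architecture. */
enum bus { BUS_INFOTAINMENT, BUS_CRITICAL, BUS_COUNT };

/* One permitted flow: source segment, destination segment, message ID, max payload. */
struct rule { enum bus src, dst; uint32_t id; uint8_t max_len; };

#define ID_MALFUNCTION_WARNING 0x3A0u /* constructed ID for the speaker warning */

/* Allowlist: the warning may travel critical -> infotainment; nothing else crosses. */
static const struct rule allowlist[] = {
    { BUS_CRITICAL, BUS_INFOTAINMENT, ID_MALFUNCTION_WARNING, 2 },
};

static unsigned denied[BUS_COUNT]; /* per-source drop counters for auditing */

/* Default deny: forward only if an explicit rule matches direction, ID and size. */
bool gateway_permits(enum bus src, enum bus dst, uint32_t id, uint8_t len)
{
    if ((unsigned)src >= (unsigned)BUS_COUNT || (unsigned)dst >= (unsigned)BUS_COUNT)
        return false;
    for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++) {
        const struct rule *r = &allowlist[i];
        if (r->src == src && r->dst == dst && r->id == id && len <= r->max_len)
            return true;
    }
    denied[src]++; /* a rising count from the infotainment side is worth alerting on */
    return false;
}

unsigned gateway_denied(enum bus src)
{
    return (unsigned)src < (unsigned)BUS_COUNT ? denied[src] : 0;
}

int main(void)
{
    /* Constructed traffic: one legitimate warning, then frames that must be dropped. */
    printf("warning out:    %d\n", gateway_permits(BUS_CRITICAL, BUS_INFOTAINMENT, ID_MALFUNCTION_WARNING, 2));
    printf("same ID inward: %d\n", gateway_permits(BUS_INFOTAINMENT, BUS_CRITICAL, ID_MALFUNCTION_WARNING, 2));
    printf("oversized:      %d\n", gateway_permits(BUS_CRITICAL, BUS_INFOTAINMENT, ID_MALFUNCTION_WARNING, 8));
    printf("denied from infotainment: %u\n", gateway_denied(BUS_INFOTAINMENT));
    return 0;
}
```

Because the rule is keyed on direction as well as message ID, a compromised entertainment unit cannot reuse the one permitted message to reach the critical side.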
The situation reminds me of the 2013 Target breach. Attackers compromised a third-party vendor through a phishing email, got access to Target’s portals, and from there got at its Point of Sale system and its credit card data. Once they were past Target’s first line of defense, it was relatively easy to hop from one internal system to another.
Uconnect comes from Sprint, so part of the blame may fall there, though Chrysler is responsible for allowing access to its ECUs. Uconnect disclaims all responsibility for anything that goes wrong in its terms of service:
23. Disclaimer of Warranties. SPRINT AND FCA MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING (TO THE EXTENT ALLOWED BY LAW) ANY IMPLIED WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE CONCERNING THE UCONNECT SERVICES (INCLUDING YOUR DEVICE). SPRINT PROVIDES THE UCONNECT SERVICES, INCLUDING ANY SOFTWARE COMPONENTS, ON AN “AS IS” BASIS WITH ALL FAULTS, ERRORS, AND DEFECTS. YOUR USE OF AND ACCESS TO THE UCONNECT SERVICES IS AT YOUR SOLE RISK, AND YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE RESULTING FROM YOUR USE. SPRINT DOES NOT PROMISE UNINTERRUPTED OR ERROR-FREE SERVICES AND DON’T AUTHORIZE ANYONE TO MAKE WARRANTIES ON OUR BEHALF.
This is outrageous for a software system that can put your life at risk. The terms say, “By using the Uconnect Services, you agree that you are bound by these Uconnect Terms of Service,” so you didn’t have to sign anything to be bound by them. It’s the legal theory which I satirized in my song “Shrink Wrap Blues,” where the singer is bound to a deal with the Devil simply by opening a game’s package. In Uconnect’s case, the software really could send you to Hell, if Hell existed. The agreement also prohibits class-action lawsuits.
The recall requires owner action; owners can either have a dealer install the fix or do it themselves by plugging in a USB drive. Many people are terrified of touching computer hardware, and there’s no rattling or squeaking to warn them, so most car owners probably won’t bother. The ability to patch it so easily doesn’t reassure me much; it implies another point of vulnerability for anyone with physical access under the hood. Who needs car bombs when you can kill someone with a USB stick?
Chrysler has, to its credit, fixed some software security issues. In 2014 it started requiring diagnostic software to be registered in order to be operative. The article doesn’t address how this would protect older cars.
A lot of car safety issues are cost tradeoffs. Part of what you get for a high-priced model is more protection against injury. Fiat Chrysler’s issue, though, is just plain sloppiness, and unless I hear something serious to revise my opinion, they’re off my list for the next car I buy.