Chrysler recalls 1.4 million cars after vulnerability: “This won’t be the last patch we see”
Amid the various articles and media hysteria regarding the recall of 1.4 million Chrysler cars after vulnerabilities were disclosed, one executive argues this could be the tip of the iceberg.
Tim Erlin is director of security and product management at Tripwire. He argues Chrysler has an opportunity to make the most of this incident and pioneer software security for the automotive industry, noting that well-established software security best practices already exist. He cautioned, however: “A recall has very real, material costs for an automotive manufacturer.
“Experiencing an urgent recall for a security patch to the vehicle’s software is likely to drive changes around how software is updated for all manufacturers. While new update methods can be built into new vehicles, there are millions of cars already on the road to consider as well.
“The security of vehicle software is now a safety issue, and manufacturers will need to adapt to treat it as such,” Erlin added. “This won’t be the last patch we see for a car near you.”
On July 21, Wired published a piece by Andy Greenberg which detailed his experiences with Charlie Miller and Chris Valasek, who had spent the previous year researching car hacking techniques.
Greenberg was essentially the human guinea pig for Miller and Valasek’s findings. He was sent out in a Jeep in downtown St. Louis, driving at 70 mph, while the car’s software, remotely exploited from a laptop in Miller’s basement 10 miles away, performed a series of actions ranging from the irritating – blasting cold air at the driver, turning the radio volume to full – to the downright dangerous, such as cutting the transmission.
Greenberg was safe, although he noted afterwards that he “beg[ged] the hackers to make it stop.” However, the short-term danger for Greenberg became a potentially long-term one for Chrysler, the Jeep’s manufacturer, as the article went live.
Like most good hackers, Miller and Valasek had been sharing this data with Chrysler for the previous nine months. In some cases security researchers, frustrated by a company’s complete indifference to their findings, go rogue: Paul Price spotted a shocking flaw in card manufacturer Moonpig’s API and shared it with the company through responsible disclosure. 17 months later, with the issue still not fixed, he went public.
Chrysler, meanwhile, has been cooperating and has put together a software patch which, in the absence of over-the-air delivery, can either be manually downloaded and installed via a flash drive, be installed at a dealership, or be delivered on a USB stick. The last option has been widely panned by security professionals, as it is all too easy to imagine bad actors sending out fake USB upgrade sticks. One said it was “the dumbest move I have heard of in a long time.”
On Friday, Fiat Chrysler Automobiles (FCA) issued a voluntary safety recall for software in 1.4 million US vehicles, saying it was doing so “out of an abundance of caution.” Ken Westin, senior security analyst at Tripwire, notes that while the hacking by Miller and Valasek appears “quite scary”, the possibility of this being used in a real attack remains slim.