Chrysler issues Jeep Cherokee security patch via USB drive mailed to owners

By midian182
Sep 7, 2015
  1. Fiat Chrysler has been criticized after a patch it released for the Jeep Cherokee security flaw was mailed to more than a million customers on a USB drive via the US Postal Service.

    In July, two hackers demonstrated a zero-day exploit involving the infotainment system of a Jeep Cherokee. The pair showed how they were not only able to remotely control the vehicle’s windshield wipers and radio, but could also kill the engine, put the Jeep into neutral and apply or completely disable the brakes.

    Chrysler's decision to mail a patch out on a USB stick has come under fire from several security experts, who say it could pave the way for a future attacker to send out their own spoof letters and USB drives so as to trick users into installing rogue software on their vehicles.

    It’s been suggested that Fiat should include a method for validating the authenticity of the USB drive so users can verify it really has come from them before it’s plugged in. There’s also the fear that hackers will be able to pull the data off the USB and reverse-engineer it, giving them an insight into how the vehicles receive their software updates and perhaps finding new vulnerabilities to exploit.

    “An auto manufacturer is basically conditioning customers into plugging things into their vehicles,” says Mark Trumpbour, an organizer of the New York hacker conference Summercon.

    Chrysler has responded by pointing out that the security concerns arising from the letters are only “speculation”; it also pointed out that the USB drives are read-only. “Consumer safety and security is our highest priority,” the spokesperson added. “We are committed to improving from this experience and working with the industry and with suppliers to develop best practices to address these risks.”

    Days after the Jeep hack story went public, Chrysler released a security update for download on its website. It also implemented a layer of protection on the Uconnects’ Sprint network designed to block the wireless attack.

  2. kendall007

    kendall007 TS Rookie

    I would take less tech in a car if they would just build them better. Why do we need Wi-Fi in a car? Most people have cell phones. If you can't use a map, get a standalone GPS. All this extra tech in cars is just one more thing to break, and get hacked. Keep It Simple Stupid.
    agb81 likes this.
  3. insect

    insect TS Evangelist Posts: 315   +114

    Cars today are the most reliable in history. Truck defect rate over time for example:

    The industry as a whole follows similar trends. Technology made that possible. Now it asks users to perform maintenance instead of waiting for the old lady to run the oil to 25K miles. Now it reports problems back to the manufacturer for patching. Now it helps you avoid collisions and adjusts suspension on the fly by scanning the road ahead, prolonging the life of tires and shocks. Now it adjusts fuel/air ratios on demand to maximize performance and gas mileage.

    Give me the technology any day.
  4. davislane1

    davislane1 TS Evangelist Posts: 3,384   +2,171

    Indeed. But as a consequence, failures are often far more serious and/or inconvenient than previous generations of cars. As a tow truck driver once commented (while towing a vehicle with a faulty computer board), it's the new stuff he always has to tow, bricked because of some computer or sensor problem.

    Or, in my case, a faulty computer component causing the transmission to shift from 4th to reverse at 85 mph on the expressway. That was an interesting glitch.

    I'll take low tech and more minor maintenance over high tech and expensive repairs all day long.
