Fiat Chrysler Recalls 1.4 Million Autos To Fix Remote Hack

swinferno writes: Fiat Chrysler announced today that it's recalling 1.4 million automobiles just days after researchers demonstrated a terrifying hack of a Jeep that was driving down the highway at 70 miles per hour. They are offering a software patch for some of their internet-connected vehicles. Cybersecurity experts Chris Valasek and Charlie Miller have publicly exposed a serious vulnerability that would allow hackers to take remote control of Fiat Chrysler Automobile (FCA) cars that run its Uconnect internet-accessing software for connected car features. Despite this, the researchers say automakers are being slow to address security concerns, and are often approaching security in the wrong way.

Re:tip of the iceburg

[ckatko]

We have absolutely every idea of how to secure IT systems. Nobody wants to freaking listen.

I know of a college's root password stored in plain text file on a PUBLICLY accessible url so "new computers can install ghost copies quicker." I know of companies actually using "password" for their password. I know companies that deny access to copy-and-paste on remote desktop, refuse to use e-mail because it's insecure, but are fine with me using a domain administrator account to do my work.

The reason businesses don't care about security is two reasons. 1) They're not afraid and people and the laws should make them afraid so it becomes cost-effective to care. 2) The IT field is full of bullshitters so even when people do hire IT, they assume the guy they hire understands security. When most companies only need one IT guy, they have no experienced guy on hand to tell them if the guy if full of crap. I'm a software developer and I had to teach one admin how Kerberos authentication works and how to resolve issues with it, and another thought that intranet ip addresses were somehow accessible from the web.

However, with the IoT, the situation is mark darker. The IoT is a movement. If it cannot get good market penetration fast, it dies out. So people know that IoT is inherently dangerous but they don't have the time and resources to make them secure and solve those problems so they bank on, and hope for, that nobody ever notices so they can sell enough of their products to keep the market going. People buy features, but security only matters if someone finds out.

The IoT is the NSA's wet dream. Why spy on Americans when you can willingly get them to sign a EULA that lets their Smart TV keep the microphone on 24/7? (This has already happened.) And worse still, if the NSA can do it, so can any government. And people are so stupid they're willingly giving up their privacy just so they can "keep up with the tech Joneses" for a gadget that doesn't even improve their lives in any significant way.

Re:Approach security the wrong way? No shit!

[TWX]

Exactly. If the functions of the vehicle's control systems have changed from a relatively simple engine spark and fuel injection management system to something that controls most aspects of the mechanics of the vehicle-in-motion, then the systems need to be balanced so that these critical systems are not run on poorly-secured or unsecured systems like the infotainment and passenger-comfort parts of the controls. If there is a need for something like the feedback from the body control module to tell the ECM how to set the suspension based on driver input, go back to basics, set a serial-link a simple four-bit byte that just changes values based on the setting chosen, and anything else is simply ignored and last-setting is retained. Doesn't have to be complicated.