Chrysler Criticized For Patching Hack Via Mailed USB

HardOCP News

Chrysler is being criticized for distributing a patch for its cars on a USB drive sent via USPS. Sure, we all know not to plug random USB devices into our cars / computers, but this seems a little nit-picky to me.

Six weeks after hackers revealed vulnerabilities in a 2014 Jeep Cherokee that they could use to take over its transmission and brakes, Chrysler has pushed out its patch for that epic exploit. Now it’s getting another round of criticism for what some are calling a sloppy method of distributing that patch: On more than a million USB drives mailed to drivers via the US Postal Service.
 
Why not issue a "recall" on the vehicle, as is the case when any physical issue is found on a car? The consumer will take their vehicle into their local dealership, who will have the software update, and the issue can be resolved that way. Why treat it any differently than any other recall?

This does feel very "sloppy" to me.
 
Is there even a precedent for this? (Honest question) Have manufacturers in the last 50 years ever recommended consumers solve a "manufacturing" issue with their car themselves rather than take it to the dealership?
 
Why not issue a "recall" on the vehicle, as is the case when any physical issue is found on a car? The consumer will take their vehicle into their local dealership, who will have the software update, and the issue can be resolved that way. Why treat it any differently than any other recall?

This does feel very "sloppy" to me.

Requiring a million people to schedule an appointment, drive to the dealer, then sit around for two hours drinking gross coffee until the car is done is a massive waste of time. Users can just put the USB stick in their car and do the update at their own convenience. For people that can't process the directions, they can make dealer appointments and be inconvenienced for their own incompetence.
 
Why not issue a "recall" on the vehicle, as is the case when any physical issue is found on a car? The consumer will take their vehicle into their local dealership, who will have the software update, and the issue can be resolved that way. Why treat it any differently than any other recall?

This does feel very "sloppy" to me.

Honestly, I wouldn't mind the option of either. Like a mailed "Here is a USB stick with the fix for your car. If you are unable to perform this yourself, please bring it to your local dealer and we will do the fix for you."
 
Requiring a million people to schedule an appointment, drive to the dealer, then sit around for two hours drinking gross coffee until the car is done is a massive waste of time. Users can just put the USB stick in their car and do the update at their own convenience. For people that can't process the directions, they can make dealer appointments and be inconvenienced for their own incompetence.

But this is common practice. When a recall is issued affecting a million people, they are all told to go to their local dealership. This brings me to my second question regarding precedent.
 
Is there even a precedent for this? (Honest question) Have manufacturers in the last 50 years ever recommended consumers solve a "manufacturing" issue with their car themselves rather than take it to the dealership?

Ford mailed around USB sticks to people for some Sync updates in the past. People were generally really happy about this.
 
Honestly, I wouldn't mind the option of either. Like a mailed "Here is a USB stick with the fix for your car. If you are unable to perform this yourself, please bring it to your local dealer and we will do the fix for you."

Sure, I wouldn't mind it myself, tbh. But the article makes a great point: What stops someone from mailing another stick a few months later made to look official that ends up bricking your car? Yes, the chances of getting access to the db with names and addresses of all the people is small, but it's still very possible - and that's what computer security is all about: Protecting against the possible, no matter how unlikely.
 
But this is common practice. When a recall is issued affecting a million people, they are all told to go to their local dealership. This brings me to my second question regarding precedent.

"Common practice" needs to catch up with modern vehicles. I would rather pay shipping to have a USB stick mailed to me than drive to a dealer so a tech can put in the USB stick for me.
 
Sure, I wouldn't mind it myself, tbh. But the article makes a great point: What stops someone from mailing another stick a few months later made to look official that ends up bricking your car? Yes, the chances of getting access to the db with names and addresses of all the people is small, but it's still very possible - and that's what computer security is all about: Protecting against the possible, no matter how unlikely.

If you are that worried about it, what is to stop people from doing that even if there is no recall? If you send people a fancy looking envelope with a USB stick, they will likely follow the directions.
 
If you are that worried about it, what is to stop people from doing that even if there is no recall? If you send people a fancy looking envelope with a USB stick, they will likely follow the directions.

Exactly the point the article is making! Chrysler is now setting a precedent to trust mailed USB sticks rather than going to an official location to have the work done.

We don't do this in the tech world. If we get an email that says, "I'm AVG, and I've attached an official launcher for the latest version of our software to this message!" Do we download that attachment and run it? Of course not! We go to the official site and get the latest, even if the email is legit.

The biggest problem in the physical world is that mail doesn't even have to have a return address on it to verify the mailed update even has the remote chance of being legit.
 
But this is common practice. When a recall is issued affecting a million people, they are all told to go to their local dealership. This brings me to my second question regarding precedent.

Because this does not require a dealer visit and is easily performed by anyone with even a modicum of intelligence.

As has already been stated, I would prefer this method over a trip to the dealer anytime.

Also, while many of us enjoy the convenience of a dealer on every corner, there are many people who have to drive an hour each way to find a dealer.
 
Exactly the point the article is making! Chrysler is now setting a precedent to trust mailed USB sticks rather than going to an official location to have the work done.

We don't do this in the tech world. If we get an email that says, "I'm AVG, and I've attached an official launcher for the latest version of our software to this message!" Do we download that attachment and run it? Of course not! We go to the official site and get the latest, even if the email is legit.

The biggest problem in the physical world is that mail doesn't even have to have a return address on it to verify the mailed update even has the remote chance of being legit.

But Chrysler isn't making that trust, it's there already. If a typical Chrysler owner got a USB drive in a Chrysler box with directions, they would follow them. Doesn't matter if Chrysler sent it or not, or if this article was ever published.
 
Requiring a million people to schedule an appointment, drive to the dealer, then sit around for two hours drinking gross coffee until the car is done is a massive waste of time. Users can just put the USB stick in their car and do the update at their own convenience. For people that can't process the directions, they can make dealer appointments and be inconvenienced for their own incompetence.

You are missing the point. Here's a scenario, a criminal has a way to bypass security measures on a car, he just needs physical access. Well, he could of course just mail the drive to a few owners with directions on how to connect drive and load his malware.

In short, if you are plugging USB drives sent by mail into your car, you may get your dumbass killed. Even if they look really really official.

And of course requiring millions and millions of people to schedule an appointment is the way it's always been done. This is not some new problem or process.
 
I think the primary issue is how do I know this is really from Chrysler and not some hacker. I would hope they have some way of verifying and/or the ability to just go to a dealership instead at no cost.
 
I think the primary issue is how do I know this is really from Chrysler and not some hacker. I would hope they have some way of verifying and/or the ability to just go to a dealership instead at no cost.

You are just as ignorant to what is happening at the dealership. You have to draw a line somewhere. I think a prior contact to the person over the phone letting them know it is coming and have a passphrase they give you to verify against the drive that could ship with the matching phrase. Or simply just call and tell them it is coming.

Nothing is perfect, there will always be a way someone can think of that would break the current system. I mean, how do you know the person working at Chrysler isn't infecting all the drives before they ship out, etc. etc.
 
I just think the dealers are upset because they actually want customers to come in for a recall so they have the opportunity to upsell you a bunch of unneeded services like every recall I've ever gone in for.
 
I think the primary issue is how do I know this is really from Chrysler and not some hacker. I would hope they have some way of verifying and/or the ability to just go to a dealership instead at no cost.

That or if the patch/flash drive itself can be analyzed to allow further hacking of the system. Seeing how it works is likely going to give someone an idea how to gain root access to the vehicle (either by analyzing how the vehicle authenticates or by changing the payload).
 
I just think the dealers are upset because they actually want customers to come in for a recall so they have the opportunity to upsell you a bunch of unneeded services like every recall I've ever gone in for.

This. I took a Chevy in for the ignition lock recall and now I'm on all of their mailing lists. During the recall process, they do a vehicle inspection and try to upsell you on maintenance/other issues.
 
This. I took a Chevy in for the ignition lock recall and now I'm on all of their mailing lists. During the recall process, they do a vehicle inspection and try to upsell you on maintenance/other issues.

My Alero has that ignition rotation BS.

I'm afraid to take my car in...

They may condemn it.

:(
 
Sure, I wouldn't mind it myself, tbh. But the article makes a great point: What stops someone from mailing another stick a few months later made to look official that ends up bricking your car? Yes, the chances of getting access to the db with names and addresses of all the people is small, but it's still very possible - and that's what computer security is all about: Protecting against the possible, no matter how unlikely.

Depends on how secure their USB update process is.
Based on past experience we know their automotive systems are safe and secure.... Oh, wait...
 
I would just do the update myself off the usb drive. Way more convenient than wasting my time at the dealership.
 
My Alero has that ignition rotation BS.

I'm afraid to take my car in...

They may condemn it.

:(

That's if you survive the "dreaded" upsell and other unneeded services sales pitch?
The maintenance department brings in more money than new car sales.

If everyone bought the up sale, showroom floors at Honda and Toyota dealerships would be covered in 24 Karat 1/2" gold plate, especially after the Takata air bag debacle.

Unlike the Chrysler hack, the ignition recall resulted in deaths. You really should get it fixed. On second thought, it is an Alero. :D
 
I'm not in the industry, so I don't know how these updates work for sure, but wouldn't the software be signed/etc so that only 'authorized' devices can perform the updates on a production vehicle? I understand that putting that many devices into the wild increases the probability that someone could reverse-engineer it, but it is so much more convenient that it is worth putting more effort into making the process secure. Of course, that puts the responsibility back on the company that made the insecure software to begin with....
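The signing scheme the poster above is asking about is the standard answer to the "is this stick really from Chrysler?" worry raised earlier in the thread. The following is an added example, not Chrysler's or Uconnect's code, and the package layout, the model identifier "JEEP-KL-2014" and the version numbers are all constructed for illustration. It uses Go's standard-library Ed25519: the manufacturer signs a small header that binds the firmware image to a model and a version, and the head unit, holding only the public key, refuses a tampered image, an image signed by someone else, and a downgrade back to the vulnerable build. Because the car never holds a secret, copying or reverse-engineering the stick gives an attacker nothing that lets them forge one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout (an assumption for this example, not the real
// Uconnect format): a signed header binds the payload to a model and version.
//   header = model ID (16 bytes, zero padded) || version (uint32 BE) || sha256(payload)
//   stick  = header || ed25519 signature over header || payload
const (
	modelIDLen = 16
	headerLen  = modelIDLen + 4 + sha256.Size
)

type UpdatePackage struct {
	Header, Signature, Payload []byte
}

func buildHeader(modelID string, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[:modelIDLen], modelID) // truncates or zero-pads to 16 bytes
	binary.BigEndian.PutUint32(hdr[modelIDLen:modelIDLen+4], version)
	sum := sha256.Sum256(payload)
	copy(hdr[modelIDLen+4:], sum[:])
	return hdr
}

// Sign runs at the manufacturer; the private key never leaves its signing host.
func Sign(priv ed25519.PrivateKey, modelID string, version uint32, payload []byte) UpdatePackage {
	hdr := buildHeader(modelID, version, payload)
	return UpdatePackage{Header: hdr, Signature: ed25519.Sign(priv, hdr), Payload: payload}
}

// Verify is what the head unit runs before flashing. It holds only the public
// key, so a copied stick reveals no secret, and it checks the signature before
// believing anything else in the header.
func Verify(pub ed25519.PublicKey, p UpdatePackage, thisModel string, installed uint32) error {
	if len(p.Header) != headerLen || len(p.Signature) != ed25519.SignatureSize {
		return errors.New("malformed package")
	}
	if !ed25519.Verify(pub, p.Header, p.Signature) {
		return errors.New("signature check failed: not signed by the manufacturer")
	}
	model := string(bytes.TrimRight(p.Header[:modelIDLen], "\x00"))
	if model != thisModel {
		return fmt.Errorf("package is for %q, this vehicle is %q", model, thisModel)
	}
	version := binary.BigEndian.Uint32(p.Header[modelIDLen : modelIDLen+4])
	if version <= installed {
		return fmt.Errorf("rollback refused: package version %d, installed %d", version, installed)
	}
	sum := sha256.Sum256(p.Payload)
	if !bytes.Equal(sum[:], p.Header[modelIDLen+4:]) {
		return errors.New("payload hash mismatch: image altered after signing")
	}
	return nil
}

// RunScenarios plays the cases the thread worries about against a car that
// runs v1 (the vulnerable build) and returns the verdict for each; nil means
// the car would flash the image.
func RunScenarios() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)  // manufacturer's key pair
	_, impostor, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key pair
	const model = "JEEP-KL-2014"                       // constructed identifier, not a real part number

	genuine := Sign(priv, model, 2, []byte("constructed sample firmware image v2"))
	tampered := Sign(priv, model, 2, []byte("constructed sample firmware image v2"))
	tampered.Payload = append([]byte("X"), tampered.Payload[1:]...) // altered on the stick
	forged := Sign(impostor, model, 3, []byte("malicious image from a mailed stick"))
	stale := Sign(priv, model, 1, []byte("old image that still has the bug"))

	results := map[string]error{}
	for name, p := range map[string]UpdatePackage{
		"genuine": genuine, "tampered": tampered, "forged": forged, "rollback": stale,
	} {
		results[name] = Verify(pub, p, model, 1)
	}
	return results
}

func main() {
	for name, err := range RunScenarios() {
		if err == nil {
			fmt.Printf("%-9s accepted\n", name)
		} else {
			fmt.Printf("%-9s rejected: %v\n", name, err)
		}
	}
}
```

The order of checks matters: the signature is verified first, so model and version fields are only trusted after they are known to come from the manufacturer, and the rollback check is what stops someone from re-mailing the genuine pre-patch image later. What this scheme cannot do is stop an attacker who obtains the manufacturer's private key, which is why that key belongs in an HSM and not on a laptop at a dealership.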
 
I have to say, I would much rather do this than have to bring my car to a dealer (what a pain to have to do!) But that is true, how do you know the USB stick hasn't been intercepted and compromised?
 
But Chrysler isn't making that trust, it's there already. If a typical Chrysler owner got a USB drive in a Chrysler box with directions, they would follow them. Doesn't matter if Chrysler sent it or not, or if this article was ever published.

I think you're missing the point.

Chrysler is setting a dangerous precedent by saying this is a legitimate way to distribute car updates.

Now that criminals know Chrysler actually does this, it's not much of a leap for them to start sending out USB drives that ransom the car unless you go to 7-11 and get a money-pack.

I'm sure a good hacker could backwards engineer the Chrysler provided USB stick, and that opens up a whole new set of issues.
 
Anyone with a newer model Jeep was aware there was a Uconnect patch available and could download and patch themselves, or just take your Jeep to the dealer and they would do it for you if you're too stupid. The same people complaining about the USB are the ones running over themselves because they can't figure out the shifter.
 
I'd rather do it myself if it's as simple as a USB stick for a software update.

If it's hardware related, sure I'll take it in. Let them fix it. But, to take it in so they can insert a USB stick? Come on. This is the 21st century. We are smart enough to do that ourselves. If you aren't, or you aren't comfortable with it - by all means, take it in and have them do it. Nothing is stopping people from doing that.

I see it as nitpicking myself. Sloppy? Nah. Just a new way of doing things. As newer cars have a ton of software that could have issues, it'll be more commonplace for software updates. USB drives are a perfect way of doing that. Quick, easy, no reason to drive into a dealership.
 
Personally I don't even know why we are arguing about this. A software patch is just a band-aid. There is no guarantee that other bugs won't show up.

IMO the only acceptable solution is to install 2 air-gapped buses. One that is GSM/satellite/whatever connected and controls the media stuff, and another that controls the vital operating systems on the car: transmission/acceleration/brakes.

From my perspective just the fact that someone can remotely access vital functions of your car from anywhere is simply unacceptable.
 
I think you're missing the point.

Chrysler is setting a dangerous precedent by saying this is a legitimate way to distribute car updates.

Now that criminals know Chrysler actually does this, it's not much of a leap for them to start sending out USB drives that ransom the car unless you go to 7-11 and get a money-pack.

I'm sure a good hacker could backwards engineer the Chrysler provided USB stick, and that opens up a whole new set of issues.

You think the update sitting on PC at a repair shop is somehow the pinnacle of security or something?
 
That's if you survive the "dreaded" upsell and other unneeded services sales pitch

My feelings exactly.

Dealers are Satan incarnate.

I wish all car companies would just do the direct model, like Tesla.

Rather than just overturn the laws protecting the dealers, we should change them around, banning dealerships all together and moving everything to the direct model.
 
Do automotive enthusiasts like that type of computer integration and drive by wire cars these days?

My enthusiast friend prefers good old fashioned mechanical connections on manual transmission, brakes, clutch, gas, and steering wheel. He also prefers a third party stereo that's not connected to the car's computer.
 
Not sure if this has already been mentioned. Couldn't an alternative be that the consumer goes to the dealer and they make the USB sticks there? If Chrysler is giving them away, why not do it in house?
 
And here I thought it was a good idea

Ditto.

IMHO, anything that makes me not have to go in to a dealership, is better than anything that does.

There ARE some security concerns, and they could have executed it better though.

I mean, as soon as a dealer gets involved I need to:
  • Make an appointment
  • usually go during business hours
  • take off time from work
  • spend time waiting
  • Deal with terrible dealership people wanting to sell me stuff
  • etc. etc.

Anything that can save me from having to set foot in a dealer is a beautiful thing!
 