Jeep Hacking Aftermath: Patches & New Legislation
Image from StarTribune.com
Well-known security researchers Charlie Miller and Chris Valasek made waves last week with their zero-day exploit that can remotely access and control Jeep Cherokees over the Internet. [Sidenote: Chris Valasek presented some of his previous research at a Duo Tech Talk back in January of last year at the old Duo office.]
They were able to send commands over the vehicle’s entertainment system to other, somewhat more critical, parts of the car, including dashboard functions, steering, brakes, transmission and more. Terrifying? Obviously.
Patching for Security...In Less-Than-Secure Ways
Fiat Chrysler responded to security concerns by issuing a voluntary safety recall to update software in 1.4 million vehicles (including several Jeep, Dodge and Chrysler models) susceptible to remote manipulation. The company released a patch that would prevent remote control, according to NPR.org.
But NetworkWorld.com reports on the rather problematic way they went about issuing that patch - by mailing USB thumb drives to owners of the affected cars. Um…? Seriously. They want you to plug a USB drive directly into your car’s USB port in order to patch this software vulnerability.
Naturally, this makes it pretty easy for a malicious hacker to exploit the method by mailing people USB drives loaded with malware that could, alternatively, give the attacker control over their cars. And apparently, the fix is also available on the company’s website, so it was never really necessary to mail out USB drives in the first place.
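The underlying problem with mailed USB drives is not the postal service but the fact that the car has no way to tell a genuine update from a look-alike. The added example below (my own illustration, not Fiat Chrysler’s actual update mechanism, whose format is not public on this page) shows the check a vehicle should perform on any update regardless of how it arrived: the manufacturer signs a small manifest with an offline key, the vehicle holds only the pinned public key, and it refuses the image unless the signature verifies, the manifest names this vehicle model, and the image hashes to the digest in the manifest. The `model=…;sha256=…` manifest layout and the `EXAMPLE-MODEL` identifier are assumptions made for the example; the key pair is generated at runtime so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so a caller can tell the failure modes apart.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned key")
	ErrMalformed      = errors.New("manifest is malformed")
	ErrWrongModel     = errors.New("manifest targets a different vehicle model")
	ErrDigestMismatch = errors.New("firmware digest does not match the manifest")
)

// UpdatePackage is a hypothetical layout for what arrives on the drive: the
// image, a manifest naming the target model and the image's SHA-256, and an
// Ed25519 signature over the manifest.
type UpdatePackage struct {
	Firmware  []byte
	Manifest  []byte
	Signature []byte
}

// NewSigningKey generates a fresh Ed25519 key pair. In practice only the public
// half is baked into the vehicle; it is generated here so the example runs offline.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest binds the image to a model identifier via its digest (assumed format).
func BuildManifest(model string, firmware []byte) []byte {
	sum := sha256.Sum256(firmware)
	return []byte("model=" + model + ";sha256=" + hex.EncodeToString(sum[:]))
}

// SignPackage is the manufacturer-side step: build the manifest and sign it.
func SignPackage(priv ed25519.PrivateKey, model string, firmware []byte) UpdatePackage {
	manifest := BuildManifest(model, firmware)
	return UpdatePackage{Firmware: firmware, Manifest: manifest, Signature: ed25519.Sign(priv, manifest)}
}

// parseManifest reads the "key=value;key=value" manifest into its two fields.
func parseManifest(manifest []byte) (model, digest string, err error) {
	for _, field := range strings.Split(string(manifest), ";") {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			return "", "", ErrMalformed
		}
		switch k {
		case "model":
			model = v
		case "sha256":
			digest = v
		}
	}
	if model == "" || digest == "" {
		return "", "", ErrMalformed
	}
	return model, digest, nil
}

// VerifyPackage is the vehicle-side step. The signature is checked first so that
// nothing from an unauthenticated package is parsed or acted on.
func VerifyPackage(pinned ed25519.PublicKey, expectedModel string, pkg UpdatePackage) error {
	if !ed25519.Verify(pinned, pkg.Manifest, pkg.Signature) {
		return ErrBadSignature
	}
	model, digest, err := parseManifest(pkg.Manifest)
	if err != nil {
		return err
	}
	if model != expectedModel {
		return ErrWrongModel
	}
	sum := sha256.Sum256(pkg.Firmware)
	if hex.EncodeToString(sum[:]) != digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image, not a real one")
	genuine := SignPackage(priv, "EXAMPLE-MODEL", firmware)
	fmt.Println("genuine package:", VerifyPackage(pub, "EXAMPLE-MODEL", genuine))

	tampered := genuine // same signed manifest, altered image
	tampered.Firmware = []byte("constructed image with the payload altered")
	fmt.Println("altered image:", VerifyPackage(pub, "EXAMPLE-MODEL", tampered))

	_, otherPriv, _ := NewSigningKey() // a key the vehicle has never heard of
	forged := SignPackage(otherPriv, "EXAMPLE-MODEL", firmware)
	fmt.Println("signed with an unknown key:", VerifyPackage(pub, "EXAMPLE-MODEL", forged))
}
```

With this check in place the delivery channel stops mattering: a drive from the manufacturer, a download from the website, and a drive from a stranger are all treated the same way, and only the one carrying a manifest signed by the pinned key for this model is installed.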
This isn’t the first, and likely won’t be the last, time that a large company issues a fix in a much less-than-secure way. After the major hack against the U.S. Office of Personnel Management (OPM), which exposed the personal information of more than 22 million people, the agency sent email notices to affected federal employees.
The problem was, the email asked recipients to click on links to a private contractor’s website to sign up for credit monitoring, creating a prime opportunity for phishing email schemes.
New Automobile Security Bill Introduced
On the legislation side, a new bill dictating standards for automobile information security (“cybersecurity”) and consumer privacy was recently introduced by Senators Ed Markey and Richard Blumenthal. The legislation would require cars sold in the U.S. to meet certain requirements to protect against digital attacks.
Some of the broader points include:
- Protect all entry points to the electronic systems of each vehicle with reasonable measures to protect against hacking
- Incorporate isolation measures to separate critical software systems from noncritical software systems
- Evaluate systems for security vulnerabilities with techniques such as pen testing
Furthermore, the bill seeks to ensure that driving data collected by electronic systems built into vehicles are also secured against unauthorized access.
The legislation also calls for the addition of a “cyber dashboard” that would be affixed to each vehicle. The dashboard would easily inform consumers about the security and privacy of their vehicle (somewhat vague terms here about what’s included but I get what they’re trying to achieve).
Either way, car hacking has called attention to the main issue, which is the need to protect remote access to all Internet-connected things.