Over the past week we've seen security researchers completely take control over a Jeep Cherokee while sitting in the comfort of their own home via the cellular network. Some of the things they were able to commandeer on the moving vehicle were: the breaks, steering wheel, speedometer, music, windshield wipers, door locks, etc. Pretty much they had complete control of the car while the reporter, who was driving the car, flew down the highway at 70mph at their mercy. You can watch the video here.
Shortly afterwards Chrysler recalled over 1.4 million cars that were vulnerable to this exploit by sending the affected owners a software upgrade via USB drive in the mail. That's right, they pretty much sneaker-netted the software patch it via the post office. The owners of these recalled cars now need to upload the fix from the USB into a port on the dashboard.
Shortly afterwards Chrysler recalled over 1.4 million cars that were vulnerable to this exploit by sending the affected owners a software upgrade via USB drive in the mail. That's right, they pretty much sneaker-netted the software patch it via the post office. The owners of these recalled cars now need to upload the fix from the USB into a port on the dashboard.
There is so much wrong here and it's very concerning. Here are just a few issues:
- Every automotive vendor is pushing to have their features deployed to production as fast as possible and aren't worried about security. Once again we're seeing the same problem plaque developers and their code. If you're not going to learn how to create secure code in this day and age, do us all a favor and pick a different profession.
- If two reseachers were able to do this on a small budget, what could a nation state, criminal gang or terrorist accomplish? Imagine a gang that's able to control your cars and airplanes with nefarious intent. This is not good, we're not talking about your facebook account getting hijacked here. Peoples lives at risk with this exploit.
- I'm still not for them presenting these types of vulnerabilities at Black Hat. Yes, they need to be fixed, but when peoples lives are at stake, releasing the code, even just a little bit, is all those with malicious intent need for a jump start. Creating videos like this are fine, because you got the results you were looking for, but releasing it to the public is not the most responsible way to go about it.
Bad code can kill. We need to be careful.
Security is above all. The value of a car, along with how secure it and how safe it is to drive, can be affected by any previous damage; especially if the damage hasn't been repaired properly. Here https://www.faxvin.com/vin-decoder/porsche you can find out the full damage and repair history of a vehicle. This service provides third-party validation of the history of any vehicle. I’m glad that there are services like this, because you can’t just hope that the car dealer is gonna be honest and clear with you. Unfortunately, when it comes to big money you can only rely on yourself for the sake of not being fooled. I think this site is gonna be useful for you.
ReplyDelete