Earlier this week, I wrote about a hack that two security researchers demonstrated for a Wired reporter. The researchers were able to disable the brakes and the accelerator, along with turning on the radio, wipers and windshield washer, remotely, from miles away.
Chrysler’s response was to put an obscure notice on their web site that there was a security upgrade for some vehicle owners.
Today, Chrysler issued a voluntary recall on 1.4 million vehicles. The owners will be sent a flash drive with the patch on it. For Chrysler, this is a whole lot cheaper than having 1.4 million cars in dealership service bays.
Exactly how owners will know that the flash drive they get in the mail really came from Chrysler and was not tampered with is unclear.
Such is the new world that we are getting into. Our parents did not have to worry about hackers disabling their brakes on their cars or manufacturers releasing unsecured patches for those hacks.
The interesting part of the news release is that Chrysler has worked with Sprint, the vendor who Chrysler uses for their UConnect system, to block the traffic that allows the hack to work over the Internet. The researchers tested that and found that it did effectively block the attack. This is a much better solution because it is effective immediately and is not dependent on almost 1.5 million people not throwing a flash drive that they got in the mail into the junk pile.
As Chrysler tried to spin the story, they said that, to their knowledge, the attack was never used outside the Wired demonstration. While it is likely true that they are unaware, I am not sure how they would know if the attack had been tried – successfully or not.
Chrysler also said that no defect was found. I am not sure what you would call something that allows an unauthorized user to disable your brakes from miles away. Maybe that is a feature?
In any case, I am quite certain that because of the attention the Wired article and TV coverage of that article got, Chrysler actually paid attention to this problem.
What we don’t know is how many more of these non-defects exist in other connected vehicles.
The earlier post can be found here.
Information for this article came from Wired.