Tag Archives: Chrysler

Chrysler Lawsuit Goes to Trial

Many of you probably remember the very dramatic 60 Minutes segment from a few years ago where they put a reporter inside a Jeep and then disabled the brakes and watched the car go slowly into a ditch.  All while the reporter videoed it (see this CBS web page).

Not surprisingly, Chrysler quickly fixed the bug after the PR disaster that the 60 Minutes video was.

According to a class action lawsuit, Chrysler knew about the bug but decided not to fix it until the 60 Minutes segment.

The researchers took over the car via its radio (OK, it is a little more complicated than that;  through the “infotainment” system).  It is all interconnected and there is very little security in it.

Over the last three years this case has been working its way – slowly – through the courts.  The plaintiffs said Chrysler knew about the bug for years but didn’t fix it; Chrysler said that since you didn’t roll into a ditch you weren’t directly impacted, so you can’t sue.

A year later the researchers figured out how to break through the patch, although that required physical access to the car.

And in 2018 Chrysler had to recall almost 5 million cars due to a bug that could lock the car in cruise control mode.  The fix to that is to put the car in Neutral, slow the car with the brakes, then put it in Park.  That will unlock the cruise control.

You should stop thinking of that big metal box you drive as a car with a computer in it and rather think of it as a hundred or more computers, more or less connected, that happens to have wheels and an engine.

At this point the U.S. Supreme Court said that the car owners do have standing.  This is a huge win for attorneys who want to sue over cyber-security issues.

Chrysler says that they are looking forward to the trial (sure they are.  If they were so confident, why have they been fighting to avoid going to trial for the last three years?).  They say that none of the class participants’ cars were hacked and the bugs have now, finally, been fixed.  The plaintiffs say that the resale value of their cars has been damaged.

The trial is currently scheduled to start in October and the testimony, assuming they don’t settle out of court, could be very embarrassing as to who knew what when.

For businesses, this is yet another step in holding companies liable for software bugs.  Potentially, in this case, bugs that they knew about but did not fix.

Does your insurance cover this?  Is it product liability insurance or cyber insurance?  It is probably not general liability insurance.  Maybe none of them.

This trial and the endless appeals are far from over, but the news so far is certainly not good for companies that don’t give cyber-risk the attention it is due.

Plaintiffs’ attorneys no doubt are excited that they will get to the trial stage, but there is a long way between going to trial and winning on appeal, so don’t get too happy yet.

This will definitely be a case to watch, and for businesses, it is time to ramp up the attention on cyber-security.

Details from this post came from The Register.


Chrysler Recalls 1.4 Million Cars After Researcher Hacks Jeep

Earlier this week, I wrote about a hack that two security researchers demonstrated for a Wired reporter.  The researchers were able to disable the brakes and the accelerator, along with turning on the radio, wipers and windshield washer, remotely, from miles away.

Chrysler’s response was to put an obscure notice on their web site that there was a security upgrade for some vehicle owners.

Today, Chrysler issued a voluntary recall on 1.4 million vehicles.  The owners will be sent a flash drive with the patch on it.  For Chrysler, this is a whole lot cheaper than having 1.4 million cars in dealership service bays.

Exactly how owners will know that the flash drive they get in the mail really came from Chrysler and was not tampered with is unclear.
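The question above is exactly the one a signed update package answers: the head unit should refuse any update whose manifest does not carry a valid vendor signature, and any file that does not match the manifest. This is an added illustration, not Chrysler's or the post's own code; a real vendor would use a public-key signature with the public key baked into the head unit, whereas this stand-alone demo uses an HMAC with a constructed device secret so it runs with the standard library only. All file names, key material and payload bytes are constructed.

```python
"""Verifying a USB-delivered update: authentic manifest + matching files.
Added example; the vendor key and sample payloads are constructed stand-ins."""
import hashlib
import hmac
import json

# Constructed stand-in for a secret provisioned into the head unit at the factory.
VENDOR_KEY = b"constructed-demo-key-not-a-real-vendor-secret"

def build_manifest(files: dict[str, bytes]) -> bytes:
    """Manifest = {path: sha256} serialised canonically so the signature is stable."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor-side: authenticate the manifest (HMAC here; a signature in production)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()

def verify_update(files: dict[str, bytes], manifest: bytes, signature: str,
                  key: bytes = VENDOR_KEY) -> bool:
    """Device-side: accept only if the manifest is authentic AND every file matches it."""
    # 1. Check the signature first, in constant time, before trusting any listed hash.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False
    expected = json.loads(manifest)
    # 2. Exactly the listed files must be present: no missing and no unlisted extras.
    if set(expected) != set(files):
        return False
    # 3. Each file's hash must match the signed manifest entry.
    return all(hmac.compare_digest(hashlib.sha256(files[p]).hexdigest(), h)
               for p, h in expected.items())

# Constructed sample "update" as the vendor would ship it on the flash drive.
GENUINE = {"fw/headunit.bin": b"\x7fELF constructed firmware image bytes",
           "VERSION": b"constructed-1.0\n"}
MANIFEST = build_manifest(GENUINE)
SIGNATURE = sign_manifest(MANIFEST)

def demo() -> dict[str, bool]:
    """Genuine drive passes; three kinds of tampering in the mail are rejected."""
    tampered = dict(GENUINE, **{"fw/headunit.bin": GENUINE["fw/headunit.bin"] + b"\x90"})
    extra = dict(GENUINE, **{"fw/extra.bin": b"unlisted file"})
    return {
        "genuine": verify_update(GENUINE, MANIFEST, SIGNATURE),
        "tampered_firmware": verify_update(tampered, MANIFEST, SIGNATURE),
        # Attacker rebuilds the manifest for the altered image but cannot re-sign it.
        "forged_manifest": verify_update(tampered, build_manifest(tampered), SIGNATURE),
        "extra_file": verify_update(extra, MANIFEST, SIGNATURE),
    }
```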

Such is the new world that we are getting into.  Our parents did not have to worry about hackers disabling their brakes on their cars or manufacturers releasing unsecured patches for those hacks.

The interesting part of the news release is that Chrysler has worked with Sprint, the vendor that Chrysler uses for their UConnect system, to block the traffic that allows the hack to work over the Internet.  The researchers tested that and found that it did effectively block the attack.  This is a much better solution because it is effective immediately and is not dependent on almost 1.5 million people not throwing a flash drive that they got in the mail into the junk pile.

As Chrysler tried to spin the story, they said that, to their knowledge, the attack was never used outside the Wired demonstration.  While it is likely true that they are unaware, I am not sure how they would know if the attack had been tried – successfully or not.

Chrysler also said that no defect was found.  I am not sure what you would call something that allows an unauthorized user to disable your brakes from miles away.  Maybe that is a feature?

In any case, I am quite certain that because of the attention the Wired article and TV coverage of that article got, Chrysler actually paid attention to this problem.

What we don’t know is how many more of these non-defects exist in other connected vehicles.

The earlier post can be found here.

Information for this article came from Wired.

Jeep Hacked By Remote Control

The media has been reporting the demonstration done by two security researchers and a Wired magazine reporter where they completely controlled a Jeep, including the brakes and accelerator.  To quote Wired:

I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

There have been a number of reports of hacking of cars through their online cellular connection, called telematics in the trade.

In this case, Chrysler’s UConnect is the culprit and it is pretty amazing what the hackers can do.

If they can find the IP address of the car, through the UConnect cellular connection, they can completely control the car remotely from anywhere in the world.

In this case, they were able to disable both the brakes and the accelerator, among a number of other things.

Due to a vulnerability, the hackers are able to rewrite the firmware in the car’s entertainment system.  From there, they are able to send commands on the CANBus and take over the car.

Part of the problem, as I have written before, is that the CANBus architecture has been described as the best car network we could design in 1980.  It has not changed much since.

Quietly, Chrysler has issued a patch – since the researchers are good guys and have been sharing their data with Chrysler for 9 months.  What if they were bad guys?  It is an interesting way for a nation state actor to kill people that they want to get rid of.  Likely, no accident investigator is going to examine the firmware in the car’s entertainment system for symptoms of an attack.

This is all due to the fact that cars are no longer hardware.  True, there still is some metal and plastic in the frame and body, but more and more, cars are a rolling computer.  Or, more accurately, tens of computers.  High end cars might have 50 computers or more.  Those computers contain millions of lines of software.

And, just like your iPhone or Android phone, which you patch regularly, often behind the scenes, cars need to be patched too.  Unfortunately, for the most part, that does not happen unless researchers like these guys plan to make a big splash at the security convention Black Hat in Las Vegas next month.

Senator Markey, who has been a big critic of auto safety (see post), has introduced the SPY Car Act (Safety and Privacy in Your CAR).  The bill, which was just introduced this week, aims to both set standards and rate cars numerically on their cyber security.  While no one knows how this legislative sausage will wind up, you can count on the fact that no car manufacturer wants their rating to be at the bottom of the heap.  Unfortunately, if it is anything like the government’s miles per gallon numbers, it may wind up being mostly a myth.  No matter what, it will likely take years.

Oh, I forgot: if you have a 2013-2015 Chrysler vehicle with UConnect, you should patch it.  You can do that via a USB stick with a patch downloaded from the Chrysler web site (details in the Wired article below) or take it to your dealer.

Unlike the BMW patch from a few months ago (see post) where they could patch it over the air (which adds even more security concerns), the Chrysler patch requires physical contact.

Earlier this month Range Rover issued a patch for a bug that allowed a hacker to unlock the car.

So now, just like with your phone and your laptop, you may need to plan on patching your car every month.  In car makers’ defense, their software has generally been pretty reliable.  In part this is due to the fact that, unlike your iPhone, there are no standards when it comes to your car’s computers.  Not only won’t a hack designed for your 2013 Chrysler work on a 2013 Ford, it likely won’t work on your 2012 Chrysler.

Chrysler, while happy that the researchers told them about the problem, is unhappy that they told the world.  They would have been much happier if they could have quietly released a software update with no one the wiser.

Consumers, on the other hand, need to understand how much software exists in their car and the fact that likely it is no less buggy than any other software in the world.

As car manufacturers continue to add computers and software to new vehicles, this is likely to continue to be a problem.

And for those people who said, after the Toyota accelerator pedal crashes a few years ago, “why didn’t they just turn off the car?”, in many cars turning off the key is just software and does not really turn off anything.  Unlike your old desktop computer, where unplugging it would really turn it off, you cannot do that in many cars any more.  A brave new world.


Information for this post came from Wired Magazine.