Why Chrysler's car hack 'fix' is staggeringly stupid

If you receive a USB stick through the mail, you really should not plug it in.
Written by Zack Whittaker, Contributor

More than a million Chrysler vehicles, including Jeeps, Ram pickups, and Dodge vehicles, are exposed to a major vulnerability that could drive them -- literally -- off the road.

Last week, the company recalled 1.4 million vehicles at risk of a remote hijack vulnerability, which, as detailed by Wired, can result in a hacker remotely operating the brakes, interfering with the driver's visibility by switching on the windshield wipers, and even shutting off the engine.

The company's response, however, has been staggeringly naive and ill thought-out, potentially putting its customers at risk for a second time.

Chrysler, unable to patch the core software flaw automatically over the air, gave its customers three options to update their vehicles. The owner can download the security update onto a flash drive and install it manually, or drive to a local dealership to have the update installed there -- which, granted, puts the inconvenience on the vehicle owner.

There is a third option: Chrysler is mailing out USB sticks to customers directly.

"That is the dumbest move I have heard of in a long time," said Khalil Sehnaoui, founder of Krypton Security, in an email. "It's like if after surgery the doctor forgets a pair of scissors in your stomach, and when you find out, he just sends you a scalpel to fix it yourself."

"It's like Chrysler is telling its customers, 'you know where you can stick it'," said Sehnaoui.

This isn't the first time Chrysler has recalled a vehicle, nor is it the first time it's been for a software issue. However, this is the first time (which a Chrysler spokesperson confirmed) it's dished out USB sticks to more than a million vehicle owners as part of a recall. And that's a problem both logistically and from a security standpoint. Not only does it assume the vehicle owner knows how to download, build, and install the patch -- of which there are more than a dozen separate steps to follow in the tutorial -- but it also assumes nothing will go wrong in the process.

The bigger question remains: How do vehicle owners know that what they're plugging into their cars is what they think it is?

"Plugging in a USB device to one's computer without some strong sense of its origin is a bad idea," said Tod Beardsley, research manager at Rapid7. "Training users to simply trust that a device they get in the mail ... sets a dangerous pattern of behavior, opening the door for criminals to take advantage of that trust."

"While using a USB drive presents a convenient, straightforward method of sharing information, or in this case, deploying a patch, I have to stress that this is an unsafe practice -- especially for something as serious as vehicle repair," he added.

And Beardsley isn't alone in thinking that.

Chris Kennedy, chief technology officer at anti-fraud security firm Trustev, called the move "incredibly irresponsible" and "insecure."

One of Kennedy's primary concerns is that the risk of the USB sticks being intercepted in transit is "far too high." Although the National Security Agency has a history of intercepting packages in transit in order to implant bugs in networking routers, the likelihood of government intrusions into your car shouldn't be your biggest worry. It's the ordinary hacker who might want to take advantage of the situation.

Based on a couple of tweets, it's not outside the realm of possibility.

"Now would be a good time to mail exploits on USB sticks to random Chrysler owners," said one tweet. Another read: "Thinking of prepping fake auto update USB's and printing loads of fake Chrysler labels."

"It's almost as if someone at [Chrysler's parent company] doesn't understand the most common and viable attack paths for hackers," another person commented.

Clearly something needs to be done. Dave Kennedy, chief executive of TrustedSec, agreed that the industry needs to figure out a way to handle similar situations in the future.

"Right now none of them have a good solution to do mass updates other than Tesla, for example. I think they will from here on out, but this is an industry which hasn't typically needed security in the cars until it became interconnected," said Kennedy.

In the meantime, Beardsley's advice is to go to a licensed dealer for the recall work, "if only because it will guarantee at least a paper trail showing the work was done by someone who ought to be trustworthy."

Chrysler spokesperson Alyse Tadajewski said the company took this step to "optimize ease and convenience for our customers."

That statement speaks for itself.
