The Chrysler Remote Hack Fix - Flawed By Design

Hopefully, the story isn't new to anyone in the security community - some Wired researchers hacked a Jeep through the Sprint-enabled network connection through the infotainment system. The media went ape over the whole thing, as they are want to do, and Chrysler had to issue a recall to fix the problem. The problem is that there seem to be very few security people who have noticed that the fix... is a band-aid.

The issue with a software patch to fix the vulnerability is that the vulnerability should never have existed. As the group I Am The Cavalry has properly been proselytizing, the issue is that cars and other Internet of Things devices that can potentially lead to direct harm of humans need to be designed to be secure by default. With cars, this means that the infotainment system should never be able to CHANGE something that has to do with safety. Yes, it can read what gear the transmission is in, but it should never be able to tell the car what gear to move to. For that matter, it shouldn't be able to control the drive-by-wire steering or brakes, either.

These two systems have very different levels of control necessary because they have very different roles to play. The fix of a software patch ignores the underlying problem that the two systems are hard wired together. The hardware itself doesn't prevent them talking to each other, and THAT is where the fix needs to be. Anyone who has been in security for a long time will tell you that software can never fully protect you against a hardware-level security issue (just check your basic OSI model).

So, as we go down the road (metaphorically) and manufacturers bolt on security as an afterthought, we will see more and more of these kinds of security issues, and it's only a matter of time before someone gets killed because some script on the internet was running a port scan, hit the right IP address, and caused the car's brakes to lock up.

What Chrysler is doing is placating the public and sticking a finger in the dyke. They messed up the fundamental design, and they will likely have no long-term financial impact from it as the media moves onto something else. So, they will continue to make cars less and less secure by design until something tragic happens and they will claim that no one could have seen it coming. Well, I see it coming, and they need to do something about it now. Ignorance is no excuse.


Popular posts from this blog

Elysian Dayglow IPA

I Spit on Your Grave 2 (2013)

The Purge (2013) Security System