Fiat Chrysler says it has fixed vehicles’ software vulnerabilities

23 Jul 2015

A hacked Jeep should be a wake-up call to automakers.

PITTSBURGH (AP) – Chris Valasek celebrated his new-found fame as part of a two-man team that successfully hacked into a high-end Jeep Cherokee by downing a Primanti’s sandwich and a 22-ounce Iron City Light. The fix is a response to a recent article in Wired magazine about two well-known hackers, Charlie Miller and Chris Valasek, who remotely took control of a Jeep Cherokee through its UConnect entertainment system. Security fears could put a dampener on future self-driving cars after hackers showed they could wirelessly take control of hundreds of thousands of US-built cars built by FCA, owners of the Fiat, Jeep and Chrysler car brands. Two men used a laptop and a mobile phone to seize control of the Cherokee model as it drove at 70mph along the motorway – and turned off its engine, slammed on the brakes and ramped its windscreen wipers to maximum speed. FCA hastily released a software update after two professional hackers showed Wired magazine they could use a laptop from their own homes to take over a 2014 Jeep Cherokee as a reporter drove the car.

The Jeep incident was the latest warning to the auto industry, which is rapidly adding Internet-connected features like WiFi and navigation that are convenient for drivers but make the car more vulnerable to outside attacks. This was swiftly followed by his music system springing into noisy life and his windscreen wipers suddenly whipping back and forth at their fastest speed. Greenberg wrote: “Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. “Next the radio switched to the local hip-hop station and began blaring Skee-lo at full volume.

Then came the worst bit by far – without him doing a thing, the Jeep’s engine died, leaving the car crawling along at a snail’s pace on a busy freeway. They notified FCA of the vulnerability in the Uconnect infotainment system in the US-built cars, and drew the car firm’s ire by planning to release part of the code at a security conference next month in Las Vegas.

Then the windshield wipers turned on, and wiper fluid blurred the glass. “As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display … wearing their trademark track suits. The problem with the Jeep was that its manufacturer, Chrysler, didn’t follow a basic rule of security, which is to keep the parts that communicate with the outside world completely separate from the parts that control the crucial systems, such as steering and brakes.

Yet both Audi and Mercedes-Benz say they remain unconcerned, insisting their security development is at a different level to the potentially impacted Chryslers, Dodges, Rams and Jeeps. “Safety-critical systems get a lot of work from us,” Audi’s head of electronics said, while Mercedes-Benz insisted there was no way their cars could be hacked from the outside. A nice touch, I thought.” Security experts Miller and Valasek say they accessed the Jeep’s on-board controls via its wireless internet connection, called Uconnect, used by 470,000 cars made by Fiat Chrysler, SUVs and trucks, including some in Britain.

He worked at a job in Atlanta for a few years before his employer allowed him to start working from home. “They said I could move anywhere in the world, and I came back here,” Valasek, 33, told the Tribune-Review Wednesday. “I love it. The two German premium carmakers have insisted it’s not possible today to use the internet connectivity of their cars to hack into their control systems. They say that Uconnect – which controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot – needs to make an urgent security upgrade. Greenberg, with his permission, by two “white hat” hackers – computer security specialists who break into protected systems and networks to test and assess their security. He had agreed to be hacked by two of his tech buddies who, though miles away, had taken control of his vehicle’s on-board computer in order to highlight the security vulnerabilities of modern cars that are hooked up to the internet.

Audi, pointedly, regularly uses professional hackers to test their electronics security work, Hudi admitted. “We pay companies to take our cars away to hack them, before they get to production. Chrysler has issued a patch to deal with the security breach – but it must be implemented via a USB stick or by a dealership mechanic, meaning many vehicles are unlikely to remain vulnerable.

In response to the published findings, Fiat Chrysler Automobiles on Wednesday released a free software update for vehicles with its UConnect systems: 2013-14 Chrysler, Dodge, Jeep and Ram vehicles, and some models of the 2015 Chrysler 200. And with a growing number of internal car functions being controlled by chips and software, the list of things that could conceivably be commandeered by hackers is steadily expanding. We give them our cars and say ‘Take as long as you want but please try to attack it, in whatever way you can’. “Basically we tell them they can use all ways available including straight vandalism to get access to control the car’s electronic systems.

Although the company did not directly acknowledge the hacking, it said in a statement that “vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems.” Valasek said he and Miller have been working with Chrysler officials since October on a patch for the software flaw. Unsurprisingly, Fiat Chrysler, this particular vehicle’s manufacturer, has now issued a “patch” that befuddled car owners must download or beg their local dealer to do for them. For what I can see, that’s the best way to improve security. “Connectivity is a way of life, but the systems are not the same as the car’s systems. Nevertheless, the incident should set off alarms throughout the industry, which still relies on protocols developed long before cars could connect electronically to other, potentially hostile devices.

There is networking as one point and the other is how you do your modularity and scalability and safety functions across the system.” While the Jeep hacking scandal has caused widespread public concern, it hasn’t slowed Mercedes-Benz’s push for autonomous and semi-autonomous driving, according to the company’s head of transmissions. “Even when you have a remote start, there is a link there from the phone. Security experts say there has been no concerted effort by automakers or parts suppliers to redesign internal communications channels to guard against attackers.

Mercedes Me can open the doors of the car, but this is only for unlocking the doors, not starting the engine or driving away or disabling safety features. Edward Markey of Massachusetts and Richard Blumenthal of Connecticut introduced legislation tasking the National Highway Safety Administration and Federal Trade Commission with developing standards that prevent hacking of vehicle control systems.

For the Wired article, Valasek and Miller took the journalist through a bit of a freak-out moment by first controlling the radio, wipers and washer fluid on the Cherokee as he was driving on a St. That hasn’t stopped two US Senators from introducing a bill to mandate minimum levels of security for cars that have any kind of internet connection. Personally, I think it’s too easy when something like this happens to moan and mourn the days when you, and you alone, had control of your car, or who saw your saucy honeymoon snaps. The bill, which would ultimately affect all US-built cars exported to other markets, including those from Mercedes-Benz and BMW’s US plants, wants real-time monitoring of hacking threats and attempts on cars.

One of the drafting senators polled 16 carmakers on security policies earlier this year and found inconsistencies and vagueness on data collection from telematics, internet connectivity and security threats. Senator Edward Markey also wants to give drivers the ability to disable data collection for vehicle tracking and marketing reasons, and to ban carmakers from cancelling navigation systems for drivers who opt out. Valasek wore a Pitt T-shirt.) By merely typing the right series of computer commands, the researchers said they could hack into these vehicles, almost anywhere they might be driving.

Although mandating a specific security approach would be a bad idea — lawmakers and regulators can’t keep pace with ever-changing technology — having the agency shepherd the industry’s efforts to identify and respond to vulnerabilities would be welcome. And putting a security grade next to the mileage estimate on a new car’s sticker would bring needed pressure on the industry to make vehicles more resistant to hackers before they hit the showroom floor. Automation, to varying degrees, has offered salvation to billions – from those of us profoundly grateful for the domestic dishwasher all the way through to the patients of doctors performing “telesurgery” – remotely operating on patients miles away.

The deal of this modern age must be that if we consumers put our faith into the hands of companies using cutting-edge technology, these businesses need to meet us halfway with assurances of total security. For instance, while I love how Google continues to push the boundaries with driverless cars and its forays into artificial intelligence, I don’t much like it when it randomly collects people’s information without their prior consent. Nor do I feel assured about putting my family photos into Apple’s iCloud soon after intimate images of Hollywood A-listers have been hacked (and no, before you ask, they aren’t those kind of snaps) – even though I’m an iPhone and Mac fan.

They will hack our cars, our emails and in years to come, no doubt, our thermostats, fridges, pacemakers, even airliners – anything and everything that will be connected to the so-called “internet of things”.
