
Hacked Jeep USB update criticised - daledavies
http://www.bbc.co.uk/news/technology-34156598
======
Ninn
>"Hackers will be able to pull the data off the USB stick and reverse-engineer
it. They'll get an insight into how these cars receive their software updates
and may even find new vulnerabilities they can exploit," he told the BBC.

So? Never thought I would hear a "Security Expert" argue for, and not against
security through obscurity. Perhaps this is not the best source for critique.

~~~
pixelcort
If the USB stick accidentally contains private keys for signing, that might be
of concern.

The more important concern is the phishing issue.

~~~
Ninn
Sure, but there is no evidence of that, so why even bring it up as an
example/excuse as to why anyone would argue this way? It is totally unfair to
assume that the content has not already been signed prior to distribution
without evidence.

~~~
jamesbrownuhh
Unfortunately modern "news" is not based on evidence, merely the event of a
claim.

------
jnbiche
Can't believe that they didn't think to include a way to verify the USB's
integrity with strong crypto, and clear instructions on how to do this. Yes,
non-tech savvy customers would be vulnerable to phishing (since such a letter
would simply omit this step), but at least it would be _possible_ for
tech-savvy individuals to do so.

If they had done this right, they would have sent the USB with a validation
step _and_ widely advertised this step, so that all users would be aware of
the need to do it, maybe even branding a simple software package to verify the
contents as something like "UConnect SafeCheck".

Hopefully, they at least have a secure way to download it online (but given
actions up to now, I'm not optimistic).

Edit: Owners can download it via https (albeit with SHA-1), but I'd be
surprised if there's a way to validate the integrity of the downloaded file.
Also, they're advertising that link without the SSL (and indeed, it allows
non-SSL connections).

~~~
tokenizerrr
Better would be to have the car perform the validation. I'd be shocked if this
didn't actually happen.

~~~
brudgers
My understanding of the original hack is that the root of the hack is a flaw
in the existing platform validation. In particular that the random seed is set
from the clock [not a bad practice in itself] and the clock is activated the
first time the car is fired up [somewhat problematic, since an attacker can
be assumed to have the vehicle date via the VIN]. However, it's not even that
hard since the first time the vehicle is fired up, the clock is at its
default time and date, and this narrows down the seeds to the range of
potential latencies between the clock coming on line and the generation of the
entropy pool.

In other words, the USB key can't use stronger crypto than the vehicle and that
crypto is poorly implemented [again, based on my understanding of the original
hack].
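
The weakness described in the comment above, as an added example that is not part of the thread and is not the vehicle's actual code: when a key's only input is a clock value inside a known window, its strength is the size of that window, not the length of the key. `DEFAULT_CLOCK`, `MAX_LATENCY_MS` and `derive_key` are assumptions made up for illustration.

```python
import math
import random
import secrets

# Hypothetical values for illustration; none come from the thread or the vehicle.
DEFAULT_CLOCK = 1_356_998_400   # assumed factory-default epoch the clock boots to
MAX_LATENCY_MS = 10_000         # assumed delay between clock start and seeding


def seed_candidates() -> range:
    """Every millisecond timestamp the seed could have taken at first boot."""
    base = DEFAULT_CLOCK * 1000
    return range(base, base + MAX_LATENCY_MS + 1)


def derive_key(seed_ms: int) -> bytes:
    """Weak pattern: a 128-bit key whose only input is a clock-derived seed."""
    rng = random.Random(seed_ms)
    return rng.getrandbits(128).to_bytes(16, "big")


def strong_key() -> bytes:
    """Corrected pattern: key material taken from the OS CSPRNG."""
    return secrets.token_bytes(16)


def effective_bits(candidates: int) -> float:
    """Real strength of a key that has `candidates` possible seeds."""
    return math.log2(candidates)


def key_is_predictable(key: bytes) -> bool:
    """Audit check: is the key reproducible from a seed in the boot window?"""
    return any(derive_key(s) == key for s in seed_candidates())


if __name__ == "__main__":
    weak = derive_key(DEFAULT_CLOCK * 1000 + 4321)   # constructed sample key
    n = len(seed_candidates())
    print(f"nominal 128 bits, effective {effective_bits(n):.1f} bits")
    print("clock-seeded key predictable:", key_is_predictable(weak))
    print("CSPRNG key predictable:     ", key_is_predictable(strong_key()))
```

The same audit applies to any device that seeds before it has a trustworthy time source or entropy pool: count the seeds that could have occurred and treat that count as the key strength.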

~~~
NetDissent
Yep and Chrysler have managed to change the open 6667 IRC channel into a
closed one. Without access to that, the hack is now obsolete.

~~~
tokenizerrr
These cars use IRC?

------
Retr0spectrum
Does anyone know where I could download an image of the update? I just want to
poke around.

~~~
yeldarb
The disk image is available via their website but requires your VIN number. I
poked around a past update and it appeared to just be a *nix disk image.

Wasn't sure if it was signed or if there was much security or not so I wasn't
brave enough to change anything for fear of borking my car.

But I would have loved to figure out how to enable the nav system that's
already built into my car but disabled (Jeep charges $XXXX for the privilege)

~~~
BillinghamJ
It's incredibly easy to get the VIN of a car. For example, most (UK) DVLA APIs
include the VIN when you put a registration plate in.

~~~
sokoloff
Or you could walk through a parking lot and look at the corner of the
windshield...

------
altharaz
After the False Promises of Inheritance emails, it seems that we'll switch to
False Security Updates USB keys letters.

If hackers go into hardware, maybe we should also start working on scam
letter filters?

------
ck2
Research the last year your favorite car model was made with mechanical
steering and mechanical accelerator and only buy those. You only have to go a
decade back at most like I did.

You might want to stick with those years considering industries that have
little knowledge or care about security are endangering your very life at
highway speeds.

It's going to take them another half decade to care about these things and
they will probably just solve it by lobbying politicians to waive liability
instead.

~~~
jnbiche
Mechanical steering? You'd have to go back significantly more than a decade to
find cars without power steering for most cars.

~~~
ck2
My last car the power steering pump was out half the time and I could still
drive everywhere - it just gave my arms a bit of a workout at low speeds.

~~~
brudgers
Operating a vehicle with that level of maintenance would seem to pose a
substantially more proximate risk than the unrealized potential risk posed by
hackers.

