A recent Wired article publicized two security researchers (hackers) taking control of a moving Chrysler Jeep by exploiting a vulnerability in the vehicle's Uconnect infotainment system. Fiat Chrysler responded by issuing a patch and announcing a formal recall of 1.4 million cars, SUVs and trucks. The way in which the patch is being distributed, however, may have put Chrysler vehicle owners at further risk, according to a renowned security researcher.
USB drives as a wise plug?
As it stands, Fiat Chrysler is mailing a USB thumb drive to owners of the vulnerable vehicles. The drive contains the patch, which the owner installs manually by plugging the drive into the Uconnect system; once the update completes, the vulnerability is closed.
The automaker has chosen to mail out the patch rather than run a traditional recall (i.e. one that requires owners to bring their vehicles to a dealership or service center so that a technician can apply the fix). While this is convenient, it creates an opening for malicious actors who want to exploit the flaw in the car, according to Carl Leonard, principal security analyst at Raytheon Websense, a cybersecurity firm.
“The decision of Fiat Chrysler to mail out USB sticks to customers directly to patch the recent vulnerability is the security equivalent of waving a red rag to a bull,” says Leonard. “Hackers, highly adept at taking advantage of indecision and social engineering tactics in times of crisis, could potentially utilize this USB fix opportunity for nefarious gain.”
Leonard believes that hackers skilled in social engineering could end up taking advantage of this distribution method, since a letter with a USB drive in it is exactly what owners have now been told to expect.
“[Hackers] could, for instance, parody the update with a bogus letter and USB stick of their own, allowing them to launch a multitude of real-life threat scenarios, including crashing or stealing the car,” Leonard noted. “This doesn’t even take into account the uncertainty that the USB patch has been applied properly without any negative consequences for the safe operation of the vehicle.”
Fiat Chrysler has also posted the update for download on its website and offers to install it at the company's dealerships.
The decision to dispense USB drives to customers by mail could yet backfire if opportunistic attackers have their say in the matter.
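What decides whether the bogus-stick scenario Leonard describes actually works is not the postal channel but the head unit: if it only installs update bundles that carry a valid signature from the vendor's key, a stick an attacker built with their own key, or a genuine stick whose payload was altered, is refused no matter how convincing the accompanying letter is. The article does not say how (or whether) Uconnect authenticates the update it receives, so the following is an added illustration of that check, not Fiat Chrysler's code: it assumes a hypothetical bundle format (a "UCUP" magic, a length field, the payload and an Ed25519 signature over all of it), a vendor public key baked into the unit, and a constructed sample payload. Both sides are shown: the vendor signing the bundle, and the head unit verifying it against the four cases that matter (genuine, forged with another key, tampered after signing, truncated).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical bundle layout (an assumption for this example, not Uconnect's):
//   "UCUP" | u32 big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers the magic, the length and the payload, so an attacker
// can neither swap the payload nor re-describe its length without detection.
const magic = "UCUP"
const sigLen = ed25519.SignatureSize

var errBadBundle = errors.New("bundle: malformed or truncated")
var errBadSig = errors.New("bundle: signature does not verify against the vendor key")

// BuildBundle is the vendor-side step: frame the firmware image and sign it
// with the vendor's private key, which never leaves the vendor.
func BuildBundle(vendorPriv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(vendorPriv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyBundle is the head-unit-side step: parse defensively, check the
// signature against the public key baked into the unit, and only then hand
// the payload to the installer. Anything else is rejected before it is used.
func VerifyBundle(vendorPub ed25519.PublicKey, bundle []byte) ([]byte, error) {
	hdr := len(magic) + 4
	if len(bundle) < hdr+sigLen || string(bundle[:len(magic)]) != magic {
		return nil, errBadBundle
	}
	n := binary.BigEndian.Uint32(bundle[len(magic):hdr])
	// The declared length must account for every byte on the stick exactly.
	if uint64(len(bundle)) != uint64(hdr)+uint64(n)+uint64(sigLen) {
		return nil, errBadBundle
	}
	signed := bundle[:hdr+int(n)]
	sig := bundle[hdr+int(n):]
	if !ed25519.Verify(vendorPub, signed, sig) {
		return nil, errBadSig
	}
	return bundle[hdr : hdr+int(n)], nil
}

// Demo walks through the four sticks a head unit might be handed: the genuine
// one, one an attacker signed with their own key, a genuine one altered after
// signing, and a truncated copy. Each entry is nil (accepted) or the rejection.
func Demo() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	firmware := []byte("UCONNECT-PATCH (constructed sample payload)")
	results := map[string]error{}

	genuine := BuildBundle(vendorPriv, firmware)
	_, results["genuine"] = VerifyBundle(vendorPub, genuine)

	forged := BuildBundle(attackerPriv, []byte("attacker payload, attacker key"))
	_, results["forged"] = VerifyBundle(vendorPub, forged)

	tampered := append([]byte(nil), genuine...)
	tampered[len(magic)+4] ^= 0x01 // flip one bit of the payload after signing
	_, results["tampered"] = VerifyBundle(vendorPub, tampered)

	truncated := genuine[:len(genuine)-1]
	_, results["truncated"] = VerifyBundle(vendorPub, truncated)
	return results
}

func main() {
	for name, err := range Demo() {
		if err == nil {
			fmt.Printf("%-9s accepted\n", name)
		} else {
			fmt.Printf("%-9s rejected: %v\n", name, err)
		}
	}
}
```

The point of the length check before the signature check is that the parser never trusts the stick's own description of itself; and the point of rejecting on any signature failure, rather than distinguishing the cases to the user, is that a mailed attacker stick should fail exactly like a corrupted genuine one, giving the installer no partial path to act on.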