Do you remember the hack of the Fiat Chrysler Jeep? In response to the disclosure of the details of the successful attack, the company recalled nearly 1.4 million vehicles in the US in order to update the firmware running on the vulnerable component.
Customers could visit a dealership to receive the update; Fiat Chrysler also published the software update on its official website, where tech-savvy car owners who want to update their cars themselves can download it.
Fiat Chrysler has also started distributing the patch for its vehicles by sending it on a USB stick through the post.
It is easy to imagine why most security experts are disconcerted by the mechanism Fiat Chrysler chose to update the flawed software on its vehicles.
Personally, like many colleagues, I am disappointed by this choice. Without an easy-to-use method for verifying the authenticity of the software sent by Chrysler, its customers remain exposed to further attacks.
Someone could substitute the legitimate update sent by Chrysler with a malicious one and send it to the owner of the vulnerable vehicle.
“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security, to the BBC.
“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.”
“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”
Using a USB stick to distribute software updates has wider security implications.
“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” Bassill told the BBC.
(Security Affairs – Fiat Chrysler, Patch Management)