This seemed pertinent since they are doing this through its IoT connected suite. Commands include total brake control, engine shut off, reverse steering control, GPS tracking among other things.
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
So glad I don't even have Bluetooth or OnStar right now
Edit: article from Wired to patch your stuff, please and quietly per Chrysler.
"The car maker posted a notice to its website informing its customers about a 'software update to improve vehicle electronic security.'"
http://www.wired.com/2015/07/patch-chrysler-vehicle-now-wireless-hacking-technique/
I have a '15 Wrangler with Uconnect. Any workaround?
Work around: Walk/bike/drive a non-IoT car
Patch:
Call the dealer and see if there is a patch yet, RA3 and RA4 radio/nav systems. Requires physical access to the vehicle to patch it.
Edit: a patch exists to download.
http://www.driveuconnect.com/software-update
Currently only the Cherokee has been confirmed, but since it is the Uconnect module, an update to the commands in theory could control other vehicles. I'm only aware of the Jeeps getting a patch.
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
Just read that...
Security should be viewed as an immune system. When a body is overworked, its immune system suffers, even though it may enjoy some short-term productivity improvements. Same thing with computerized systems. Get them to be 100% productive and easy to use, and they will catch something, or fall prey to opportunistic infections endemic to the system.
FUN FACT: your autoimmune system is keeping you from getting a really nasty brain infection from bacteria that have been in you SINCE BIRTH. Would you like to have a productivity boost from diverting the resources dedicated to fighting that brain infection so that you could run faster or jump higher?
I want to make the same arguments at my company. Always the obsession with that marvelous user experience... and then, when we're penetrated they're all surprised and like
:kiwf:
And I'm all
:yuno:
Y U NO DO SECURITY IN FIRST PLACE?
Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"We're sorry, all representatives are busy taking others' money. Please call back later, your money is important to us."
Quote from: hizzo3 on July 21, 2015, 12:53:00 PM
Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"We're sorry, all representatives are busy taking others' money. Please call back later, your money is important to us."
That's what it feels like.
BTW, just glanced over the SPY act. It doesn't even require encryption and authentication.
"In general-all entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks"
It does go on to say that critical software must be kept isolated from non critical... No details given.
That said... What is reasonable? In theory, WEP is reasonable.. 8 bit encryption? Hold on, I have a TI-84 calculator somewhere to crack that. What about maybe using a flawed OpenSSL?
And critical SOFTWARE isolation? OK throw it in a hypervisor on the car... Because that is always secure right? This bill is laughable in terms of security... Updates not less than 3 years to the bill... Only if hackers played fair, right?
Edit to post one for patch article.
Quote from: routerdork on July 21, 2015, 01:07:42 PM
Quote from: hizzo3 on July 21, 2015, 12:53:00 PM
Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"We're sorry, all representatives are busy taking others' money. Please call back later, your money is important to us."
That's what it feels like.
Wait, what, you called/emailed the guys who performed the hack????
Quote from: ristau5741 on July 22, 2015, 09:15:19 AM
Quote from: routerdork on July 21, 2015, 01:07:42 PM
Quote from: hizzo3 on July 21, 2015, 12:53:00 PM
Quote from: routerdork on July 21, 2015, 11:42:34 AM
I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.
"We're sorry, all representatives are busy taking others' money. Please call back later, your money is important to us."
That's what it feels like.
Wait, what, you called/emailed the guys who performed the hack????
I'm sure that would be a funny conversation.
Routerdork:"Please stop"
Hacker:"No"
Routerdork:"Why?"
Hacker:"They didn't use a Belkin" *click*
Time to call the hunter... the hunter of hackers!
Haha officer I swear I wasn't speeding, I was hacked. C:-)
I actually emailed the UConnect guys. I'm actually very unimpressed with the service. It's got a Sprint 3G connection. I spent over 50 hours on the road a few weeks ago and it barely ever had service to do anything.
Well a half assed kudos is in order. FCA is starting a recall. Now that said, I wonder how long they can keep patching like this.
Quote from: hizzo3 on July 24, 2015, 11:00:34 AM
Well a half assed kudos is in order. FCA is starting a recall. Now that said, I wonder how long they can keep patching like this.
Dealers will love this, Monthly patching cycle, with free inspection, and a $1500 list of service items that you need to take care of
It's like the "If Microsoft Made a Car" joke from 1995... spooooooooky.
I had to send my VIN, Year, Make, Model, etc. Finally they matched it up and said oh yeah you are vulnerable and need to have your truck serviced for this recall.
But they still had to forward my info to another department because I can register for the service and they will gladly take my money, but when I want to look it up I'm just not important enough to be listed in the database. I did see mention on the UConnect website about the issues now though.
You're surprised that they took your money and then forgot about you?
:haha1:
Sorry, couldn't resist.
But, yes, you're the most important person in the world until you give them what they want most. Corporations are like the worst boyfriends/girlfriends, ever.
Of course what was I thinking. Customer Service is hanging out with Chivalry, Bruce Jenner, and Tupac on a deserted island somewhere...
Quote from: routerdork on July 27, 2015, 11:02:40 AM
Of course what was I thinking. Customer Service is hanging out with Chivalry, Bruce Jenner, and Tupac on a deserted island somewhere...
Good news it was just your car that was affected. Hax can also allow someone to p0wn your house:
https://threatpost.com/pair-of-bugs-open-honeywell-home-controllers-up-to-easy-hacks/113965
:shock: <- guy who had a Honeywell controller that got hacked
Wow... Easy hack too on the Honeywell. Might as well just write code:
If pwd='12345' then
    Access.grant
Else
    Access.deny
End if
In the JavaScript on the web page.
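Added example (not part of the original thread and not any vendor's code): the post above mocks an access check done in page JavaScript, where the secret is readable in the source and the client decides the outcome. The sketch below puts that anti-pattern beside a server-side check; the account name, passphrase and the function names `login` and `handleCommand` are hypothetical, and the sample data is constructed.

```javascript
const crypto = require('node:crypto');

// Constructed sample account: only a salted scrypt hash is stored, never the password.
const salt = crypto.randomBytes(16);
const users = new Map([
  ['installer', { salt, hash: crypto.scryptSync('constructed-sample-passphrase', salt, 32) }],
]);
const sessions = new Set(); // tokens the server issued after a successful login

// Anti-pattern from the post: the comparison ships to the browser, so anyone
// can read the literal or simply skip the branch.
function clientSideGate(pwd) {
  return pwd === '12345';
}

// Server-side login: derive a key from the submitted password and compare
// it to the stored hash in constant time.
function login(user, pwd) {
  const rec = users.get(user);
  // Unknown users still cost one scrypt call, so timing does not reveal valid names.
  const s = rec ? rec.salt : Buffer.alloc(16);
  const candidate = crypto.scryptSync(String(pwd), s, 32);
  if (!rec || !crypto.timingSafeEqual(candidate, rec.hash)) return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.add(token);
  return token;
}

// Every privileged request is re-checked on the server; nothing the browser
// claims about being "logged in" is trusted.
function handleCommand(token, command) {
  if (typeof token !== 'string' || !sessions.has(token)) {
    return { status: 401, body: 'denied' };
  }
  return { status: 200, body: `executed ${command}` };
}
```
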
Quote from: hizzo3 on July 27, 2015, 05:21:56 PM
Wow... Easy hack too on the Honeywell. Might as well just write code:
If pwd='12345' then
    Access.grant
Else
    Access.deny
End if
In the JavaScript on the web page.
If people are too stoopid to not put their devices behind a firewall, and simply leave devices connected to the open internet, then they deserve to be hacked. If they are too naive about the internet then they should hire someone knowledgeable enough that can install the product securely.
Quote from: ristau5741 on July 28, 2015, 06:59:59 AM
If people are too stoopid to not put their devices behind a firewall, and simply leave devices connected to the open internet, then they deserve to be hacked. If they are too naive about the internet then they should hire someone knowledgeable enough that can install the product securely.
"We have a firewall, but we're only blocking the bad traffic. What's wrong with that?"
:haha4:
Oh for hell's sake...
https://threatpost.com/gone-in-less-than-a-second/114154
While this is a directed, instead of general, attack, it's still something that has to be considered, especially if you've been selected as a random target of a vehicle theft. Keep your valuables with you... or always examine the undercarriage of your car before entering.
Man that's a smart tactic.
Quote from: deanwebb on August 06, 2015, 11:44:25 AM
Oh for hell's sake...
https://threatpost.com/gone-in-less-than-a-second/114154
While this is a directed, instead of general, attack, it's still something that has to be considered, especially if you've been selected as a random target of a vehicle theft. Keep your valuables with you... or always examine the undercarriage of your car before entering.
Or you do as I do... Use the effing key. You know that 2,000 year old technology?
The car companies just don't get it. Security doesn't work as an afterthought, has to be baked into the design. No points for guessing when security came into the picture for all the software and standards under the hood.
http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/
The problem is compounded by the fact that they're dealing with stuff that literally cannot fail without dangerous consequences (who cares if your browser occasionally crashes, for example), and that bricking or even soft bricking your car is a lot bigger deal than messing up your windows install and a lot harder to fix.
Quote from: wintermute000 on August 24, 2015, 03:39:01 AM
The problem is compounded by the fact that they're dealing with stuff that literally cannot fail without dangerous consequences (who cares if your browser occasionally crashes, for example), and that bricking or even soft bricking your car is a lot bigger deal than messing up your windows install and a lot harder to fix.
Which is why what Tesla is doing is very cool, and very scary at the same time. The guys who did the uConnect hack notified Tesla of an issue as well. Tesla fixed it, and pushed the update out to all their cars. I guess the Tesla is an SDC? Software Defined Car? As long as it works, and the testing is there, that is awesome. However, the second an update accidentally causes the brake to accelerate the car it becomes very scary.
-Otanx
Excellent article, Wintermute. I do not ever want to have a connected car. Terrifying stuff can result from that decision.
It depends. What I hate most about the IoT, the home security systems, connected cars, smartphones, ... is the fact that they're closed systems. I want low-level control and I want to be able to customize it and/or patch it myself, because the closed systems are obviously not doing it for us.
Quote from: deanwebb on August 24, 2015, 09:28:14 AM
Excellent article, Wintermute. I do not ever want to have a connected car. Terrifying stuff can result from that decision.
Exactly - some things should be kept separate from each other. Like... things attached to the Internet being physically separated from things that drive critical systems, unless those critical systems have to be connected to the Internet in order to function.