'13+ jeep Cherokee/ Chrysler UConnect hacked

[hizzo3]

This seemed pertinent since they are doing this through its IoT connected suite. Commands include total brake control, engine shut off, reverse steering control, GPS tracking among other things.

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

So glad I don't even have Bluetooth or OnStar right now


Edit: article from Wired to patch your stuff, please and quietly per Chrysler.

"The car maker posted a notice to its website informing its customers about a 'software update to improve vehicle electronic security.'"
www.wired.com/2015/07/patch-chrysler-vehicle-now-wireless-hacking-technique/

[LynK]

i have a '15 wrangler with uconnect. any work around?

[hizzo3]

Work around: Walk/bike/drive a non-IoT car

Patch:
Call the dealer and see if there is a patch yet, RA3 and RA4 radio/nav systems. Requires physical access to the vehicle to patch it.
Edit: a patch exists to download.
www.driveuconnect.com/software-update

Currently only the Cherokee has been confirmed, but since it is the Uconnect module, an update to the commands in theory could control other vehicles. I'm only aware of the Jeeps getting a patch.

[routerdork]

I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.

[deanwebb]

Just read that...

Security should be viewed as an immune system. When a body is overworked, its immune system suffers, even though it may enjoy some short-term productivity improvements. Same thing with computerized systems. Get them to be 100% productive and easy to use, and they will catch something, or fall prey to opportunistic infections endemic to the system.

FUN FACT: your autoimmune system is keeping you from getting a really nasty brain infection from bacteria that have been in you SINCE BIRTH. Would you like to have a productivity boost from diverting the resources dedicated to fighting that brain infection so that you could run faster or jump higher?

I want to make the same arguments at my company. Always the obsession with that marvelous user experience... and then, when we're penetrated they're all surprised and like



And I'm all



Y U NO DO SECURITY IN FIRST PLACE?

[hizzo3]

I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.

"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."

[routerdork]

I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.

"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."

That's what it feels like.

[hizzo3]

BTW, just glanced over the SPY act. It doesn't even require encryption and authentication.

"In general-all entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks"
It does go on to say that critical software must be kept isolated from non critical... No details given.

That said... What is reasonable. In theory, WEP is reasonable.. 8 bit encryption? Hold on, I have a TI-84 calculator somewhere to crack that. What about maybe using a flawed openSSL?
And critical SOFTWARE isolation? OK throw it in a hypervisor on the car... Because that is always secure right? This bill is laughable in terms of security... Updates not less than 3 years to the bill... Only if hackers played fair, right?

[hizzo3]

Edit to post one for patch article.

[icecream-guy]

I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.

"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."

That's what it feels like.

wait, what, you called/emailed the guy's who performed the hack?

[hizzo3]

I've got a Ram with UConnect but it gives me an error with my VIN. Tried to call them and it hangs up after 2 rings. I emailed them to see what they say.

"Were sorry, all representatives are busy taking other's money. Please call back later, your money is important to us."

That's what it feels like.

wait, what, you called/emailed the guy's who performed the hack?

I'm sure that would be a funny conversation.
Routerdork:"Please stop"
Hacker:"No"
Routerdork:"Why?"
Hacker:"They didn't use a Belkin" *click*

[deanwebb]

Time to call the hunter... the hunter of hackers!

[routerdork]

Haha officer I swear I wasn't speeding, I was hacked. 

I actually emailed the UConnect guys. I'm actually very unimpressed with the service. It's got a Sprint 3G connection. I spent over 50 hours on the road a few weeks ago and it barely ever had service to do anything.

[hizzo3]

Well a half assed  kudos is in order. FCA is starting a recall. Now that said, I wonder how long they can keep patching like this.

[icecream-guy]

Well a half assed  kudos is in order. FCA is starting a recall. Now that said, I wonder how long they can keep patching like this.

Dealers will love this, Monthly patching cycle, with free inspection, and a $1500 list of service items that you need to take care of