
Hackers remotely disable UConnect equipped SUV

18K views 40 replies 19 participants last post by michaelk
#1 ·
Wow.

Hackers Remotely Kill a Jeep on the Highway - With Me in It | WIRED

Fascinating read. I'm actually glad they chose to do their research on UConnect - because it looks like they forced Chrysler into fixing it.

Relevant excerpts:

"...Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit."

"...Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research."
 
#5 ·
Possibly you could disconnect the cellular antenna lead and hope that kills the signal enough to make it not connect, but otherwise even if it's "off" I doubt it's really off. Sort of like "permanently deleting" one's profile on Ashley Madison still isn't going to stop a hacker from posting your infidelity all over the net...
 
#3 ·
It's good to know that Chrysler is taking this seriously for once.
 
#6 ·
Not to be a jerk, but you think 9 months to come up with a fix and then releasing it by a TSB without a recall, email, phone call, text message, or notification on their app or website is taking it seriously?

A hacker can disable your transmission so you can't move, disable your brakes so you can't stop, and sounds like possibly even STEER your vehicle into whatever they want given some time (I guess it needs the electric steering on the v6?) remotely while you are driving down the highway?

I'm not a hacker, network engineer, nor anything else, but the vehicles are on Sprint's network too. I'd guess they could just ask Sprint to implement firewall rules on their end not to route traffic that didn't come from a trusted server to our vehicles.

They should have a plan in place so every vehicle ever produced is flashed with a fix before these guys release the code on their planned date.
 
#7 ·
Yeah. This is incredibly troubling. I work in the airline industry and our carrier is talking about implementing a system that would allow our maintenance teams access to the aircraft's ARINC data stream (similar to a CAN bus) in flight. I know nothing about digital security other than having a pretty good scheme for picking secure passwords and to me this is pretty scary. Who knows what hackers will get into next...
 
#9 ·
The interesting thing is that they need to know your IP address in order to "hack" your vehicle. That's not exactly easy to get. But just not subscribing to the UConnect System will not disable the system. I just checked, it does have an IP address via the wireless network. I think that it's time to go back to 8Track players.
 
#14 ·
Kinda continuing my soapbox rant...

This is the product of a failure of the Engineering/CS postsecondary (and maybe secondary) educational system going back at least a generation.

And I'm as much at fault as anybody, being a part of that...

The goal is to push out software/firmware/hardware that "works" - for some definition of "works".

Not a lot of engineers/coders want to think about attack vectors, the robustness of their security stack, etc. etc. when they are under pressure to get out something that "works" and get a stock pop.

And, to be fair, the entire architecture of the Internet (back circa 1970) had no concept of malicious intent.

It all seems easy and obvious, until it is YOUR house that is broken into.

/rant
 
#15 ·
Serious question: why the thoughts that secure over the air updates are impossible? I'm unaware of anyone pushing a bad update to an iPhone or Android phone and they deliver over the air updates to (hundreds of?) millions of phones and tablets on a regular basis. Before them I'd guess BlackBerry did it too and their devices are secure enough that the leaders of our government use them. BlackBerry is apparently the owner of the QNX operating system in the 8.4. So why is it implausible that a secure system could be built?

If they can do it securely why not FCA?
 
#20 ·
It certainly is possible with a Public Key Infrastructure (PKI) and digital signature checks, but I don't know if the UConnect system has the necessary pieces in place to do that today. As you mentioned, lots of other software updates (e.g. Apple and Android apps) are already distributing digitally signed updates to verify the authenticity of the author, but the auto industry is going to have to play catch-up here. Cars (and other embedded systems) are just the next battleground.
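The signed-update check the post above describes, as an added example that is not code from the original thread or from Uconnect: the vendor signs SHA-256(version || image) with an Ed25519 private key, and the head unit, which holds only the public key, refuses images that fail the signature check or that would roll back to an older version. The package layout, key handling and version numbers are assumptions for illustration, not FCA's real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, hypothetical OTA package layout (not the real
// Uconnect format): a version counter, the firmware image, and a signature made
// by the manufacturer over SHA-256(version || image).
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// digest binds the version to the image bytes so an old, vulnerable image
// cannot simply be relabelled with a newer version number.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs on the manufacturer's side; the private key never leaves it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{Version: version, Image: image,
		Signature: ed25519.Sign(priv, digest(version, image))}
}

// VerifyUpdate runs on the head unit, which only holds the vendor public key.
// It rejects altered images, packages signed by anyone else, and rollbacks.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, digest(pkg.Version, pkg.Image), pkg.Signature) {
		return errors.New("signature check failed: image altered or not signed by the vendor")
	}
	if pkg.Version <= installed {
		return fmt.Errorf("rollback refused: version %d is not newer than installed %d", pkg.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo keypair
	pkg := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, pkg)) // nil
	pkg.Image[0] ^= 0xff                                      // simulate tampering in transit
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, pkg)) // signature error
}
```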
 
#16 ·
This is why I'm building my own RF relay switch for the uConnect systems (or any system with the right connectors). I don't need or use this crap.

FYI, it does NOT matter about uConnect. It matters that your vehicle has a constant cellular connection (most FCA using Sprint) that you as a user can not turn off. Chrysler is NOT the only one with the issue.

FCA = uConnect
GM = OnStar
so on and so forth, all the vehicle makers have something.

I disagree with the education system failing engineering, it's a standard information security issue in that most times, product/marketing beats infosec. Look at Sony, OPM, HackingGroup, Ashley Madison, Eaton Power Systems, Siemens Power Systems.... all too often security is second, third, fourth thought in product design, placement, and deadlines.
 
#18 ·
As somebody who has been in the Cyber Security field for 20 years, just wanted to share a few thoughts on this:

1) Don't blame these researchers, they did car owners a huge favor by releasing this information in an ethical manner. They gave Chrysler 9 months to fix the issue. We should be thanking these guys, not criticizing them. Do you really think Chrysler would have spent the money to fix these problems if the information had not been released? There is an underground market for these types of zero-day bugs, they could have made a lot of money selling this information.
2) This is just the beginning of these types of issues. It is only going to get worse.
3) Securing these systems is going to be very hard. The current problem is patched, but more will be found in this system and others.
4) A very small percentage of owners are actually going to patch their system unless they visit their dealer. This may yet turn into a recall in order to get these systems patched.
5) Good to see Chrysler co-operating with these researchers. The rookie move would have been to send in the lawyers and try to silence them.
 
#24 ·
Agreed, but dead serious, members of Congress, the Pentagon, even I think the President use BlackBerrys. Presumably the DOD or NSA or someone has decided there's a reasonably robust way to do it.

Obviously rational people can agree to disagree but I just don't see it as impossible to do safely. Or maybe I should say with less issues of not getting updated in a timely way.

In 5-10 years there are going to be fleets of Google and Uber and whoever else cars driving around autonomously. They're going to be networked for a pile of reasons. There's no point to put it off and ignore what's coming. The mindset should be to get out in front and figure out how to make these things safest, and along those lines, what to do WHEN they DO get hacked. This isn't going to be the first time. I'm sure that there will be more with the Uconnect; my money is the NSA and China have other ways in even with the "fix", so my personal preference is they can just push an update to me as soon as they have it. What if I'm on vacation for a couple weeks and don't check the net? I'd rather not drive around two weeks with a vulnerable vehicle; I'd prefer they just push the update.

There's ways to have secure wireless communication. If I recall, the latest generation fighter jet radars actually talk among friends and pool their resources so that (hypothetically) if one plane can track and display 5 targets, a group of 5 can track and display 25. I think there's all sorts of other battlefield networking going on too.

The problem, in my humble opinion, is FCA used car people to write code for a wireless internet tablet/smartphone rather than getting smartphone people to write code for the car. Their mindset is all wrong. It's evident on sooo many fronts: updates are too sparse, no more new feature additions, not an open app 'store', no ability to push, crappy feature list for the price, still no real time maps, etc, etc. They should hire some of the people that MS and BlackBerry are laying off from their cell phone groups.
 
#28 ·
I would doubt they would take the time to reconcile the VIN numbers we enter to get the software with all of the ownership records. Much easier just to ship everybody a USB drive. And much less risky on the legal side - with the bad press out there, they don't want any chance of "but I didn't get my recall USB stick!" complaints.

Media article about recall:

Fiat Chrysler recalls 1.4 million vehicles to prevent hacking - Business - The Boston Globe
 
#41 ·
...
Yes, everything that hasn't been delivered should have the update; the production line should be loading the new bits, and everything off the line and not yet delivered will get the RRT either in inspection or during PDI at the dealer.
I'd still check just to be sure.

I was surprised that mine was delivered with an out of date Uconnect firmware version despite the build date of the vehicle being months younger than the date of the latest Uconnect version.

Granted this is a recall but I personally don't trust my dealer farther than I could throw the 300lb service writer.

I took my Durango in for an oil change the other day just before they issued a recall. At the time it was a rapid response TSB. Supposedly all the VIN's get entered into some computer database. You would think that when they check you in for service their screen would notify them there is a RRT pending. They said nothing.

THIS SERVICE BULLETIN IS ALSO BEING RELEASED AS RAPID RESPONSE
TRANSMITTAL (RRT) 13-071. ALL APPLICABLE SOLD AND UN-SOLD RRT VIN's
HAVE BEEN LOADED.

Again, it's now a recall so hopefully they pay more attention. But I'd still check myself to be sure.
 
#30 ·
I would doubt they would take the time to reconcile the VIN numbers we enter to get the software with all of the ownership records. Much easier just to ship everybody a USB drive. And much less risky on the legal side - with the bad press out there, they don't want any chance of "but I didn't get my recall USB stick!" complaints.
Agree. For what a USB stick costs, just send one to everyone. Maybe with a nice Jeep/Dodge/RAM/etc logo :)


Should I assume mine will come with the updated software? It hasn't been built yet, so I would guess it would come updated, right?
Yes, everything that hasn't been delivered should have the update; the production line should be loading the new bits, and everything off the line and not yet delivered will get the RRT either in inspection or during PDI at the dealer.
 
#31 ·
Moved to recall section
 
#33 ·
The press release says "certain vehicles", so I'm guessing not all of them, but 1.4mm vehicles is a lot. Both of mine needed the update
 
#36 ·
Uconnect® Software Update - Update your Uconnect® System
Just go here and enter your VIN. Then it will give you instructions on downloading and installing the update. I would not bother with the Akamai download manager. Just do the direct download and extract it directly to your USB drive. (Format your USB drive to FAT32 first. That will wipe it!) Then you plug the drive into the USB port in your car and set it to run or start it. After about 45 seconds it will ask you if you want to install the update; click yes. The update takes about 5 to 10 mins and you're done! Much easier than getting your dealer to do it.
 
#35 · (Edited)
According to the recall notice, they will be sending the update on USB devices to affected owners; however, you can go to this page and download and install the update. It was the UConnect update that was released last week. If you loaded that update to your system, you should be set. Check to see that you have Version 15.26.1 installed.

Uconnect® Software Update - Update your Uconnect® System
 
#38 ·
That is Cool that they will be sending it out on USB
STEVE