>"Hackers will be able to pull the data off the USB stick and reverse-engineer it. They'll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit," he told the BBC.
So? Never thought I would hear a "Security Expert" argue for, and not against security through obscurity. Perhaps this is not the best source for critique.
Sure, but there is no evidence of that, so why even bring it up as an example/excuse as to why anyone would argue this way? It is totally unfair to assume that the content has not already been signed prior to distribution without evidence.
> If the USB stick accidentally contains private keys for signing, that might be of concern.
That would still be a problem if the updates were only distributed to repair shops, however (you'd need someone on the inside, but given the number of people involved, that probably wouldn't be too hard).
Can't believe that they didn't think to include a way to verify the USB's integrity with strong crypto, and clear instructions on how to do this. Yes, non-tech savvy customers would be vulnerable to phishing (since such a letter would simply omit this step), but at least it would be possible for tech-savvy individuals to do so.
If they had done this right, they would have sent the USB with a validation step and widely advertised this step, so that all users would be aware of the need to do it, maybe even branding a simple software package to verify the contents as something like "UConnect SafeCheck".
Hopefully, they at least have a secure way to download it online (but given actions up to now, I'm not optimistic).
Edit: Owners can download it via https (albeit with SHA-1), but I'd be surprised if there's a way to validate the integrity of the downloaded file. Also, they're advertising that link without the SSL (and indeed, it allows non-SSL connections).
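What the "validation step" discussed above would look like in practice, as an added example (not code from the original thread, and not Fiat Chrysler's or UConnect's actual update mechanism): the vendor signs the update image with an offline Ed25519 key, and the verifier, whether that is the head unit or a small owner-side checker, holds only the pinned public key. The names `signUpdate`, `verifyUpdate`, `digestOnlyCheck` and the sample image bytes are all assumptions constructed for this example. The second helper shows why a published hash alone, fetched over the same non-TLS link as the file, does not solve the problem the commenter raises: whoever can substitute the file can substitute the digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample update image; stands in for the contents of the USB stick.
var sampleImage = []byte("UCONNECT-UPDATE-IMAGE v1.0 (constructed sample payload)")

// signUpdate runs on the vendor side with the offline signing key and produces
// the detached signature that would ship next to the image on the stick.
func signUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// verifyUpdate runs on the head unit (or on the owner's PC as a "SafeCheck"
// step). The public key is pinned in the verifier, so a stick that carries its
// own key or its own hash cannot vouch for itself.
func verifyUpdate(pinnedPub ed25519.PublicKey, image, sig []byte) error {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has wrong length")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(pinnedPub, image, sig) {
		return errors.New("signature does not verify against pinned vendor key")
	}
	return nil
}

// hexDigest returns the SHA-256 of an image as the kind of string a vendor
// might print on a download page.
func hexDigest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// digestOnlyCheck models the weaker "just publish a SHA" scheme. It only tells
// you the file matches the digest you were handed, not who produced either one.
func digestOnlyCheck(image []byte, publishedHex string) bool {
	return hexDigest(image) == publishedHex
}

// tamper returns a copy of the image with one byte flipped, modelling an
// altered stick or a file swapped on a non-TLS download.
func tamper(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor's offline key pair
	if err != nil {
		panic(err)
	}
	sig := signUpdate(priv, sampleImage)

	fmt.Println("genuine image:", verifyUpdate(pub, sampleImage, sig))
	fmt.Println("tampered image:", verifyUpdate(pub, tamper(sampleImage), sig))

	// The digest-only scheme passes as long as the attacker publishes the
	// digest of the file they substituted, which is exactly what they control.
	bad := tamper(sampleImage)
	fmt.Println("digest-only, attacker-supplied digest:", digestOnlyCheck(bad, hexDigest(bad)))
}
```

The point of pinning the public key in the verifier is that the trust decision no longer depends on the channel the stick or the file arrived through; the letter, the USB stick and the HTTP download page can all be untrusted, and the only secret that matters is the signing key, which never leaves the vendor.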
My understanding of the original hack is that the root of the hack is a flaw in the existing platform validation. In particular, the random seed is set from the clock [not a bad practice in itself] and the clock is activated the first time the car is fired up [somewhat problematic, since an attacker can be assumed to have the vehicle date via the VIN]. However, it's not even that hard, since the first time the vehicle is fired up the clock is at its default time and date, and this narrows down the seeds to the range of potential latencies between the clock coming online and the generation of the entropy pool.
In other words, the USB key can't use stronger crypto than the vehicle, and that crypto is poorly implemented [again, based on my understanding of the original hack].
I wonder what the 'Secure' printed on it stands for. Maybe each car has its own private key, meaning you'd have to physically hack the car first in order to get a fake update stick to work?
Research the last year your favorite car model was made with mechanical steering and a mechanical accelerator and only buy those. You only have to go a decade back at most, like I did.
You might want to stick with those years considering industries that have little knowledge or care about security are endangering your very life at highway speeds.
It's going to take them another half decade to care about these things and they will probably just solve it by lobbying politicians to waive liability instead.
To me, it's turtles all the way down. A three-letter state agency isn't going to be stopped by the tamper-resistant packaging on a Tylenol bottle, and it's probably easier for a criminal or a military to just shoot their victim [at least in the US]. Disabling the victim's vehicle with software is a bit Rube-Goldbergian, and a psychopath doing it on a mass scale just for the lols could just as well poison a water system.
Industries at the scale of the automobile industry are always making actuarial bets on fatality rates. Software or hardware or mechanical or digital is irrelevant, e.g. GM cheapening ignition switches without changing part numbers. Anyway, brakes have been digitally controlled for many, many years. Avoiding that means no traction and stability control systems, and the ordinary hazards [e.g. hydroplaning] that those mitigate are orders of magnitude more likely than my car getting hacked.
I feel like this is one of those examples of attempting to prevent a low-risk concern and instead increasing overall risk. Is the risk savings of avoiding a car with modern steering and accelerator worth the added risk of lacking other safety features of more recent advances in designing safe automobiles?
You can get virtually all safety features from today in a car a decade old; it just cost more then and was optional, so you have to look for the options.
Modern cars with high security have a wide array of sensors that pay attention to everything that goes on around the car and warn you or take actions to avoid dangerous situations. They also pay attention to your driving pattern and can warn you when you are starting to get tired or start dozing off.
Operating a vehicle with that level of maintenance would seem to pose a substantially more proximate risk than the unrealized potential risk posed by hackers.