Why Chrysler’s car hack ‘fix’ is staggeringly stupid
If you receive a USB stick through the mail, you really should not plug it in. By Zack Whittaker.
Continue Reading http://www.zdnet.com
The article seems to be taking an especially negative approach to Chrysler. I agree it's not a good solution. But before taking my view, I'll try to step into Chrysler's shoes to see it from their view...
1) Software MUST be updated
2) Customers HATE coming into dealers for unplanned service
3) In this case it's a software update, hey! Tech-savvy customers can do it on their own with a download, and avoid the hassle!
4) But what about non-tech-savvy people? Oh! We can mail them a USB stick, if they want
Conclusion: Win-win-win! We avoid burden on our dealers, customers are empowered to fix at their own convenience, and we have solutions for both tech-savvy and layman consumers!
That's why I don't like the article's take on the situation. They take affront that (gasp) Chrysler wants people to take this burdensome 12-step process for a fix. No they don't... that's only for people that can manage it. For those that can't, they'll ship you a USB drive, or you can go to your dealer.
BUT! Here's my big beef with this...
Mailing USB keys to car owners is massively, incredibly stupid. Especially for a hacking fix?? Are you kidding me?? This is a potential gold-mine for hackers. Most hackers don't care about affecting the whole world. They're after 1 or 2 specific targets. Now that you've created the process that the company can ship USB keys to update your vehicles, what is to stop a hacker from building a custom ROM, dropping it into an official-looking Chrysler-branded package, mailing it to your mark, and then sitting back and watching as the car owner updates the payload onto their own vehicle?
If they really wanted to be secure, I'd put another layer of protection in there... like tying each USB key to a specific VIN. So your key works JUST for your vehicle. Sure, you knock out the "build-your-own" option, but it's more than worth it for the added security.
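
The VIN-binding idea from the comment above, as an added sketch that is not part of the original comment and not Chrysler's actual update process: the vehicle accepts a stick only if an authenticated manifest names its own VIN and the hash of the image on the stick. The manifest layout, function names, key and VIN strings are all constructed for illustration, and HMAC stands in for the asymmetric signature a real design would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a standard-library stand-in: a real design would
# use an asymmetric signature so the vehicle stores only a public key.
DEMO_KEY = b"constructed-demo-key"


def _tag(body: dict, key: bytes) -> bytes:
    """Authentication tag over the canonical JSON form of the manifest body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def make_manifest(image: bytes, vin: str, key: bytes = DEMO_KEY) -> dict:
    """Vendor side: bind the image hash to one VIN and authenticate both."""
    body = {"vin": vin, "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "tag": _tag(body, key).decode()}


def verify_update(image: bytes, manifest: dict, vehicle_vin: str,
                  key: bytes = DEMO_KEY) -> str:
    """Vehicle side: return 'ok' or the reason the stick is rejected."""
    try:
        body, tag = manifest["body"], str(manifest["tag"]).encode()
        if not isinstance(body, dict):
            return "malformed manifest"
        expected = _tag(body, key)
    except (KeyError, TypeError, ValueError):
        return "malformed manifest"
    # Authenticate first: nothing in the body is trusted until the tag checks out.
    if not hmac.compare_digest(expected, tag):
        return "bad tag"
    if body.get("vin") != vehicle_vin:
        return "wrong vehicle"
    if body.get("sha256") != hashlib.sha256(image).hexdigest():
        return "image mismatch"
    return "ok"
```

The rejection of a look-alike stick comes from the authenticated tag rather than from the VIN, which is printed on the vehicle: a manifest made without the vendor key fails at "bad tag" whatever VIN it claims.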