Forum Discussion
50 Replies
- BenK (Explorer)
ANY computer can be hacked...that has any kind of EXTERNAL CONNECTION...even then it can
be left exposed by getting a nasty installed via some software loaded onto its system...it can hide
till a connection is made later...
After decades of computer news where they report infected/hacked/etc...folks here think not hackable...AMAZING to me
Ask if anyone has anti-virus software on their computer, cell, etc....even MAC's...
Part of my amazement is that there is little difference between today's vehicles vs any
personal computer...heck even Target/IRS/etc with their $Million plus buck servers gettin
hacked...why do folks think vehicle OEMs who think "El Cheapo" for most components
would choose high end computers and software????
- huntram (Explorer)
BillyW wrote:
I went there, downloaded the file, which is an executable that extracts an ISO. The instructions I've seen say nothing about that part. I haven't seen where they want the ISO extracted to the flash drive or how they expect you to accomplish that part. Unless someone has a suggestion, I'll either wait for their flash drive in the mail or maybe have a local dealer take care of it. In reality I'm not all that worried about my truck being digitally hijacked in the near term.
After extracting the ISO file to your hard drive, simply copy it to a blank flash drive.
Now go to your RAM and turn your ignition on. Plug in your flash drive into the USB port. It will read the ISO file and do the installation.
Takes about 15-20 minutes. It also fixes several other bugs like the backup camera jitters.
It really is easy, I did it yesterday morning.
Hopefully this helps..
Brian
- RobertRyan (Explorer)
Outside NA, that is not the case.
FCA cannot be hacked in Australia and New Zealand
Please note, no vehicles in Australia or any other international market outside of the USA were affected by this issue, as it is an American-only system not present in Australia l
- TurnThePage (Explorer)
I went there, downloaded the file, which is an executable that extracts an ISO. The instructions I've seen say nothing about that part. I haven't seen where they want the ISO extracted to the flash drive or how they expect you to accomplish that part. Unless someone has a suggestion, I'll either wait for their flash drive in the mail or maybe have a local dealer take care of it. In reality I'm not all that worried about my truck being digitally hijacked in the near term.
- whjco (Explorer)
For those with Chrysler UConnect systems, you can download the software update from this web site and the patch fixes the latest security vulnerability. http://www.driveuconnect.com/
- DakotaDad (Explorer)
itguy08 wrote:
Again, they are not talking how they did it. Sure in theory all that could do it. But how did it happen. The fact they are not talking is interesting at the least.
If you are truly concerned, I'd contact the source. Those kind of details don't work well in news articles intended for a mass audience. The same way the technical details seldom make it in to mass media articles about Microsoft exploits. There are other avenues for that information.
There's also the point of not telling EVERYONE the method of a potentially dangerous exploit before it gets a chance to be patched.
itguy08 wrote:
Sure. But that's no different than any car on the road today. Brake lines can be loosened/cut, tires can be deflated, GPS trackers can be installed. Once anyone has physical access the game is over. It's the #1 defense in any security system. Secure physical access.
Heck, it's a long shot but I'd bet someone could take your truck for a few hours each day without you even noticing it if you're like many who do not have views of the parking lot and go into work at, say 8am, lunch @12, and out at 5.
Which is why pointing out that an attack needs physical access to be viable is really pointless. Physical access is possible to almost any vehicle. Requiring a black box or OBD port access may lessen the scale of the vulnerability, but it does not lessen the danger to the individual vehicle. An exploit is an exploit and needs to be fixed.
itguy08 wrote:
You and I don't know that. I would hope that the TPMS has no capabilities to backed into the ECU. And if it does then that's a bigger issue, especially for those that use wireless sensors. Probably what they did was flood the TPMS wireless radio and used that to gain access to the ECU for reprogramming. Similarly to how they jailbreak and root iPhones and Android phones.
Seems like poor engineering if that's true, doesn't it? We know they were able to exploit those features. "How" matters from the perspective of patching it, but the end result is the same, a hacked vehicle.
itguy08 wrote:
The scary thing with the Chrysler hack is that as long as they were on the Sprint network they got VIN, IP's, and GPS coordinates for vehicles in a large geographic area. That should not be possible. That sort of stuff should be protected via SSL at the least or some sort of encryption algorithm tied to the VIN. Once I have your IP it's easy to attack it and that seems precisely what they did.
All the same information carried by OnStar, which has been hacked previously. How much are you willing to bet there isn't another lurking exploit out there in OnStar's code?
itguy08 wrote:
Yet this is the one that is getting (and I shudder at the thought) Congress to do something. So either the Onstar stuff was not that great or this is the tipping point. Take your pick.
I'll vote for tipping point. Vehicle security is going to be a huge topic over the next 5-10 years. The Chrysler attacks aren't the first, and aren't the biggest. Just the latest.
itguy08 wrote:
Nice try. Don't get me started on the security mess that is Windows and how poorly programmed that ecosystem is. Microsoft is trying but until they do a ground up re-code that ain't going to happen. That's another topic for another board. And, FYI I don't run Windows so I am concerned about security (again nice try). So rather than trying to defend poor practices, I choose to avoid them. I also don't use the excuse "they all do that".
I run Windows because I have to. So I HAVE to deal with it. We don't choose the applications, the organization's leadership does, based on organizational needs. We then choose the platform to run them. Often, that means Windows.
"They all do that" isn't the excuse. Instead, it's a demonstration that they all have problems, even when they are supposed leaders in the field. Expecting perfection from FCA when Microsoft, GM, BMW, and others have not yet achieved that is unrealistic and unfair. They ALL need to fix them. They should all be held to an equally high standard. None of them have reached that yet. Not FCA, not GM, not Toyota, not Ford.
itguy08 wrote:
GM and BMW also have poorly engineered systems. There, I said it. Doesn't change the fact that the Chrysler system seems to be the worst.
Wouldn't be an ITguy post without that final brand bash. I hope to see you chime in on future engineering and security issues with ALL brands, not just FCA.
- itguy08 (Explorer)
jtallon wrote:
Nice supposition, but the second article clearly states "found that they could wirelessly penetrate the same critical systems Miller and Valasek targeted using the car’s OnStar-like cellular connection, Bluetooth bugs, a rogue Android app that synched with the car’s network from the driver’s smartphone or even a malicious audio file on a CD in the car’s stereo system." Wirelessly. No black box. No physical access.
Again, they are not talking how they did it. Sure in theory all that could do it. But how did it happen. The fact they are not talking is interesting at the least.
Sure. But that's no different than any car on the road today. Brake lines can be loosened/cut, tires can be deflated, GPS trackers can be installed. Once anyone has physical access the game is over. It's the #1 defense in any security system. Secure physical access.
Heck, it's a long shot but I'd bet someone could take your truck for a few hours each day without you even noticing it if you're like many who do not have views of the parking lot and go into work at, say 8am, lunch @12, and out at 5.
The very section you quoted stated that "Scarier yet, another group took control of a car's computers through cellular telephone and Bluetooth connections, the compact disc player and even the tire pressure monitoring system." It seems unlikely that all of them started with an OBD port hack.
You and I don't know that. I would hope that the TPMS has no capabilities to backed into the ECU. And if it does then that's a bigger issue, especially for those that use wireless sensors. Probably what they did was flood the TPMS wireless radio and used that to gain access to the ECU for reprogramming. Similarly to how they jailbreak and root iPhones and Android phones.
I'd also never pop in an unknown CD, USB stick, etc. But that's me.
I'm curious as to the exact details of the exploit so we can gauge the threat. If it's through BT the threat is small as they'd have to be practically on top of me to get it to work.
The scary thing with the Chrysler hack is that as long as they were on the Sprint network they got VIN, IP's, and GPS coordinates for vehicles in a large geographic area. That should not be possible. That sort of stuff should be protected via SSL at the least or some sort of encryption algorithm tied to the VIN. Once I have your IP it's easy to attack it and that seems precisely what they did.
That's a pretty simple explanation. Notoriety. Doing something first. OnStar has already been exploited on at least a couple of occasions. There's no great fame in being the THIRD guy to do something. No one writes an article about that.
Yet this is the one that is getting (and I shudder at the thought) Congress to do something. So either the Onstar stuff was not that great or this is the tipping point. Take your pick.
And Microsoft's poor engineering with Windows, and GM's, and BMW's. But you're not concerned about security, or you'd at least be AWARE of those situations, too. You're just looking for a tool to brand bash, regardless of accuracy. It appears to be your primary contribution to this forum.
Nice try. Don't get me started on the security mess that is Windows and how poorly programmed that ecosystem is. Microsoft is trying but until they do a ground up re-code that ain't going to happen. That's another topic for another board. And, FYI I don't run Windows so I am concerned about security (again nice try). So rather than trying to defend poor practices, I choose to avoid them. I also don't use the excuse "they all do that".
GM and BMW also have poorly engineered systems. There, I said it. Doesn't change the fact that the Chrysler system seems to be the worst.
- bwanshoom (Explorer)
itguy08 wrote:
They had to target someone first. Did you read this article? They explain exactly how they decided to target Jeep first. "Based on that study, they rated Jeep Cherokee the most hackable model. Cadillac’s Escalade and Infiniti’s Q50 didn’t fare much better; Miller and Valasek ranked them second- and third-most vulnerable."
bwanshoom wrote:
Don't kid yourself that other car manufacturers are handling security any better.
Then why target Chrysler? Why not go after the biggest target, OnStar? OnStar has been doing this for quite a long time and offers many of the same features as Uconnect, all through the cellular voice and data networks. OnStar can remotely unlock doors, start the car, etc...
It could just be that Chrysler's system (like their vehicles) was poorly engineered.
- DakotaDad (Explorer)
itguy08 wrote:
It's unclear how the hack happened. If someone has physical access to your vehicle, then game over. No different than any other "hack". Installing a black box on your OBD port enables you to control 100% of the car and that's on every car made with that system. Especially if you can install custom code on it. So nobody is talking about how this hack happened. But it did happen.
Nice supposition, but the second article clearly states "found that they could wirelessly penetrate the same critical systems Miller and Valasek targeted using the car’s OnStar-like cellular connection, Bluetooth bugs, a rogue Android app that synched with the car’s network from the driver’s smartphone or even a malicious audio file on a CD in the car’s stereo system." Wirelessly. No black box. No physical access.
Even requiring physical access is a poor defense. My truck sits in a parking lot all day while I'm at work. Physical access is not a difficult thing to achieve.
itguy08 wrote:
Again nobody is talking and one wonders if these hacks all start out with something connected to the OBD port? The Bluetooth thing is scary but I'd want to know a lot more about how it happened. Was it a BT dongle like we use for scanning for codes or was it through the BT Cell connection. The latter is more scary than the former.
The very section you quoted stated that "Scarier yet, another group took control of a car's computers through cellular telephone and Bluetooth connections, the compact disc player and even the tire pressure monitoring system." It seems unlikely that all of them started with an OBD port hack.
itguy08 wrote:
So the question is: if OnStar was hacked first, why did the researchers pick Uconnect? It would have made a much bigger splash to single out OnStar since they have by far the largest installed base!
That's a pretty simple explanation. Notoriety. Doing something first. OnStar has already been exploited on at least a couple of occasions. There's no great fame in being the THIRD guy to do something. No one writes an article about that.
This is the FIRST major breach of the Chrysler system. That gets you publicity and exposure.
If they were looking to exploit on a mass scale to wreak havoc, maybe they would have targeted OnStar for its larger install base. But they're researchers, looking to prove a point. So a new target is a better way to do that. And it's GOOD to expose these exploits, so they can be fixed. Just like OnStar and BMW's exploits that they patched.
itguy08 wrote:
Again, it's poor engineering on FCA's part. Par for the course with them.
And Microsoft's poor engineering with Windows, and GM's, and BMW's. But you're not concerned about security, or you'd at least be AWARE of those situations, too. You're just looking for a tool to brand bash, regardless of accuracy. It appears to be your primary contribution to this forum.
- itguy08 (Explorer)
Let's look at your links...
On the DARPA link:
Although the intentionally-disguised vehicle was described by "60 Minutes" correspondent Lesley Stahl as a “regular new car,” it was actually a 2009 Impala running an older version of the OnStar software, according to GM spokeswoman Deana Alicia. The automaker isn’t sure, however, if the software was modified by DARPA in any way.
It’s also not clear if DARPA hacked the vehicle over a public cellular network, or through other means, but it was apparently able to install malignant code via the OnStar connection that gave researchers control over many of the car’s functions, according to the 60 Minutes report. DARPA has not yet responded to a request from Fox News for more details on the exact method used to access the car.
It's unclear how the hack happened. If someone has physical access to your vehicle, then game over. No different than any other "hack". Installing a black box on your OBD port enables you to control 100% of the car and that's on every car made with that system. Especially if you can install custom code on it. So nobody is talking about how this hack happened. But it did happen.
From the other:
In one case, a pair of hackers manipulated two cars by plugging a laptop into a port beneath the dashboard where mechanics connect their computers to search for problems. Scarier yet, another group took control of a car's computers through cellular telephone and Bluetooth connections, the compact disc player and even the tire pressure monitoring system.
Again nobody is talking and one wonders if these hacks all start out with something connected to the OBD port? The Bluetooth thing is scary but I'd want to know a lot more about how it happened. Was it a BT dongle like we use for scanning for codes or was it through the BT Cell connection. The latter is more scary than the former.
Probably best to look at your OBD port when you get in the car. :)
So the question is: if OnStar was hacked first, why did the researchers pick Uconnect? It would have made a much bigger splash to single out OnStar since they have by far the largest installed base!
Again, it's poor engineering on FCA's part. Par for the course with them.