Monday, July 27, 2015

The scariest thing about the Chrysler hack is how hard it is to patch


Chrysler is having a bad week. On Tuesday, Wired published a fantastic and gripping report detailing an open vulnerability in Chrysler's UConnect system, allowing attackers to take control of transmission, brakes, or even steering. There was already a patch available when the article was published, but because cars required physical updates, most cars hadn't received it. Today, Chrysler upped the ante, asking 1.4 million cars to report to dealerships or install a patch mailed out over USB. It's the biggest vulnerability we've ever seen from a car company, and a firsthand demonstration of how hard it is to patch a problem once it pops up.

The hack looked bad — Wired's Andy Greenberg was literally forced into a ditch by hackers — but the patching process is even more important, and Chrysler's failure there should be much more troubling. Bugs are an inevitable part of software development, so the important question is how quickly you respond when a bug is inevitably found, giving attackers as small a window as possible to exploit the newly discovered weakness. As long as Chrysler has to update car software by hand, that window is wide open — and that should be scarier than any highway demo.

While alarming to read about, this week's bug represents the best-case scenario for security research. The good guys found the bug first: the researchers, Charlie Miller and Chris Valasek, have no interest in using this bug to exact vengeance on their enemies or selling it to the mob for a quick buck. By the time the bug was reported, Chrysler had a patch ready, and there's no evidence anyone ever exploited the vulnerability for nefarious ends.

The problems came once Chrysler tried to get that patch out to its cars. There was no way to update the cars automatically, so the company was reduced to in-person dealership updates and, in some cases, mailing USB sticks to affected customers. The result was a clear mismatch of offense and defense: UConnect makes the cars vulnerable to remote attack, but there's no way for Chrysler to remotely defend them by pushing out patches. Chrysler also made network-level changes that seem to have blunted the attack, but fixing the car's software still required in-person USB contact.

That was embarrassing in this case, but it could be catastrophic in the years to come. The attack published in Wired isn't the only way to break into UConnect — it's just the only one we know about. It's a safe bet that more vulnerabilities will be discovered in the years to come, and if Chrysler is going to keep its drivers safe, it needs a way to patch those vulnerabilities fast. As long as the company sticks with manual updates, new attacks will be developed faster than the old ones can be patched, and attackers will run circles around defenders.

Tesla has a head start on this, already delivering over-the-air updates, but even seasoned software companies have problems pushing out patches. The most common single security flaw in most systems is an old computer running an outdated and vulnerable version of Flash or Internet Explorer, simply because no one bothered to install the update. The problem is even more serious on mobile devices. The biggest difference between iOS and Android security is simply that Apple can push out automatic updates whenever it wants. Carriers mean that when a vulnerability like the recent WebView bug pops up, Google simply has no way to fix it. It's the biggest single security problem for smartphones — and it's primed to be the biggest single security problem for cars, too.

When I first read the story, my first thought was: why give a car a modem at all? The current benefits are relatively minor, and the downside is terrifying. Why not just keep cars off the grid?

After my initial reaction, though, I don't believe that. The benefits of networked software are too profound to keep cars cut off forever. But security is a serious problem, and there are no partial solutions. Networked systems are always vulnerable to networked attacks, and that puts a grave responsibility on manufacturers. Taking on that responsibility means maintaining a whole array of security measures, from research teams to bug bounties to a full and considered patching system. Until that hurdle is cleared, car makers may want to reconsider the benefits of giving cars an IP address to defend.
