Thoughts on Fiat Chrysler's Patching Dilemma

I am the INFOSEC Hipster.

Hi, my name is Aaron and I'm an INFOSEC hipster.  I was worried about the security of our increasingly connected cars back in 2013, which is way before it was cool to be worried about such things.  Someone fetch me some thick, black-framed glasses and a PBR while I configure my retro NFR IDS.  While you're doing that, let's take a look at Fiat Chrysler's situation and their options.

Auto safety regulators have hit Fiat Chrysler with a $105 million fine and a 1.4 million vehicle recall.  This is their reward for being the first car company to have a remotely exploitable software vulnerability affecting the operation of its vehicles released to the public.  As an added reward, they get to blaze the trail for fixing this kind of error, and current reports suggest their remediation strategy isn't firing on all cylinders.  Let's take a look at the options they offer according to a ZDNet report:

  1. Drive to a dealer and have them install the update
  2. Download an update to a flash stick and install yourself
  3. Request Chrysler send the owner a flash stick with the update and install yourself

Over the air updates would be the best solution but they are not an option.  I'm uncertain of the constraints preventing this.  Given the three options above, which is the next best thing?  I'd recommend taking it into the dealer for an update.  While this is a hassle, you have a reasonable expectation that the software is legit and the mechanic is certified to click the "Next" button in the proper sequence.  If something goes wrong, it's clear where the responsibility lies.  You can treat it just like any other recall-related service.

The other two options are interesting but they give me a little pause.  These options provide convenient social engineering vectors.  It would be very easy for someone to spoof the Fiat Chrysler web site and send you a trojaned version of the software update.  Similarly, sending a bunch of USB sticks claiming to be from Chrysler but containing backdoor software and keyloggers would be a low tech, but great way to compromise a lot of systems.

Fiat Chrysler needs to consider how it will authenticate the software it sends out to the DIYers.  For the "Download from the Internet" option, SSL certificates for the site are a good start.  Making the update available only to users that have registered and logged on to a web site would be a good next step.  Finally, I think you'd want to follow up with hash values for the update package.  You might need to provide a YouTube video or similar to help people understand what the hash does and why it's important.
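To make the "hash values for the update package" step concrete, here is an added example (my own illustration, not Fiat Chrysler's tooling) of the check a DIYer's helper script would run before installing a downloaded or mailed package. The manifest layout, the file name and the sample payloads are constructed for illustration.

```python
"""Check a downloaded update package against a published SHA-256 manifest.

Added example, not Fiat Chrysler's tooling: it models the "hash values for
the update package" step from the post. File names, manifest layout and the
sample payloads are constructed for illustration.
"""
import hashlib
import hmac

# Constructed manifest, in the "<sha256 hex>  <file name>" layout that
# sha256sum emits, as a vendor might publish it on its HTTPS site.
PUBLISHED_MANIFEST = """\
# uconnect update manifest (constructed sample)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  uconnect_update.bin
"""

# Constructed sample payloads: the genuine one is the bytes b"abc", whose
# SHA-256 is the digest listed above; the other is a one-byte tamper.
GENUINE_PACKAGE = b"abc"
TAMPERED_PACKAGE = b"abd"


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> expected hex digest; blank and '#' lines are skipped."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def verify_update(name: str, data: bytes, manifest_text: str) -> tuple[bool, str]:
    """Return (ok, reason). Only an exact digest match is acceptable."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False, f"{name} is not listed in the manifest: refuse to install"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking where the first differing byte is.
    if not hmac.compare_digest(actual, expected[name]):
        return False, "SHA-256 mismatch: the package is not the published one"
    return True, "digest matches the published manifest"


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_PACKAGE), ("tampered", TAMPERED_PACKAGE)):
        ok, reason = verify_update("uconnect_update.bin", blob, PUBLISHED_MANIFEST)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
```

The hash is only as trustworthy as the channel it was fetched over, which is why the SSL-protected, logged-in download page comes first and the manifest second.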

For the "We'll send you a USB stick in the mail" option, Fiat Chrysler would have to make it clearly an opt-in choice.  Their customers would log on to an SSL-authenticated web site and request the USB stick.  Fiat Chrysler might also want the users to pick a code word or unique image of their choosing to include in a letter accompanying the USB stick.  This would help the customer get comfortable that the USB stick is actually from Chrysler and not a social engineering attack.

That's my take on the situation.  Rather than throw stones at the first guys in the chute, let's help them figure out how to solve the problem effectively and securely.  Let's be clear: Fiat Chrysler is just the first car maker with a big public vulnerability.  They are not the only one.  Get ready to see more of this kind of thing in the future.

What options have I missed?  How would you do it differently?