Re: Hackers Remotely Kill a Jeep on the Highway
From offlist: On 07/24/2015 01:24 PM, Peter Fairbrother wrote:
Fiat Chrysler recalls 1.4 million cars after Jeep hack
Was just cruising twitter and noticed that @Uconnect is touting the patch for their Chrysler in-car entertainment system. I suspect the lack of 'firewall' between it and the car control circuitry was similar to the problem that caused a China-base Mattel contractor to send lead-painted toys to be included in (was it BK?) 'happy meals' for kids. The problem? What the toy was going to be used for simply wasn't mentioned in the specs delivered to the contractor so they never took it into consideration to use a non-toxic coating. In this case it looks like the in-car entertainment system manufacturer simply wasn't aware of the rest of the circuitry in the vehicle, and it wasn't mentioned by Chrysler, so they never even thought about it. RR
On Fri, Jul 24, 2015 at 02:00:45PM -0700, Razer wrote:
From offlist:
On 07/24/2015 01:24 PM, Peter Fairbrother wrote:
Fiat Chrysler recalls 1.4 million cars after Jeep hack
Thanks. The link appears to contradict wired's claim of "wireless exploit", possibly because they are covering their corporate asses. <quote> Fiat Chrysler said exploiting the flaw "required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code" and added manipulating its software "constitutes criminal action". </quote> "prolonged physical access to a subject vehicle" isn't remote. Is the jeep sploit remote or not? "time to write code" doesn't make sense to me once you have written it.
On 7/25/15, Georgi Guninski <guninski@guninski.com> wrote:
... Thanks. The link appears to contradict wired's claim of "wireless exploit",
incorrect. it was wireless, and not only that, it was remote incoming over Sprint infrastructure.
possibly because they are covering their corporate asses.
so much ass covering right now!
Fiat Chrysler said exploiting the flaw "required unique and extensive technical knowledge,
ahahahah
prolonged physical access to a subject vehicle and
lololololol
extended periods of time to write code" and added manipulating its software "constitutes criminal action".
motherfuckers, did you learn nothing? this is how not to respond to severe, critical, architectural defects in critical systems. guess auto industry gonna play it ugly. (too bad, we all lose!) best regards,
On 7/25/15, coderman <coderman@gmail.com> wrote:
...
two points of clarification: 1. there is assumption that information is silo'ed, also cannot be shared. not! 2. the difficulty regarding SprintPCS is that their lease space spans class A's. see https://peertech.org/files/cidr-privacy-space-cell-data-2009.txt for a unique set sample across five devices for a month in a particular configuration at a single tower. for example. this is why the mandatory Sprint block was actually an unconventional but exceptionally effective mitigation for this path to remote control. best regards,
On Sat, Jul 25, 2015 at 03:58:48AM -0700, coderman wrote:
On 7/25/15, coderman <coderman@gmail.com> wrote:
...
two points of clarification:
1. there is assumption that information is silo'ed, also cannot be shared. not!
2. the difficulty regarding SprintPCS is that their lease space spans class A's. see https://peertech.org/files/cidr-privacy-space-cell-data-2009.txt for a unique set sample across five devices for a month in a particular configuration at a single tower. for example.
this is why the mandatory Sprint block was actually an unconventional but exceptionally effective mitigation for this path to remote control.
best regards,
Do you mean for additional ownage one needs network sploits? Is Sprint's network equipment up to date and safe? (Having in mind Cisco/BGP and the like we doubt it)
On 7/25/15, Georgi Guninski <guninski@guninski.com> wrote:
... Do you mean for additional ownage one needs network sploits?
correct. like cell site simulators which put you in the data path.
Is Sprint's network equipment up to date and safe? (Having in mind Cisco/BGP and the like we doubt it)
they peer differently than most, out of Kansas. it's kinda weird :) also more secure than most, so i suspect the next weak link is GSM... best regards,
On Sat, Jul 25, 2015 at 03:52:17AM -0700, coderman wrote:
extended periods of time to write code" and added manipulating its software "constitutes criminal action".
motherfuckers, did you learn nothing?
no, like every industry first hit by our train.
this is how not to respond to severe, critical, architectural defects in critical systems.
guess auto industry gonna play it ugly.
there was already this news item: "Fiat Chrysler Recalls 1.4 million Cars After Software Bug is Revealed" this is not very sustainable i guess. my bet for their next step is fixing this OTA. m( -- otr fp: https://www.ctrlc.hu/~stef/otr.txt
participants (4)
-
coderman -
Georgi Guninski -
Razer -
stef