In July, security researchers demonstrated their ability to remotely access a Jeep Cherokee SUV without permission through the vehicle’s on-board entertainment system. Chrysler offers the UConnect system, which connects vehicles and their internal Wi-Fi to the public Internet via a cellular network. The hackers were able to take control of the Jeep’s steering, transmission and brakes through the service. More recently, researchers also managed to similarly hack into the Tesla Model S’ infotainment system and shut off the vehicle’s engine with a keystroke.
While both incidents were startling, there were some key differences in terms of execution by the hackers and the reactions of the automakers and consumers, a Time magazine article points out.
The Tesla hack, for one, required physical access to the vehicle. The Jeep attack did not. Fiat Chrysler had to recall 1.4 million Jeeps, which actually meant that it mailed Jeep owners a USB stick that would give the cars a necessary patch to provide protection from such hacks in the future. It’s doubtful that all those Jeep owners will actually take the time to plug in the Jeep’s USB stick. Meanwhile, Tesla automatically sent a patch to all its Model S vehicles via an over-the-air update – kind of like how a smartphone gets software fixes.
It’s a valid analogy. While it may be cutting edge for a vehicle to behave more like a smartphone, automakers are faced with the security risks that come with connecting to the Internet, which presents a whole host of issues they are not used to addressing.
Consumers aren’t taking the Jeep attack lightly. On Aug. 6, a group of Jeep owners filed a class-action lawsuit against Chrysler. According to The Register, the attorneys claim Chrysler’s distribution of the security software update was flawed. Car owners download the patch via HTTP, and not secure HTTPS, which leaves the code vulnerable to tampering by man-in-the-middle attackers, the filing claims.
The automaker’s UConnect service piggybacks on Sprint’s network. Apparently, Sprint has since locked down its network but owners are advised to still install the USB sticks.
Chrysler has not only had to deal with negative publicity, it had to bear the financial burden of mailing 1.4 million USB sticks to Jeep owners as part of its recall. Now it will deal with the expense of defending a lawsuit, which will probably only gain steam as more people become aware of its existence.
The hackers claim Chrysler’s current woes could have been avoided if it had used a basic intrusion detection system they had put together last year, when they reportedly first identified the security flaw.
The incident has shed light on how crucial network security is to automakers and their financial health as vehicles become more connected. In their quest to beat competitors in the connectivity race, automakers (as are other types of manufacturers) are underestimating the additional security exposures created. It seems that to be better prepared against such hacks in the future, automakers need to invest more upfront in network security so they won’t find themselves in the unenviable position of defending themselves in lawsuits later.