Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/24/2015
03:45 PM
100%
0%

Chrysler Recalls 1.4 Million Vehicles After Jeep Hacking Demo

National Highway Traffic Safety Administration will be watching to see if it works.

Today, Fiat Chrysler recalled 1.4 million vehicles possibly affected by a vulnerability in the UConnect infotainment system that could allow attackers to hijack the vehicle's steering and braking. Car hacking researchers Chris Valasek and Charlie Miller demonstrated proof of concept in striking fashion, when they wirelessly took control of a 2014 Jeep Cherokee driven by Wired reporter Andy Greenberg and brought it from 70 mph to a screeching halt.

The National Highway Traffic Safety Administration (NHTSA) is launching an investigation to determine the effectiveness of Fiat Chrysler's recall.

As Dark Reading's Kelly Jackson Higgins wrote yesterday in an interview with Valasek:

Miller and Valasek were able to control a 2014 Jeep Cherokee's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

Although Miller and Valasek said that only up to 400,000 vehicles were affected by the vulnerability, 1.4 million are listed in the voluntary recall, including 2013 to 2015 Dodge Vipers and Ram pickups; 2014 to 2015 Jeep Grand Cherokee, Cherokees and Dodge Durango SUVs; and 2015 Chrysler 200, Chrysler 300 and Dodge Chargers and Challengers.

"The interesting thing about this recall is not that it’s going to be expensive and inconvenient (it will)," says Jeff Williams, CTO of Contrast Security, "but that it shouldn’t have had to happen. We already know the importance of auto-update. Remember those painful years of downloading Windows updates only to have them fail, crash, and re-release? If cars are going to have software, then they absolutely need to have auto-update."

"You can develop that most advanced vehicle that has all of the latest safety features and high tech gadgets in it, but if it can be bricked by remote exploits, you are going to have wary consumers who may choose the next brand of vehicle because they put more emphasis on security," says Ken Westin, senior security analyst for Tripwire. "The automotive industry understands the importance of security and they are not only working with researchers, but also each other to help develop standards and best practices for more secure vehicles and the work that researchers are doing like Miller and Valasek is actually helping to make our vehicles more secure in the future.”

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RobertP244
50%
50%
RobertP244,
User Rank: Apprentice
7/27/2015 | 12:22:58 PM
GM's OnStar also has a major security flaw
When you call in about your OnStar account they ask you for your PIN.   To me that is like your bank asking for your ATM card PIN before they will talk to you.    It means their people can see your PIN in the clear.    Now, heavens to muurgatroyd, should you use the same PIN for OnStar that you used for your ATM card (which may have been the account you gave them to pay for OnStar)...

Sorry, can't finish, gotta run to the car.
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVE-2018-20976
PUBLISHED: 2019-08-19
An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.