Saturday, September 5, 2015

How to securely distribute security patches (not?)

Chrysler was some time ago in the centre of the news after a ridiculously easy hack was demonstrated that allows an attacker to completely take over a vehicle, including crashing it with a push of a button.

Props to Chrysler for reacting fast(-ish) (as if they had an option given the Safety rating of the vulnerability) but a company like that should know better that sending a USB stick over the post is not the best way of doing it and is opening a precedent: anything that in the future arrives in the post and looks legit will be installed by enough car owners.

Then again, what are the options? Not many that serves well a heterogeneous group of people (1.4m vehicles). Recalling all vehicles was probably less efficient and too costly.

I do see, however, they sending blank USB sticks over with instructions to download & install the patch to it from a website with login credentials sent by post and the usb stick having further means to verify the patch -- along with a bold note advising never to insert a usb disk under no other circumstances. People unable to follow the procedure would be redirected to a Chrysler garage.

What am I missing? You're welcome to send comments on

No comments:

Post a Comment