Fiat Chrysler recalls 1.4 million vehicles

Source: LA TImes.com (Photo by Joe Raedle/Getty Images)

Source: LA TImes.com (Photo by Joe Raedle/Getty Images)

A Jeep Cherokee hack causes a massive recall by Fiat Chrysler in America

Risk Level: Safety Critical

Background:

In July of 2015 two professional white-hat hackers, Charlie Miller and Chris Valasek , announced that they had successful remotely hacked a 2014 Jeep Cherokee. In order to prove their assertions Miller and Valasek teamed up Andy Greenberg, a journalist with technology magazine “Wired”, to produce a video in which they demonstrate the affects and possibilities of their hack. In the video Miller and Valasek remotely hack a 2014 Jeep Cherokee, which Greenberg is driving. They proceed to take control of various vehicle controls including the air conditioning, the centre console, the wipers. Most worryingly was their ability to switch the engine off while the vehicle is moving and their ability to disable the braking system.

Actual Failure:

            Definitions:

  • Uconnect- is an infotainment system, which allows users to integrate their smartphone with the vehicle’s hands-free communication capabilities. It also offers users a number of purpose built communication and entertainment applications, as well providing WIFI connectivity through an in in-built cellular connection.
Source: telematicsnews.info

Source: telematicsnews.info

  • CAN bus- The Controller Area Network (CAN bus) is a central networking system used in  the automotive sector that allows communication between various individual systems or modules within a vehicle.

The Uconnect system employs an always-on Internet connection that allows it to reply to information requests and also accept certain commands that are sent to it. Once Miller and Valasek had identified the IP address of a vehicle they were then able to exploit a weakness in security of this connection. After they had exploited this vulnerability they then introduced there own code into the system, which in turn allowed them to communicate with the CAN bus. Using the CAN bus and CAN bus commands there were effectively able to take control of the systems connected to the CAN bus.
File - PDF

Fiat Chrysler Recall Notice

 

 

Repercussions

Fiat Chrysler were forced to develop a system patch for all of the vehicles produced with the Uconnect system, this lead to a recall of 1.4 million vehicles in North America including:

  • 2013-2015 Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep® Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

Miller and Valasek had informed Fiat Chrysler of the security flaw before they went public with their accomplishments. This allowed Fiat Chrysler the opportunity to develop a software patch to fix the venerable feature.   Fiat Chrysler then offered owners of the affected veichle’s 3 possible remedies:

  1. The made the patch available to owners through there web site, allow owners the ability to install the patch themselves.
  2. They set all affect owners by post, a USB which contained the patch.
  3. They contacted all of the affected owners and offered to install the patch at the nearest dealership.

As a result of various cyber security concerns in the American automotive sector, which the Fiat Chrysler software failure highlighted in a very public way, legalisation has been introduced to the U.S Senate in the form of the SPY Act. This legalisation is intended to introduce cyber security standards for the automotive industry as well as forcing manufactures to display a rank for their security and privacy protections based on the new standards. This legalisation is still awaiting approval.

 

Failure Analysis

This failure highlights the importance of non-functional testing. This system functioned and executed as it was design and intended. It was a failure of a non-functional attribute that caused the overall system failure. In my opinion this software failure could have been avoided or identified at various stages of the development process.

 

  • Requirements Development:

    If there were an official review of the requirements developed for this system, the standards that were set to measure the cyber-security capabilities of the system would have been examined. This could have and should have ensured that the correct level and standards of cyber-security were employed.

  • Design Phase:

    If testers were involved in the initial design phase of the system they could have and should have been able to identify that any functionality that called for Internet connectivity would need to rigorously tested for cyber-security issues. Also at the design phase a review and testing of the overall system design could have highlighted the possibly ability of a non-safety critical module to communicate and affect a safety critical module.

  • Testing Phase:

    The developers and testers could have employed black-box testing of the Uconnect system’s connectivity. This would have allowed them to test the valid and non-valid commands in order to examine the effects of  of non-valid command code injection .

 

How to be avoided in the future

In our opinion one of the main ways to avoid a security breach in any software system is the employment of white-hat hackers as testers and asking them to vigorously test the security of the system. Had Charlie Miller and Chris Valasek been consultants on this project and tested the security of the system for the company rather than as self appointed regulators, this failure could have been avoided.

Also the implementation of a testing process on how non-safety critical module can possible connect to and affect a safety critical module. This testing must start at the design phase of the project.

 

Source and Reference material :

http://www.autonews.com/article/20150724/OEM11/150729921/fiat-chrysler-recalls-1.4-million-vehicles-to-install-anti-hacking

http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/

http://www.theguardian.com/business/2015/jul/24/fiat-chrysler-recall-jeep-hacking

http://media.fcanorthamerica.com/newsrelease.do;jsessionid=5672FEF1BD9822E05D8CB1C36075D582?&id=16827&mid=1

http://www.autotrader.com/car-tech/what-is-chrysler-uconnect-215353

http://www.driveuconnect.com/

http://www.huffingtonpost.com/entry/spy-act-car-hackers-senators-security_55ae4e72e4b0a9b94852748b

http://www.markey.senate.gov/news/press-releases/sens-markey-blumenthal-introduce-legislation-to-protect-drivers-from-auto-security-privacy-risks-with-standards-and-cyber-dashboard-rating-system

http://blog.fcanorthamerica.com/2015/07/24/unhacking-the-hack-ensuring-security/

https://sewelldirect.com/learning-center/canbus-technology

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s