430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Fiat Chrysler distributes the fix for flawed Jeep via mailed USB

The decision of Fiat Chrysler for providing a software update via Mailed USB is considered disconcerting for the security industry. Do you remember the hack of the Fiat Chrysler Jeep? In response to the disclosure of the details of the successful attack, the company recalled nearly 1.4 vehicles in the US in order to update the firmware running […]

Fiat Chrysler distributes the fix for flawed Jeep via mailed USB

The decision of Fiat Chrysler for providing a software update via Mailed USB is considered disconcerting for the security industry.

Do you remember the hack of the Fiat Chrysler Jeep? In response to the disclosure of the details of the successful attack, the company recalled nearly 1.4 vehicles in the US in order to update the firmware running on the vulnerable component.

Customers could visit a dealership to receive the update, Fiat Chrysler also published the software update on the official website, it is available for tech-savvy car owners that want to update their card in autonomy.

Fiat Chrysler also has started distributing the patch for its vehicles by sending it via a USB stick sent in the post.

Fiat Chrysler USB stick

It is easy to imagine why the majority of security experts are disconcerted by the mechanism chosen by Fiat Chrysler to update the flawed software on its vehicles.

Personally, I am disappointed by this choice like many colleagues. Without a method easy to use for the verification of the authenticity of the software sent by Crysler, its customers continue to be exposed to further attacks.

Someone could substitute the legitimate update sent by Chrysler with a malicious one and send it to the owner of the vulnerable vehicle.

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security, to the BBC.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.”

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

Using a USB to distribute software update has wider security implications.

How does a Chrysler customer can verify that the software is genuine?
We can think of the verification of the hash of the code present on the USB, an operation that can result difficult for the majority of car owners.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” Bassill told the BBC.

Pierluigi Paganini

(Security Affairs – Fiat Chrysler, Patch Management)