Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2

Author Topic: How not to perform a critical software update.  (Read 6768 times)

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
How not to perform a critical software update.
« on: September 04, 2015, 08:30:20 PM »

How not to perform a critical software update.
Hacked Jeep USB update criticised
http://www.bbc.co.uk/news/technology-34156598

Obviously, saving money is more important than security.
This lunacy is worse than the original fault and opens the door to further grief when the update methodology is reverse engineered from the USB stick.

Who could possibly have signed this off ?
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: How not to perform a critical software update.
« Reply #1 on: September 05, 2015, 08:51:06 AM »

Does seem a bit silly with hindsight.

I wonder to what extent take control means "able to take control of a Jeep Cherokee via its internet-connected entertainment system"
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: How not to perform a critical software update.
« Reply #2 on: September 05, 2015, 10:17:18 AM »

I read about it a few weeks ago, quite disturbing.  My understanding is that these cars are actually internet-connected, via their own mobile radio connection.  That is becoming quite common for new cars.  The remote attackers were able to make the radio play unpleasant music, control the aircon, etc.  And. more scarily, to make the car go faster or slower, and stop altogether.   :o

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

I would personally argue that for any system that connects to the public internet, it is just a matter of time til the bad guys find a vulnerability and do something nasty.  The real problem might then come when modern cars reach such an age - maybe just five or ten years old - that the manufacturers can no longer be bothered offering updates to fix vulnerabilities?  ???
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: How not to perform a critical software update.
« Reply #3 on: September 05, 2015, 11:29:18 AM »

Thanks for that 7LM.   I had wondered if it was just say the radio.   The fact that it can affect steering and speed is really very scary.  :o
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: How not to perform a critical software update.
« Reply #4 on: September 05, 2015, 11:33:46 AM »

@sevenlayermuddle
Ditto.
It has been all over the Internet because it was so serious.
The point is first you discover how to change things in a moving car.
The next you allow the update process to be reversed.
It is only a small step to someone working out how to make system changes on the fly *without* the usb stick.
The rest is an exercise in how good your imagination is. :(

Sent from my LG-D855 using Tapatalk

Logged

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: How not to perform a critical software update.
« Reply #5 on: September 05, 2015, 11:38:24 AM »

The real risk is that it is likely not to be a 'Bad guy' but some clever kid(s) who don't realise the possible consequences.
The old "I didn't mean that, It was a joke" line. :(

Sent from my LG-D855 using Tapatalk

Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: How not to perform a critical software update.
« Reply #6 on: September 05, 2015, 12:01:09 PM »

Actually, I'm not too alarmed by the USB update.

Relying on the 'secrecy' of an update mechanism is security through obscurity, which is always doomed.   That being the case, they might as well publish the update mechanism from day one, accepting it will eventually escape.

And at least they are clearly taking practical action to fix a very urgent and safety critical problem.   The obvious alternative would be a dealer recall, but the dealer network then has to find time for all this unscheduled work, it can take many months before all cars are updated.

I'm not too clued up on what possibilities there might be for a cryptographic signature on the update to allow phoney updates to be rejected.  I'd very much like to think they have that covered...?
Logged

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: How not to perform a critical software update.
« Reply #7 on: September 05, 2015, 12:04:27 PM »

I would like to think it also, but the track record of anticipation seems to suggest this isn't a forgone conclusion, by any measure. :)

Sent from my LG-D855 using Tapatalk

Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: How not to perform a critical software update.
« Reply #8 on: September 05, 2015, 12:27:14 PM »

I would like to think it also, but the track record of anticipation seems to suggest this isn't a forgone conclusion, by any measure. :)

Sent from my LG-D855 using Tapatalk

Agreed.

I read an article recently (maybe the one I posted earlier?) that compared modern cars to smartphones on wheels.  That must be a steep learning curve requiring new skills for the car makers, figuring out how to handle security aspects.  I would also hazard a guess that as discussed elsewhere recently for software vendors, the car makers will also face temptations for commercially valuable 'data grabs', which might be at odds with the best security interests.   

It would be rash to assume they'd all get it right, and it would be rash to assume that more than a tiny percentage of car buyers understand the risks.
Logged

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: How not to perform a critical software update.
« Reply #9 on: September 05, 2015, 12:35:02 PM »

Exactly the point.
Car makers know nothing about IT security. Even the IT industry has problems :)
They have probably 'rolled their own' when it comes to security.
They would have to pay to use something more secure from someone who knows what they are doing.
Such as QNX.
Also such things take time to develop and test, maybe they were in a hurry to beat a competitor??
They sure know the downside to that decision now!
:D

Sent from my LG-D855 using Tapatalk
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: How not to perform a critical software update.
« Reply #10 on: September 07, 2015, 02:49:11 AM »

Security never matters

until ....

A compromise happens that makes the news, then it will temporarily matter until the fuss dies down.

Think of all these sites been hacked as an example.

Only banks seem to take security seriously which is because of course they are responsible for damages, so e.g. they have to refund an account that has transactions due to security breaches in their systems.

As an example pretty much all routers that use linux are using very obselete code, I am surprised router exploits are as low as they are, but they will increase as they started to be targeted more now.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: How not to perform a critical software update.
« Reply #11 on: September 09, 2015, 04:11:33 PM »

Only banks seem to take security

Banks?  I beg to differ, in the extreme... many banks are IMAO absolutely clueless when it comes to security. :D

They often accept 'postcode and date of birth' as 'proof of identity' for customers calling by phone.  ::)  That is despite the fact that DOB is trivially easy to find out for a great many people.    And when banks call the customer,  customers are expected to provide answers to security questions, even though the call could be fishing. Calling line ID means nothing, it is as easy to spoof a calling line ID on a phone call is it is to spoof a 'from' address in email.

Their liability for fraud is often non existent when the bank thinks you have disclosed passwords or PINs, or even just wrote them down.  They then create password requirements that are so horrendously complicated that most people must write it down to have any chance of remembering it.

They are generally in complete denial about the actual possibility of transaction errors caused by hardware or software bugs (or hacks), despite the fact we all know that all software has bugs, all  servers will eventually be hacked if somebody tries hard enough, and that all cash machines will once in a while miscount some bank notes.   :)
Logged

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: How not to perform a critical software update.
« Reply #12 on: September 09, 2015, 06:03:22 PM »

@sevenlayermuddle
Totally agree.

All the high profile institutions engage in 'Security Theatre'.
It looks good and can be backed up by a good story but is in reality not doing much really.
Security that works is hard to do and costs a lot.
The usual compromise is 'Make it look good' and make sure there is a way to re-direct the blame on someone else.
Banks when caught out blame the customer on the basis of a suspicion which does not need to be proven.
The Post Office has had people sent to prison for fraud when the fraud cannot be demonstrated but just the fact that money is missing is enough to win the case.
(The defence is that the software used by the PO franchisee is faulty but this cannot be proven/accepted by the PO.)

'Security Theatre' is everywhere, when you fly on a plane, invest money/trade stocks & shares, Banks (as above), drive a car ........ etc etc.
Everyone wants Security but nobody wants to pay for it.
End result is what we have now.
You get what you pay for sometimes.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: How not to perform a critical software update.
« Reply #13 on: September 09, 2015, 07:16:39 PM »

As an example pretty much all routers that use linux are using very obselete code, I am surprised router exploits are as low as they are, but they will increase as they started to be targeted more now.

Agreed on the Linux factor.  One has to tread carefully on Kitz forums when criticising Linux so to be clear, I think it is as well written as any other OS and that vulnerabilities are patched in double quick time, generally patched much faster than say Apple or Microsoft.

The trouble is, those who have adopted Linux 'snapshots' for embedded application in everything from electric toothbrushes to telecoms switches, with TVs, DVD players and the likes in between.   For a toothbrush or a coffee grinder, that's not a problem.   For a TV or DVD player, with an Internet connection,  like a router, it is a worry.   But for a critical telecoms switch, it really scares me.   :o
« Last Edit: September 09, 2015, 07:49:06 PM by sevenlayermuddle »
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: How not to perform a critical software update.
« Reply #14 on: September 09, 2015, 07:46:02 PM »

Only banks seem to take security

Banks?  I beg to differ, in the extreme... many banks are IMAO absolutely clueless when it comes to security. :D

They often accept 'postcode and date of birth' as 'proof of identity' for customers calling by phone.  ::)  That is despite the fact that DOB is trivially easy to find out for a great many people.    And when banks call the customer,  customers are expected to provide answers to security questions, even though the call could be fishing. Calling line ID means nothing, it is as easy to spoof a calling line ID on a phone call is it is to spoof a 'from' address in email.

Their liability for fraud is often non existent when the bank thinks you have disclosed passwords or PINs, or even just wrote them down.  They then create password requirements that are so horrendously complicated that most people must write it down to have any chance of remembering it.

They are generally in complete denial about the actual possibility of transaction errors caused by hardware or software bugs (or hacks), despite the fact we all know that all software has bugs, all  servers will eventually be hacked if somebody tries hard enough, and that all cash machines will once in a while miscount some bank notes.   :)


talking about internet security.

ultimately tho allowing people to remotely manage their accounts will always carry loopholes or weaknesses as you put it.

But if you compare banks to how other companies approach web site security there is a clear difference.

By the way my first hand experience differs, I suffered fraud some years back, they put the money back in my account extremely quickly, before they even sent out the form for me to fill in.
Logged
Pages: [1] 2
 

anything