How *not* to patch a security vulnerability

If you’re a vendor… don’t do what Fiat Chrysler did:

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.

It’s hard to believe a company as Fiat Chrysler could be this boneheaded about security. But somehow, this ridiculous plan to send USB sticks out to Jeep Cherokee owners got greenlit. Some 1.4 million Jeeps are said to be affected by the aforementioned vulnerability, which is a lot of vehicles.

Fiat is making a bad problem much worse, as Pete Bassill explains:

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

He said that using a device like this had wider implications.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.

Fiat did issue a voluntary recall, allowing owners to bring affected vehicles into dealerships to get their firmware upgraded. They should have left it at that — if pushing out updates over the air wasn’t possible. Perhaps Fiat went with USB sticks thinking it would be an inexpensive way to help their customers update their vehicles’ firmware. But in the long term, I imagine it’s going to be more expensive, because of the can of worms they’ve opened for themselves.