Chrysler Catches Flak for Patching Hack Via Mailed USB

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/2015/09/chrysler-gets-flak-patching-hack-via-mailed-usb/

By Andy Greenberg
Security
Wired.com
09.03.15

Six weeks after hackers revealed vulnerabilities in a 2014 Jeep Cherokee 
that they could use to take over its transmission and brakes, Chrysler has 
pushed out its patch for that epic exploit. Now it’s getting another round 
of criticism for what some are calling a sloppy method of distributing 
that patch: On more than a million USB drives mailed to drivers via the US 
Postal Service.

Security pros have long warned computer users not to plug in USB sticks 
sent to them in the mail—just as they shouldn’t plug in thumb drives given 
to them by strangers or found in their company’s parking lot—for fear that 
they could be part of a mass malware mailing campaign. Now Chrysler is 
asking consumers to do exactly that, potentially paving the way for a 
future attacker to spoof the USB mailers and trick users into installing 
malware on their cars or trucks.

“An auto manufacturer is basically conditioning customers into plugging 
things into their vehicles,” says Mark Trumpbour, an organizer of the New 
York hacker conference Summercon whose sister-in-law’s husband received 
the USB patch in the mail Thursday. “This could have the potential to 
backfire at some point in the future.”

When WIRED reached out to Chrysler, a spokesperson responded that the USB 
drives are “read-only”—a fact that certainly wouldn’t protect users from a 
future spoofed USB mailing—and that the scenario of a mailed USB attack is 
only “speculation.”

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/