Sunday, July 26, 2015

The most expensive computer security bug ever?

Chrysler has issued a recall of 1.4 million vehicles that are vulnerable to remote hacking via the Internet. Basically everything they've built in the 2013 through 2015 model years is affected, including RAM pickup trucks and Viper sports cars. Basically the whole product line.

Owners don't need to take their cars back to the dealer; rather, Chrysler will send them a software update on a USB stick. That got me thinking about what this cost.

Short answer, maybe $20M.

This is based on an estimate of $15 per car to cover the cost of the USB device, loading the software on it, and mailing it to the owner. Sure, customers can download it from Chrysler's website to their own USB. That should cover a couple thousand out of the 1.4M ...

Man, you could have gotten a lot of security design work for $20M.

And the punch line? Good chance the "fix" won't fix everything and so they'll have to do it again. And that we'll hear this from other vendors too.

3 comments:

matism said...

The hackers admit that they chose the Jeep because it was the easiest, but that others were good targets as well, including the Cadillac Escalade:
http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11754089/Hacker-remotely-crashes-Jeep-from-10-miles-away.html
But then Cadillac is owned by Government Motors, so they don't have to worry about the Feds coming after them.

One should expect that ANY vehicle with remote connectivity built in (OnStar, anyone?) has more holes than Windows. Including backdoors intentionally put in for the FedPigs.

SiGraybeard said...

Someone should ask the obvious question: who would ever think it's a good idea to tie safety-critical systems together with the entertainment WiFi system?? And then fire whoever it was.

aczarnowski said...

Did the same guy that came up with interconnected control systems come up with the USB idea?

Send people USB sticks with software on them which they'll stick in their car and let it do whatever it wants? Nobody with bad intentions will start sending USB sticks in envelopes with official looking Chrysler logos. Nah. This'll work great.

Will the mailers include leading phrases which might be interpreted to mean I may have won a sweepstakes?

Idiots.