A Krooklok's not going to help much here...

What can we do about the vulnerabilities of connected cars?

Wired magazine's experience and reporting of a Jeep being "hacked" via a vulnerability in Chrysler's Uconnect system seems to have become a "story with legs" and is being widely reported outside both the technology and motoring arenas. This is, naturally, worrying and many newspapers and blogs are conjuring emphatically-written pieces imagining be-hoodie'd, pizza-eating hackers targeting the readers' cars from darkened hideaways across the globe whilst ignoring that the test took place, irresponsibly in my opinion, on the public highway.

Before we can whip ourselves into a frenzy of rage, we first need to understand the history of how this type of vulnerability has come to light.

Ever since before the BMW 8-series became the first production car to have full CAN-BUS wiring in the late 1990s, vehicles, like so much in our lives, have been moving further and further from being "wired" and closer and closer to being "networked". The trouble is that the networking of our vehicles seems to be a lot like the networking of our homes, schools and offices of about that period. This wasn't an issue until recently: our cars were small, self-contained networks trundling about on their own four wheels, absorbing and receiving simple data packets via radio but not communicating with their environment in any meaningful manner. As these data connections have become more complex and of higher bandwidth, car makers have been tempted to add more and more interactions between vehicle and environment until a 3G connection becomes near-vital for a car to function (here's looking at you, Tesla!).

Architecture of the Uconnect Hack - Environment


The Wired article explains that Uconnect uses a mobile telephone connection to link the car to a data center, and that if you have the car's IP address you can use that connection to reprogram a chip in the entertainment system (they don't say how...) and then access all the other control systems once you're in. In other words, there seems to be no way of limiting a Bad Actor's movements once they've exploited an access weakness.

Architecture of the Uconnect Hack - Interconnectivity without security


So what should the solution be? Do we simply forget the idea of connected cars and take a step backwards? Well no, I'm not sure that's really going to solve anything. We have to trust that this clear demonstration of a security weakness (for which a patch is available from your nearest FCA dealer, or for you to install yourself if you're in North America) will be the pointy shoe up the bottom of the vehicle industry that forces them to take the security of vehicle systems seriously, implementing layered security and intelligent connectivity that stops ECUs accepting commands from entertainment systems. It's not as if these corporations don't have security experts on their staff already - they routinely defend their corporate and plant networks through encryption, firewalls and secure protocols as it is.
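To make "stops ECUs accepting commands from entertainment systems" concrete, here is an added sketch (not from the Wired article, FCA or any vendor) of a default-deny gateway sitting between an infotainment bus and a control bus. The bus names, CAN IDs, payload limits and rate limits are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed segment names and CAN IDs; not real Jeep/FCA values.
INFOTAINMENT, CONTROL = "infotainment", "control"

@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit arbitration ID
    data: bytes   # 0..8 payload bytes

@dataclass(frozen=True)
class Rule:
    max_len: int          # longest payload allowed for this ID
    min_interval: float   # minimum seconds between forwarded frames

# Default deny: only (source, destination, ID) combinations listed here cross.
POLICY = {
    # Control bus may publish display data (speed, rpm) to the head unit.
    (CONTROL, INFOTAINMENT): {0x3E8: Rule(8, 0.0), 0x3E9: Rule(8, 0.0)},
    # Head unit may send one low-risk request, short and rate limited.
    (INFOTAINMENT, CONTROL): {0x5A0: Rule(2, 0.5)},
}

class Gateway:
    def __init__(self, policy):
        self.policy = policy
        self.last_seen = {}  # (src, dst, can_id) -> time of last forwarded frame
        self.dropped = []    # audit trail: (time, src, can_id, reason)

    def forward(self, src, dst, frame, now):
        """Return True if the frame may cross src -> dst, else record and drop."""
        rule = self.policy.get((src, dst), {}).get(frame.can_id)
        if rule is None:
            return self._drop(now, src, frame, "id not allowlisted")
        if len(frame.data) > rule.max_len:
            return self._drop(now, src, frame, "payload too long")
        key = (src, dst, frame.can_id)
        last = self.last_seen.get(key)
        if last is not None and now - last < rule.min_interval:
            return self._drop(now, src, frame, "rate limit")
        self.last_seen[key] = now
        return True

    def _drop(self, now, src, frame, reason):
        self.dropped.append((now, src, hex(frame.can_id), reason))
        return False
```

The `dropped` list is what a monitoring function would watch: a head unit that suddenly emits IDs outside its allowlist is itself a signal that it has been tampered with.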

In the meantime, does anyone know the option code for the "Firewall Pack" on the ND MX-5?