Hacked Jeep USB software patch criticized

Last month, as you'll no doubt remember, Fiat Chrysler recalled 1.4 million vehicles after Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee via a vulnerability in its Uconnect onboard computer.

The automotive giant has now started issuing security patches to address the vulnerability, which is a very sensible move: patch management is an essential component of basic cybersecurity. Away from the Internet of Things (IoT), Verizon's 2015 Data Breach Investigations Report found that over 90% of attacks exploited known vulnerabilities for which patches were already available.

Of course, you can't run an automatic software update on a car the way you can on a laptop, and certainly not while it's being driven down the freeway. Recognizing this problem, Fiat Chrysler has decided that the best way to distribute the update is to mail a USB stick to each registered owner, who then installs it themselves by plugging it into the vehicle.

This is problematic.

For one thing, anyone who gets hold of one of the USB sticks can reverse-engineer its contents to look for other potential vulnerabilities (a patch is, among other things, a map of what was wrong). That is no great stretch of the imagination: some criminals drive Fiat Chrysler vehicles, and others have access to the mailboxes of people who do.

For another, criminals could run a very old-fashioned phishing campaign through the postal system: mail USB sticks carrying malware of their own, dressed up as the legitimate update. There is no way for the owner to determine whether the stick is authentic, so owners could unwittingly infect their vehicles just as they might by clicking a dubious link or opening an infected attachment in a phishing email.
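What is missing from the mailed-stick scheme as described above is any way for the vehicle itself to check that the update came from the vendor and was not altered in transit. The following Go program is an added example, not Fiat Chrysler's update format or code: it shows the shape of a signed update package (a firmware image, a manifest committing to the image's SHA-256, and an Ed25519 signature over the manifest) and the vehicle-side check that rejects both a stick whose image was swapped and a stick forged with an attacker's own key. The package layout, the manifest fields, the version string and the keys are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UpdatePackage is a constructed, hypothetical layout for what a mailed
// USB stick could carry: the firmware image, a manifest describing it, and
// the vendor's signature over the manifest. It is not FCA's real format.
type UpdatePackage struct {
	Manifest  []byte
	Image     []byte
	Signature []byte
}

// BuildUpdate is the vendor side: hash the image, write the manifest, and
// sign the manifest with the vendor's private signing key.
func BuildUpdate(vendorPriv ed25519.PrivateKey, version string, image []byte) UpdatePackage {
	sum := sha256.Sum256(image)
	manifest := fmt.Sprintf("version=%s\nimage_sha256=%s\n", version, hex.EncodeToString(sum[:]))
	return UpdatePackage{
		Manifest:  []byte(manifest),
		Image:     image,
		Signature: ed25519.Sign(vendorPriv, []byte(manifest)),
	}
}

// manifestField returns the value of "key=..." in the manifest, or "" if absent.
func manifestField(manifest []byte, key string) string {
	for _, line := range strings.Split(string(manifest), "\n") {
		if strings.HasPrefix(line, key+"=") {
			return strings.TrimPrefix(line, key+"=")
		}
	}
	return ""
}

// VerifyUpdate is the vehicle side. vendorPub is the public key baked into
// the car's firmware at manufacture; nothing on the stick can supply a key.
func VerifyUpdate(vendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	// 1. The manifest must carry a valid signature from the vendor key.
	if !ed25519.Verify(vendorPub, pkg.Manifest, pkg.Signature) {
		return errors.New("reject: manifest signature does not verify against the vendor key")
	}
	// 2. The image must match the hash the signed manifest commits to, so an
	//    attacker cannot keep the genuine manifest and swap the image.
	want, err := hex.DecodeString(manifestField(pkg.Manifest, "image_sha256"))
	if err != nil || len(want) != sha256.Size {
		return errors.New("reject: manifest has no usable image_sha256 field")
	}
	got := sha256.Sum256(pkg.Image)
	if !bytes.Equal(got[:], want) {
		return errors.New("reject: image hash does not match signed manifest")
	}
	return nil
}

func main() {
	// Constructed keys and image: the vendor key pair is generated here only so
	// the example runs stand-alone; in a real deployment it would live in an HSM.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image bytes")

	genuine := BuildUpdate(vendorPriv, "example-1.0", image)
	fmt.Println("genuine stick:", VerifyUpdate(vendorPub, genuine))

	// Mailbox attacker A: swaps the image but keeps the vendor's manifest and signature.
	tampered := genuine
	tampered.Image = []byte("attacker firmware")
	fmt.Println("tampered image:", VerifyUpdate(vendorPub, tampered))

	// Mailbox attacker B: builds a complete package signed with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildUpdate(attackerPriv, "example-1.0", []byte("attacker firmware"))
	fmt.Println("forged package:", VerifyUpdate(vendorPub, forged))
}
```

The check only tells the vehicle that the stick came from whoever holds the vendor key; it does nothing about the first objection above, since a signed image is still readable and can be reverse-engineered just as easily. A real scheme would also need a version field the vehicle compares against what it is running, so that an attacker cannot replay an older, signed but vulnerable image.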

The importance of patch management

For the Internet of Things, patch management is a very new problem; for sysadmins it is a long-established one that should be addressed on at least a monthly basis, which is the cycle on which many major vendors, Microsoft included, publish their fixes.

If your patch management programme isn't up to scratch, one of the best ways of finding out which vulnerabilities actually affect you is to conduct a penetration test.

Vulnerabilities in off-the-shelf software, CMS platforms, applications and plugins are discovered, and exploited, all the time by opportunistic criminal hackers who use automated scans to find targets running unpatched versions.

IT Governance is a CREST-accredited penetration testing service provider and a PCI QSA (Qualified Security Assessor), and is qualified to conduct vulnerability scans and penetration tests to ensure your compliance with standards including the PCI DSS and ISO 27001.

Making sure you close your security gaps and fix vulnerabilities as soon as they are known is essential to keeping your networks secure and your corporate information safe.
