Jeep's USB security update criticised

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is not the best way of dealing with the situation.

‘This is not a good idea. Now they’re out there, letters like this will be easy to imitate,’ said Pete Bassill, chief executive of UK firm Hedgehog Security.

‘Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.’

‘There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.’

He said that using a device like this had wider implications.

‘Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,’ he told the BBC.

In July, security researchers Charlie Miller and Chris Valasek demonstrated that it was possible for hackers to control a Jeep Cherokee remotely, using the car’s entertainment system, which connected to the mobile data network.