Today the DHS ICS-CERT published an alert for yesterday’s report of the hack on a Jeep Cherokee. This is the same hack that most of the control system cybersecurity community was discussing yesterday on social media.
ICS-CERT notes that the unnamed researchers (we are playing that game again) have been in contact with Fiat-Chrysler Automotive (FCA) for about 9 months about the vulnerability and FCA published a security notice [Note: there are minor problems with the link on the Alert] and firmware update on the problem last week. There is also an FCA blog post (entitled “Unhacking the hacked Jeep”; nice catchy title) explaining the situation.
It seems to me that this should have been an advisory (with appropriate credit to the researchers) instead of an alert. While ICS-CERT may not have been involved, there was enough coordination that the vendor was able to get a patch out a week before the demonstration (not exploit code) was released to the public.
This alert did nothing more than make ICS-CERT look late and ineffective.
BTW: It will be interesting to see if other automakers using the Uconnect system will publish their own alerts or just offer the patch.