Today the DHS ICS-CERT published an alert for yesterday’s
report of the hack on a Jeep Cherokee. This is the same
hack that most of the control system cybersecurity community was discussing
yesterday on social media.

ICS-CERT notes that the unnamed researchers (we are playing
that game again) have been in contact with Fiat-Chrysler Automotive (FCA)
about the vulnerability for about 9 months, and that FCA published a security
notice [Note: there are minor problems with the link on the Alert] and a
firmware update for the problem last week. There is also an FCA
blog post (entitled “Unhacking the
hacked Jeep”; nice catchy title) explaining the situation.

It seems to me that this should have been an advisory (with appropriate
credit to the researchers) instead of an alert. While ICS-CERT may not have
been involved, there was enough coordination that the vendor was able to get
a patch out a week before the demonstration (not exploit code) was released
to the public.

This alert did nothing more than make ICS-CERT look late and ineffective.

BTW: It will be interesting to see if other automakers using the Uconnect
system will publish their own alerts or just offer the patch.