Hacker-friendly Chrysler hauled into court for class-action showdown

Black Hat 2015 Fiat Chrysler is facing a class-action lawsuit in the US after researchers proved they could wirelessly snatch control of the engine management systems in some of its vehicles.

The lawsuit, filed in the southern district of Illinois, claims Chrysler knew the networking systems in its cars were insecure. The motoring giant offers a service called uConnect that connects vehicles and their internal Wi-Fi to the public internet via the cellular network, allowing people to check Facebook on the move, or whatever.

Security researchers Chris Valasek and Charlie Miller warned last year, at Black Hat 2014, that hackers could reach across the internet, and exploit software vulnerabilities to interfere with hardware and machinery in Chrysler's Jeeps.

Last month, Chrysler recalled 1.4 million vehicles just days after Miller and Valasek proved that, yes, they could remotely control a Chrysler's brakes and engine without permission via uConnect.

Amid the recall, the US National Highway Traffic Safety Administration shed more light on the problem:

A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio.

Chrysler released a firmware update to address the remote-control vulnerability, which triggered today's class-action lawsuit. It was brought to court by Brian Flynn, and husband and wife duo George and Kelly Brown. Flynn, of Belleville, Illinois, owns a 2014 Jeep Grand Cherokee, as do the Browns, of Pacific, Missouri. The Cherokee is included in the mass recall.

The trio's legal eagles claim the distribution of the security software update was flawed. Car owners download the patch via HTTP, and not secure HTTPS, which leaves the code vulnerable to tampering by man-in-the-middle attackers, the filing claims.

The key to a civil damages case is proving harm, and since no one has been hacked, such a claim should be hard to prove. So the lawyers are working on the idea that the affected vehicles are now worth less than they should be because of the flaw, and are seeking recompense – at least $50,000 per affected owner.

The only problem with this is that the hack demonstrated by Miller and Valasek is now impossible to exploit. At their Black Hat presentation on Wednesday (which was standing room only), the dynamic duo explained that the hack was possible thanks to an open IP port on the uConnect equipment in the cars.

Port 6667 was reachable from the public internet via the car's uConnect cellular system, which piggybacks on Sprint's network: accessing that port would allow you to control the car's systems without authentication. You'd just need to know the vehicle's public IP address.

The telco has now locked down its network, firewalling off access to that port, so drivers needn't worry about it – but should still install the patch anyway.

The legal challenge notwithstanding, Miller told The Register that Chrysler could have solved all its problems if it had only used a basic intrusion detection system that he and Valasek cobbled together last year. The Can-no Hackalator 3000 system is gathering dust on his desk, but implementing it would have cost very little and saved Chrysler from its current woes.

The two said that the recall was very welcome news, because the vulnerability was a viable attack vector. Valasek said he was sure that the recall wouldn’t have happened if the two hadn't gone public.

Neither of the researchers has since been offered a job by a motor manufacturer, but said that they do speak at car conferences and get a warm response. In particular, attendees tell them that they are finally getting a budget to PEN test vehicles. ®