Dangerous control of my Jeep over the internet

[jlrocks]

Your jeep is not connected to the big bad internet

Go to mopar.com, click Start Engine, then go outside and shut your engine off.

I'm not concerned.

Most of us are concerned and somehow that's an issue for you.

Sponsored

 

[MrZappo]

Go to mopar.com, click Start Engine, then go outside and shut your engine off.

That statement right there ^. The one you keep making only serves to highlight your ignorance on this subject.


Most of us are concerned and somehow that's an issue for you.

I don't know about "most of us", but never the less, the people that aren't the least bit concerned are the I.T. Guys ... Don't you find it the least bit odd that the people who do this professionally don't seem to care much and others whom define computers as a "black box" are all deeply concerned ?

I understand exactly where you are coning from and honestly I'm done responding. You have an opinion without basis that you wont budge from ... If it makes you happy to ignore those who are experts feel free ...

 

[jlrocks]

All I'm saying is let people decide for themselves. Doesn't cost you a thing.

 

[SwampNut]

One of my developers calls people like this "internet roadkill." They make assumptions and assertions without actual knowledge of how anything works, and then think service providers and products should be oriented around that misinformation. I've spent the last 35+ years forcing people to get with the times and stop doing stupid things like printing emails. I truly thought I would be out of a job long ago because surely the next generations would be smarter about tech. Turns out, they seem to be getting dumber.

Good thing is, now I know I will die before I run out of people to drag into modern times.

 

[LostWoods]

One of my developers calls people like this "internet roadkill." They make assumptions and assertions without actual knowledge of how anything works, and then think service providers and products should be oriented around that misinformation. I've spent the last 35+ years forcing people to get with the times and stop doing stupid things like printing emails. I truly thought I would be out of a job long ago because surely the next generations would be smarter about tech. Turns out, they seem to be getting dumber.

Good thing is, now I know I will die before I run out of people to drag into modern times.

The problem here is that with a car, connectivity is a primary requirement for most buyers but the industry at large has very little experience with security as it's never been a concern. It's been rough for the industry because much like in general IT, it took time for the industry to actually prioritize security against functionality that makes money.

Like I said, the security module is now there because someone was able to hack a Jeep and other companies like Nissan have had colossal issues with their security (the famous API key = VIN snafu).

Your developers should understand the concept of minimizing an attack surface and I think that's most peoples' concern here. I don't mind it as a feature, I mind it as a feature that I cannot fix on my own nor can I disable it in the case an attack does come to light. I have no need for my truck to communicate with anyone but myself and being forced into it so they can gather data on me is unnerving to say the least.

 

[jlrocks]

Your developers should understand the concept of minimizing an attack surface and I think that's most peoples' concern here.

Why is that so hard to understand by purported professionals?

 

[SwampNut]

Not hard at all, the attack surface is already minimized in the Jeep.

 

[LostWoods]

Oh, my bad, I wasn't aware we had the Chief of Engineering among us.

 

[SwampNut]

Oh, my bad, I wasn't aware we had the Chief of Engineering among us.

A title I've actually held, so thank you for acknowledging.

 

[jebiruph]

Be gentile with me, I'm a lowly sport owner without any fancy internet interaction with my JT. With that said, isn't it true that regardless of how secure the internet connection is to the web site, if my endpoint is compromised, then can't the information that I provide to the website be compromised from my endpoint?

 

[jlrocks]

Yes.

 

[SwampNut]

Be gentile with me, I'm a lowly sport owner without any fancy internet interaction with my JT. With that said, isn't it true that regardless of how secure the internet connection is to the web site, if my endpoint is compromised, then can't the information that I provide to the website be compromised from my endpoint?

Not necessarily. It would depend a lot on the specific compromise, and the specific web site, browser, and much more. Nobody can give just a blanket yes or no with that being the info given.

 

[Higher_Ground]

Sounds like something that could be mitigated to some extent with 2 factor authentication. If I log into the mopar website and try to send the vehicle a command, I could get a prompt to enter a PIN delivered by SMS or email.

 

[jebiruph]

Not necessarily. It would depend a lot on the specific compromise, and the specific web site, browser, and much more. Nobody can give just a blanket yes or no with that being the info given.

My computer has been hacked (as in I'm running Solarwinds) and the malware has access to my internet communications before they are encrypted and after they are de-encrypted. The malware would have access to my website credentials before they are encrypted.

 

[SwampNut]

Sounds like something that could be mitigated to some extent with 2 factor authentication. If I log into the mopar website and try to send the vehicle a command, I could get a prompt to enter a PIN delivered by SMS or email.

If the sky-is-falling scenarios posed by some people in this thread were to happen, then that would also be compromised. Meaning that all the safeguards that are built in currently, unless hacked, would prevent any real issue. If those are hacked, then 2FA would probably be useless too.

Sponsored