Fiat Auto Vulnerability Update

Monday, September 21, 2015 @ 02:09 PM gHale

Fiat-Chrysler Automobile US (FCA US) LLC launched two recall campaigns, on July 23 and September 5, in which owners of vehicles suspected to suffer from an unauthorized remote access vulnerability were mailed USB sticks containing the updated software, according to a report on ICS-CERT.

Chris Valasek of IOActive and Dr. Charlie Miller discovered the vulnerability in the Uconnect telematics infotainment system manufactured by Harman-Kardon.

They coordinated with FCA US LLC for nearly 9 months before releasing information about this remote exploit publicly. FCA US LLC released a security notice and a firmware patch to owners of vehicles with the Uconnect feature on July 16.

The details of the exploit were released to national news several weeks later at the BlackHat 2015 and DefCon23 conventions in Las Vegas.

Valasek and Miller confirmed a missing authorization vulnerability in the FCA Uconnect RA3/RA4 radio manufactured by Harman-Kardon. FCA US LLC created a patch that mitigates this vulnerability and worked with Sprint, the network provider, to disable access to the vulnerable port. Prior to the Blackhat conference, the researchers tested the patch to confirm it mitigates the vulnerability.

The following UConnect 8.4AN/RA3/RA4 infotainment systems suffer from the issue:
• 2013-2015 Ram 1500/2500/3500/4500/5500
• 2013-2015 Dodge Viper
• 2014/15 Jeep Cherokee/Grand Cherokee
• 2014/15 Dodge Durango
• 2015 Chrysler 200/300
• 2015 Dodge Challenger
• 2015 Dodge Charger
• 2015 Jeep Renegade

The UConnect Infotainment system has direct access to the controls of the vehicle.

An attacker connecting to the UConnect infotainment system could gain access to it without any form of authentication. From this connection, the malicious party could take control of connected control units and send commands to the various control systems within the vehicle, with the potential to affect:
• Information displayed within the car (e.g., tachometer)
• Vehicle control systems, including brakes, steering, and A/C fans

Stamford, CT-based Harman-Kardon is a division of Harman International Industries and manufactures home and car audio equipment.

FCA US LLC is a North American automaker that maintains offices in several countries around the world and has its headquarters in Auburn Hills, Michigan.

The affected products, Uconnect 8.4AN/RA3/RA4, are vehicle-based infotainment systems. According to FCA, the Uconnect systems are in certain Chrysler, Dodge, Jeep, and Ram makes of vehicles. FCA estimates these products see use primarily in the United States and Europe.

The UConnect infotainment system allowed an unauthenticated connection from other access points on the Sprint Network. Through that connection, a malicious party could issue commands through the infotainment system to other components within the vehicle. After the release of the information on this vulnerability, Sprint blocked access to the vulnerable ports.

CVE-2015-5611 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

This vulnerability is no longer exploitable remotely because of Sprint’s reconfiguration on the cellular network. The software within the system is still vulnerable until patched.

No known public exploits specifically target this vulnerability. Crafting a working exploit for this vulnerability would be difficult. Connections to the vulnerable UConnect systems are currently unreachable because of port screening by Sprint. This decreases the likelihood of a successful exploit.

FCA has issued a voluntary recall of 1.4 million impacted vehicles to patch the software of the UConnect Infotainment system.

In addition, Sprint disabled traffic to the vulnerable port on its network.