I agree they may not make news if they did this in a safe manner.
However, the goal of people researching security shouldn't be to make news. And these people, while admittedly working with Chrysler to see it fixed, seem to be forgetting that. Especially since they plan to release their code, despite the fact that Chrysler has to get people to manually update their cars.
"The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review."
Their justification for releasing their code, as someone who works in peer-reviewed industries, is weak, and they clearly are prioritizing attention over security at this point.
I saw a presentation at a departmental colloquium 3 years ago which demonstrated similar capabilities. The point is, car companies are not responding well to this threat even though it is well known to them. In such situations it is in the public's best interest that information about the vulnerabilities be widely disseminated in order to keep the general public safe. Those with know-how can already exploit these flaws and likely have been for years. The car companies need to act to secure their customers' systems.
> In such situations it is in the public's best interest that information about the vulnerabilities be widely disseminated
This assumes many facts not in evidence.
It may, in fact, be the best thing. But security people, as a rule, are strongly biased to love things that increase the social standing of security researchers, and chaos does that.
There are other ways of pressuring the car companies. I'd like to see companies failing to fix disclosed security holes in safety critical applications in a certain period of time face monetary damages, even without need to show harm was caused.
But lobbying is boring and getting on the top of HN is fun.
>> The point is, car companies are not responding well to this threat even though it is well known to them.
I think the problem is related to core competencies (sorry to throw in the MBA speak).
The old-school car companies are good at making cars, and not secure computer systems.
You can likely say the same about the skill sets of the decision-makers running these companies. Many of them just can't wrap their head around security implications, because they don't fully understand them.
Car companies, possibly more than anyone else in the world, are the home to people who understand how mechanical failure affects lives.
The car companies' failure to patch defects ought to have them facing severe fines. In fact, I would support a bounty system of millions of dollars for researchers who can demonstrate 1) finding a flaw, 2) telling the company, and 3) the company not fixing it in X months. All this financed by fines on the car companies.
The above facts don't mean that what these guys did was okay.
>> Car companies, possibly more than anyone else in the world, are the home to people who understand how mechanical failure affects lives.
You're completely right, but the key phrase in your sentence is "mechanical failure".
I've worked on analytics projects in the automotive industry for analyzing defects before they get into the "campaign" (aka recall) stage. They are incredibly good at that type of analysis. Most mechanical parts "make sense", since they're designed for only a few functions.
An Internet connected computer and software, on the other hand, doesn't always make sense to auto execs because they are significantly more complex.
As it relates to the article, I wouldn't be surprised if the car's computer system was perceived more as just a part having a particular set of features by Chrysler's top executives than as a computer system requiring the same types of security controls as, say, an ATM would.
They could still have made the news if they had taken a few extra precautions to reduce the risk of an accident.
However, they do need to make the news. Them making the news makes it easier and more likely that politicians will prioritize the political capital of working to solve this over the lobbyists from the automotive industry.
If Chrysler and other car manufacturers were taking this sufficiently seriously the releases might not be necessary. They gave Chrysler plenty of warning, Chrysler could have issued a recall (and still can), the consequences are on Chrysler, not on the security researchers.
You do realize a recall doesn't make all the cars come back on their own to get fixed, right? Hell, many consumers don't even realize there was a recall till their product fails for the reason it was recalled.
Chrysler seems to be taking this seriously enough that releasing the code will do more harm than good. Could they take it more seriously? Well, everything can always be taken more seriously, and someone will always claim it should. So I will say that's a matter of opinion.
EDIT: If their plan to 'release their code' is nothing more than a bluff to raise awareness I would consider that a much more appropriate course of action.
>> I agree they may not make news if they did this in a safe manner.
Maybe, maybe not. All they need to get eyeballs is a linkbaity FUD headline with a few extra scary sentences thrown in.
It's not as if the TV news doesn't already do this with their teasers for "Is eating too much XYZ going to kill you? Find out after the commercial break" only for you to find out that the story about XYZ is overblown and poorly vetted.