Sprint IoT Credibility on the Line in Fiat Chrysler Hack

by Roger Lanctot | Jul 27, 2015

If you are going to connect things to other things, the first thing you need to get right is security. It’s a little like building the moat before you let down the drawbridge.

It looks like Sprint has been caught moat-less in the hack of FCA’s Jeeps by IOActive, as widely reported last week. FCA’s Chrysler division is taking the fall for Sprint’s failure to properly secure its network and the Jeep in question – which was subjected to some comical and terrifying remote control in real time on the highway thanks to an IP address vulnerability.

Wired coverage: “Hackers Remotely Kill a Jeep on the Highway with Me in It” - http://tinyurl.com/oaabx46

Sprint has the dubious distinction of being the first wireless carrier implicated in an automobile hack. FCA has the dubious distinction of being the first car company to initiate a cybersecurity-based recall.

New York Times: "Fiat Chrysler Issues Recall over Hacking" - http://tinyurl.com/q457bcx

The timing could not have been worse for FCA. The company is facing a fine from the National Highway Traffic Safety Administration for breaching recall protocols, and the Jeep hack made Chrysler the focal point of proposed automotive cybersecurity legislation announced last week.

The Detroit News: “Feds to Impose $105M Fine on Fiat Chrysler” - http://tinyurl.com/p3ugug9

Forbes: “SPY Car Act Hopes to Save American Cars from Digital Disaster” - http://tinyurl.com/ojqqfa9

The Jeep hack was also the first “zero-day” intrusion experienced by an automaker. In this way, the hack highlighted both the connectedness and disconnectedness of the auto industry.

A zero-day hack is so called because the owner of the hacked system has zero days to respond. The hacker, in this case IOActive, announces the penetration and makes details of the vulnerability available, and the owner of the system is left to scramble to recover.

In the case of Chrysler, the zero-day hack exposes the challenges that car companies face in combating cyber attacks on vehicles that are not capable of receiving remote software updates. Chrysler’s 1.4M-vehicle recall, the first of its kind, reflects the fact that car makers are almost universally obliged to bring cars back to dealers to update software.

Chrysler is providing software patches to consumers that can be downloaded to flash drives and installed via USB ports in Chrysler vehicles. All of this suggests that the integrator of the systems, Sprint, provided for complete vehicle system integration – meaning vehicle network access via the telematics control unit – without providing for security or over-the-air software updates.

The hack (and NHTSA fine) falls in the midst of a record-breaking sales year for FCA. Just as Toyota and GM have bounced back from recalls and government sanction, FCA will put its recall missteps and the Jeep hack in the rearview mirror.

For Sprint, though, the blow may be a fatal one for its Velocity telematics platform. FCA had already made the decision to shift to AT&T for future connected car systems. But Sprint’s newest customer, Mitsubishi, will now be rethinking the reliability of its partner. Industry sources say Sprint is seeking to sell the Velocity unit – which will now be seen as damaged goods.

As I have written in previous posts, telematics is forever and FCA and Sprint will be living with one another for the next 10 years or more – as long as those embedded Sprint modems can still connect with a Sprint network. You can rest assured that AT&T, Verizon, Vodafone, Telefonica, Orange, Deutsche Telekom, China Unicom, Claro and many other wireless carriers are taking note of Sprint’s gaffe. IoT is a tough business.
