UConnect firmware vulnerability - Page 2 - Jeep Garage - Jeep Forum

#13 schmieg (My Jeep: 2014 3.6L WK2), 07-22-2015, 10:11 PM

Quote:
Originally Posted by jaje
I tried to go to the software update website (have a 2014) but it gives me an error when I enter my VIN. Tried it with Internet Exploder browser.

Try disabling your anti-virus software.

__________________
--- Mike
2014 Grand Cherokee Overland, 3.6 Liter, OAII, Adv. Tech Group, MoPar Rock Rails

#14 AirBull (My Jeep: 2015 3.0L WK2), 07-23-2015, 12:47 PM

Quote:
Originally Posted by schmieg
Try disabling your anti-virus software.

Note that it was not compatible with Firefox 37 or newer. Changed browser and d/l'ed it with no problems. Installed easy last night with no worries, as well.
__________________
2015 Jeep Grand Cherokee Summit California Edition 4x4 EcoDiesel

#15 thrawn86 (My Jeep: 2015 3.0L WK2), 07-23-2015, 08:25 PM

Quote:
Originally Posted by Roadkill
The ideal solution would be to install a notch filter on the cell antenna, as was proposed in the other thread.

It's not like the services provided by uConnect are worthwhile, and the manufacturers admit they are using the telematics module to track you around (and they keep track of when you break the speed limit, etc).

All that really needs to be done is to install a notch filter inline on the antenna; one that blocks Sprint frequencies. Other alternatives are likely to annoy the head unit, causing it to bitch about things being awry. However if you've blocked the Sprint frequencies there's no way for the unit to tell you aren't simply in a dead zone.

The simple solution would be to find the RF connection coax input on the head unit and load it off, assuming it's even a removable connector. The GPS and cellular antennas will have separate paths so navigation shouldn't be affected.

Filtering like that would not be cheap and would result in a fair amount of stuff you'd have to cram behind the head unit or in your ceiling.

Personally I'm not worried. Plenty of beautiful ways to be hacked these days and that's never going to change. Patch it, update your security practices, and move on. In fact, they've developed a device now that can suck up encryption keys from thin air by reading the EMI produced by your computer's CPU, even with wifi/bluetooth turned OFF. I guess dom could start selling faraday cages
#16 Roadkill, 07-24-2015, 06:53 AM

Quote:
Originally Posted by thrawn86
The simple solution would be to find the RF connection coax input on the head unit and load it off, assuming it's even a removable connector. The GPS and cellular antennas will have separate paths so navigation shouldn't be affected.

I haven't dug around back there, but it wasn't at all clear from the material I *could* find that they have run distinct antenna cables back to the shark fin.

Anyone have the service manual for the 2014 or later model? I agree that if there is a distinct antenna connection for the air card it would be simplest to disconnect it, but that wasn't the impression that I got.

Removing the air card altogether leads to an unhappy system.

Quote:
Plenty of beautiful ways to be hacked these days and that's never going to change.

Oh please. We both know there is a strong difference between an exploit that requires direct physical access to a machine vs a remote exploit of a system that shouldn't be externally addressable in the first place, coupled with privilege escalation/executing arbitrary code and crossing over into critical control systems.

I don't understand this defeatist perspective on security. There is zero reason, besides incompetence, negligence, or not wanting to pay for adequate engineering, why the critical control systems should be peered on the same network as the entertainment/nav system. These two domains should be virtually (if not literally) air gapped.
#17 Diesel Dan (My Jeep: 2015 3.0L WK2), 07-24-2015, 09:26 AM

I just called the dealership. The security issue is just for the 2013 and 2014 GC's. I looked on Netboy's link and sure enough it is only for 13/14.

However I used the other link and there was an update for my 2015. Guess that is for something else.

Service Bulletin ID: 8-31-15 & 8-35-15
Version: UCONNECT® 8.4A_RA3_15_17_5_MY15
Release Date: 2015-07-15
__________________
'15 GC Limited, Diesel, Adventure 2, Luxury 2, CD, Block Heater, Blue/Black.
#18 OldMarineGy (My Jeep: 2014 3.6L WK2), 07-24-2015, 09:58 AM

Anyone having issues with the UConnect iPhone app connecting since applying the firmware update?
#19 farfromovin, 07-24-2015, 10:52 AM

Quote:
Originally Posted by OldMarineGy
Anyone having issues with the UConnect iPhone app connecting since applying the firmware update?

iOS 8.4 doing fine here before and after uConnect firmware update.
__________________
'15 GC 4x4 Summit - GDE Hot Tune, Berger N54 ccv catch can, 4300k Philips HID fogs, VLED TRITON V3 LED brake lights
#20 macfan (My Jeep: 2014 3.2L KL), 07-24-2015, 11:02 AM

The dealers are confused right now. FCA changed the wording of the latest Uconnect upgrade from upgrade to Recall this morning so people would not ignore it. It is the same upgrade, mostly security, but now just reworded as a Recall. FCA did this with the Cherokee 9 speed transmission flash as well a while back as it too was being ignored. So apparently this is FCA's new plan of attack to get owners to stop ignoring upgrades. This also gets the government off of FCA's back as the government can't say FCA did not notify owners like in the GM ignition switch case.
#21 lstowell (My Jeep: 2014 5.7L WK2), 07-24-2015, 12:01 PM

Quote:
Originally Posted by macfan
The dealers are confused right now. FCA changed the wording of the latest Uconnect upgrade from upgrade to Recall this morning so people would not ignore it. It is the same upgrade, mostly security, but now just reworded as a Recall. FCA did this with the Cherokee 9 speed transmission flash as well a while back as it too was being ignored. So apparently this is FCA's new plan of attack to get owners to stop ignoring upgrades. This also gets the government off of FCA's back as the government can't say FCA did not notify owners like in the GM ignition switch case.

Straight from the horse's errr, mouth:

http://www.media.chrysler.com/newsrelease.do?id=16849

Suspect someone's heinie may be a tad overcooked due to all the publicity on pretty much every news source.

I wonder if they pre-populate the alleged USB device with the update, or you would have to do it yourself?

Wonder what quality of USB device it will be and if it will be logo'd?

I plan to install the update this weekend, but a Jeep logo'd USB to put my music on would be something I wouldn't turn down:

"Customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures. Alternately, customers may visit Uconnect® Software Update - Update your Uconnect® System to input their Vehicle Identification Numbers (VINs) and determine if their vehicles are included in the recall."
#22 netboy (My Jeep: 2014 3.0L WK2), 07-24-2015, 01:26 PM

Quote:
Originally Posted by Diesel Dan
I just called the dealership. The security issue is just for the 2013 and 2014 GC's. I looked on Netboy's link and sure enough it is only for 13/14.

However I used the other link and there was an update for my 2015. Guess that is for something else.

Service Bulletin ID: 8-31-15 & 8-35-15
Version: UCONNECT® 8.4A_RA3_15_17_5_MY15
Release Date: 2015-07-15

The 2015's are also vulnerable. They simply have a different RRT (which is now a voluntary recall) as the firmware is different and there are additional included updates in the new code (see the "**" items in each of the RRT documents). Here's the 2015 link: http://www.wk2jeeps.com/tsb/tsb_wk2_0803115a.pdf
__________________
Summit 4x4 Turbo-Diesel, Black / Jeep Brown.
#23 GCOverland (My Jeep: 2015 3.6L WK2), 07-24-2015, 01:57 PM

Well, I just updated to 15.17.5.

I hope that is the required (and latest) update. At least that's what I got for my VIN from the uconnect website...
__________________
2015 Grand Cherokee Summit 3.6L 4x4, Bright White, Dark Brown interior, Platinum Package, CD-Player.
2015 Lincoln MKZ Hybrid Reserve, Ruby Red Metallic, Light Dune interior, Technology Package, Panoramic Roof, 19" Painted Pockets Wheels, Multi-Contour Seats, THX Audio.
#24 Diesel Dan (My Jeep: 2015 3.0L WK2), 07-24-2015, 02:01 PM

Thanks for the heads up Netboy. Will flash it myself this weekend.

Do you really have to keep the motor running thru the process?

8. With the engine running and radio powered on, insert the correct USB flash drive with new software into USB port.

__________________
'15 GC Limited, Diesel, Adventure 2, Luxury 2, CD, Block Heater, Blue/Black.

All times are GMT -5.