UConnect firmware vulnerability - Page 3 - Jeep Garage - Jeep Forum

#25 | 07-24-2015, 03:15 PM | JEB1 (Member, My Jeep: 2014 3.0L WK2)

Quote:
Originally Posted by Diesel Dan
Thanks for the heads up Netboy. Will flash it myself this weekend.

Do you really have to keep the motor running thru the process?

8. With the engine running and radio powered on, insert the correct USB flash drive with new software into USB port.

In general, it seems to be the safest course to keep it running. I just made sure the software started installing and then drove the Jeep around until it was finished. When the head unit rebooted, I just pulled into a parking lot, said no when it re-prompted for install, and shut off the motor.


#26 | 07-24-2015, 03:17 PM | GCOverland (Jeep Addict, My Jeep: 2015 3.6L WK2, Tampa Bay, FL)

I did it in my garage without the engine running - just with the ignition in the running-mode.

#27 | 07-24-2015, 03:23 PM | NorthstarSRX (Member, My Jeep: 2015 3.0L WK2, South Coast of Mass)

Didn't have to run the engine when I did the upgrade. Just have to have the ignition in the "run" position without starting the engine, ergo don't depress the brake pedal. Takes about 20 minutes to do.

#28 | 07-24-2015, 04:04 PM | wraab (Member, My Jeep: 2016 6.4L WK2, Houston, Tx)

Quote:
Originally Posted by GCOverland
I did it in my garage without the engine running - just with the ignition in the running-mode.

^^ This - took less than 15 minutes, and I just went in the house and waited.

#29 | 07-24-2015, 04:17 PM | farfromovin (Member)

Glad to see FCA doing the right thing here.

#30 | 07-24-2015, 04:33 PM | thrawn86 (Member, My Jeep: 2015 3.0L WK2, Chicago)

Quote:
Originally Posted by Roadkill
I don't understand this defeatist perspective on security.
The vulnerability is out in the open now, has been patched, and I'm sure we'll see some new security practices come about as a result. After all that, why would I go and pull off my antenna?

Even if I did that, there's nothing stopping a hacker from getting into Sprint's/FCA's network and stealing plenty of other harmful information about you. They could get bank accounts, addresses, etc...

If it turns out that the current system can't/won't be made secure to everyone's liking...then that's a different discussion.

#31 | 07-24-2015, 10:31 PM | Roadkill (Senior Member)

Quote:
Originally Posted by thrawn86
After all that, why would I go and pull off my antenna?

Because it's nothing but a liability with no upside. It's a privacy-invading aspect that I didn't want even before it was disclosed that the FCA engineers have the security acumen of the Trojans.

All downsides with no benefits...so what's to love about it? What's to lose by physically disabling the datalink? I mean, besides "losing" FCA's creepy realtime tracking/logging of my vehicle and a pointless attack surface that you *know* wasn't thoroughly secured given the turnaround time on this patch.

Software (by definition) cannot sufficiently airgap something like this that shouldn't be on the CAN bus anyway. If we can see what's involved in getting back there according to the service manual, I'm not against applying a wire cutter to the datalink antenna if that's what it takes.

Don't simply presume that all is well now. It's far more likely this is just the tip of the iceberg. Remember SQL Slammer? After that debacle, some people patched their database and left it hanging out on the internet because "after all that, why would I pull my database server off the internet?" Other people learned a different lesson, pulled their servers off the internet, and those people weren't victimized by the succession of exploits that followed. And that's *before* we get into the discussion of standards for life-critical systems vs database servers.

#32 | 07-25-2015, 09:14 PM | thrawn86 (Member, My Jeep: 2015 3.0L WK2, Chicago)

Quote:
Originally Posted by Roadkill
All downsides with no benefits...so what's to love about it? What's to lose by physically disabling the datalink?

Well, I do make use of the uconnect access often so I'd hate to lose that. A friend of mine has an aftermarket system that has 10 times the connectivity and features of ours so there is some functionality/benefit to be had...though there have been stories about those units being hacked as well.

Don't get me wrong, I agree with you...but I really see tremendous value in this "internet of things" and I want to see it work. No one thinks twice about the fact that their cellphones already track location history and that Google/Verizon/the FBI/etc can already access personal information.

#33 | 07-25-2015, 10:39 PM | Roadkill (Senior Member)

Quote:
Originally Posted by thrawn86
Well, I do make use of the uconnect access often so I'd hate to lose that.

Ah, I have never used any of that shit and would have paid more to *not* have the datalink and uConnect from the factory.

Quote:
No one thinks twice about the fact that their cellphones already track location history and that Google/Verizon/the FBI/etc can already access personal information.

Haha, I definitely do think twice about that. Maybe even thrice. I take steps as appropriate.

#34 | 07-26-2015, 12:19 AM | amanaussie (New Member, My Jeep: 2012 WK2, Victoria Australia)

Does the vulnerability only apply to US vehicles?? I am assuming other export vehicles and the ones here in Australia do not need a software update. My Grand Cherokee (MY13) has to be paired to my mobile (cell) phone using Bluetooth in order to use the Uconnect system. I am also assuming that in the USA vehicles are somewhat different in the manner they connect to a mobile phone.

#35 | 07-27-2015, 10:10 AM | DJP2014 (Member, My Jeep: 2015 3.0L WK2, OH)

Quote:
Originally Posted by chadg2
I second that....I would prefer to disable the Sprint data.

I third that....I would prefer to disable the Sprint data.

#36 | 07-27-2015, 10:33 AM | DJP2014 (Member, My Jeep: 2015 3.0L WK2, OH)

Quote:
Originally Posted by Roadkill
Ah, I have never used any of that shit and would have paid more to *not* have the datalink and uConnect from the factory.

Haha, I definitely do think twice about that. Maybe even thrice. I take steps as appropriate.

I would also pay more to *not* have the datalink and uConnect from the factory but the only sure way to get away from the problems is to remove the chance for the cellular signal to reach the CAN bus.


The only options I see are to remove the SIM card, remove the antenna connection, block/filter the cellular signal, or modify the Uconnect firmware. Each option has some problems, but it definitely can be done given enough time and money.