My take on this is there is so much software that needs to be updated in a Tesla that this is one where all systems had to be updatable remotely. They had no other choice and this is by design. And the greater benefit is they could deploy basic autonomous self driving functionality via a simple OTA update. That is cool.
But I hope the "traditional" vehicles are not built like that.
This is all my assumptions based on experience in the industrial controls field and simple logic. I don't think RAM thought it was necessary to make it updatable like a Tesla with all the bad things that come with it. But again, I don't have specific knowledge of car design and manufacturing.
Just like I trust the Users' WiFi service in an airplane is 100% physically isolated from the airplane control systems.
But again, Boeing has proven a lot of people wrong...
I agree FCA most likely put considerable engineering effort into securing the gateway between the UConnect and the CAN bus, but mistakes can be [and often are] made.
I know this explanation could be considered off-topic for a Ram truck forum, but I'm trying to explain how it relates to the security gateway in the Ram trucks. I will give a few real-world examples of systems that were designed to be secure and how hackers figured out how to circumvent the security. I'm not divulging anyone's security secrets because these are all public knowledge.
Example 1: The Sony private key leaked
Sony uses public-private key cryptography to encrypt and sign data. In the PS3 era, Sony made a very simple mistake when they were generating their public-private keys, but the mistake enabled hackers to calculate Sony's private key using simple algebra. Once attackers discovered Sony's private key, they were able to create PS3 updates and content that looked legitimate to the PS3. Sony did their best to recover from this security incident, but it was too late. This example is relevant to the Ram truck because I strongly suspect that the command to start your truck remotely is digitally signed and encrypted by FCA before it is transmitted to your truck. The security gateway verifies the signature and decrypts the start/stop request then sends the start/stop command to the proper control module. If FCA made a mistake similar to Sony's mistake, it might be possible to forge a start/stop command and send it to any vehicle.
Example 2: Side channel-attack to discover the Xbox optical disc drive authentication key
The optical disc drive in the Xbox is "paired" with the Xbox motherboard by a symmetrical key that is stored in the Xbox flash and in the optical disc drive flash. The system was designed so that attackers should not be able to extract the symmetric key out of either the Xbox flash or the optical disc drive flash. However, an attacker used an electromagnetic interference side-channel attack to discover the symmetric key. The Xbox flash and the optical flash were not compromised directly, but the key was leaked just the same. This enabled attackers to replace an Xbox optical disc drive with a drive that has custom firmware that enables piracy. Someone might be able to use a side-channel attack to reverse-engineer the Ram firmware and discover exploits.
Example 3: The JTAG interface was accidentally left enabled on the early Xbox 360s
The JTAG interface is used to debug hardware while it is being developed. In some applications, it is desirable to leave the JTAG interface enabled so hardware can be debugged in the field, but the Xbox 360 was not intended to be field serviceable, so the JTAG interface should have been disabled in the retail console, but it was accidentally left enabled (after doing a simple modification). This enabled an attacker to debug the Xbox operating system to find other exploits. FCA could have made a mistake that makes it possible to debug their system, which could lead to the discovery of exploitable software bugs. A real example: there is a protocol called UDS that most ECUs implement. UDS supports a "ReadMemoryByAddress" command that can be used to read memory out of devices on the CAN bus. The ReadMemoryByAddress command should be disabled or protected with the security gateway, but in most ECUs it isn't, or it is protected with a simple security challenge that can be brute forced. An attacker might be able to use the ReadMemoryByAddress command to read the firmware of each control module then analyze the firmware for bugs that can be exploited.
Example 4: Row-hammer memory attack
Row-hammer is a security exploit that relies on a side-channel attack to certain types of memory. The attack enables someone to read or even write to memory that is normally protected by a hypervisor, kernel, or (in some cases) a SoC (security-on-chip).
Example 5: Software bugs galore
There are countless ways software developers can accidentally introduce security flaws: buffer overruns, use-after-free, stack overflow, insufficient (or nonexistent) input parameter validation, and many more. Even though the security gateway is designed to ensure only authenticated commands make it through the gateway, one mistake could make it possible to send undesirable commands through the security gateway. One recent example of a very bad bug that enabled a security exploit is the "heartbleed" bug. It enabled an attacker to remotely read the memory of a system 64Kb at a time. With enough reads, it was possible to reconstitute large ranges of memory which often contained passwords, encryption keys, and code that could be analyzed for security bugs.
Example 6: Hardware bugs
Hardware devices are not immune to bugs.
Some of the more recent, prominent hardware exploits are listed here. A hardware exploit can be used to obtain the firmware which can be analyzed for software bugs that can be exploited remotely.
Example 7: Rogue employee
Sometimes, systems are secured by security that relies on human honesty. If just one employee decides to leak the source code, it can be analyzed for security exploits.
There are many real-world examples of this happening.
Countless systems have been designed to be secure, but they were eventually compromised. The good news is, one of the systems I was partly responsible for securing is still not hacked. The Xbox One still hasn't been hacked! If you want to know more about how we secured the Xbox One, please watch this hour-long video that goes into low-level detail.
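The gateway policy that Example 3 above argues for (ReadMemoryByAddress disabled unless SecurityAccess has succeeded, and a challenge that cannot be brute forced indefinitely), written as an added example in C that is not from the original post and not FCA's code. The service IDs and negative response codes are ISO 14229's; the attempt limit, lockout period, 4-byte key length and the stored `expected_key` are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* ISO 14229 (UDS) service IDs and negative response codes used below. */
#define UDS_READ_DATA_BY_ID        0x22
#define UDS_READ_MEMORY_BY_ADDRESS 0x23
#define UDS_SECURITY_ACCESS        0x27
#define NRC_SERVICE_NOT_SUPPORTED  0x11
#define NRC_BAD_LENGTH             0x13
#define NRC_SECURITY_ACCESS_DENIED 0x33
#define NRC_INVALID_KEY            0x35
#define NRC_EXCEEDED_ATTEMPTS      0x36
#define NRC_TIME_DELAY_NOT_EXPIRED 0x37
/* Policy values are assumptions for this example, not FCA's actual settings. */
#define MAX_KEY_ATTEMPTS 3
#define LOCKOUT_SECONDS  600
#define KEY_LEN          4
typedef struct {
    bool     unlocked;              /* SecurityAccess completed on this session */
    unsigned failed_attempts;
    uint32_t lockout_until;         /* seconds; 0 = no lockout in force */
    uint8_t  expected_key[KEY_LEN]; /* derived from the seed by the OEM algorithm (not shown) */
} gw_session;
static bool key_matches(const uint8_t *a, const uint8_t *b)
{   /* no early exit, so timing does not reveal which byte mismatched */
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Returns 0 if the request may cross onto the CAN bus, else the UDS negative response code. */
uint8_t gateway_filter(gw_session *s, const uint8_t *req, size_t len, uint32_t now)
{
    if (len == 0) return NRC_BAD_LENGTH;
    switch (req[0]) {
    case UDS_READ_DATA_BY_ID: return 0;  /* routine diagnostics: on the allowlist */
    case UDS_READ_MEMORY_BY_ADDRESS:     /* firmware dump path: only after SecurityAccess */
        return s->unlocked ? 0 : NRC_SECURITY_ACCESS_DENIED;
    case UDS_SECURITY_ACCESS:
        if (now < s->lockout_until) return NRC_TIME_DELAY_NOT_EXPIRED;
        if (len == 2 && req[1] == 0x01) return 0;                        /* requestSeed */
        if (len != 2 + KEY_LEN || req[1] != 0x02) return NRC_BAD_LENGTH; /* sendKey */
        if (key_matches(req + 2, s->expected_key)) { s->unlocked = true; s->failed_attempts = 0; return 0; }
        if (++s->failed_attempts < MAX_KEY_ATTEMPTS) return NRC_INVALID_KEY;
        s->failed_attempts = 0; s->lockout_until = now + LOCKOUT_SECONDS; /* brute-force brake */
        return NRC_EXCEEDED_ATTEMPTS;
    default:                             /* anything else from the telematics side is denied */
        return NRC_SERVICE_NOT_SUPPORTED;
    }
}
```

Every wrong key costs an attempt and the third triggers a ten-minute lockout, so guessing a 32-bit key through the gateway is no longer practical; ReadMemoryByAddress is answered with securityAccessDenied until the key has been presented.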
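The Heartbleed bug from Example 5 above, shown as an added example in C (not from the original post and not OpenSSL's source) that puts the pre-fix shape of the heartbeat handler beside the bounds check the fix introduced. The message layout follows RFC 6520; the function names and the omitted response padding are simplifications assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, then at least 16 bytes of padding. */
#define HB_HDR 3
#define HB_PAD 16

/* Pre-fix shape of the handler: trusts the length field inside the message and
 * echoes that many bytes back, never asking how long the received record was. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                    /* never consulted: that is the bug */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];     /* heartbeat_response header */
    memcpy(out + HB_HDR, rec + HB_HDR, declared);     /* reads past the record when declared is too big */
    return HB_HDR + declared;
}

/* Post-fix shape: the declared payload plus header and padding must fit inside the
 * record actually received; otherwise the message is silently discarded (returns 0). */
size_t hb_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HDR + HB_PAD) return 0;            /* too short to be a valid heartbeat */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + declared + HB_PAD > rec_len) return 0; /* the check the Heartbleed fix added */
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, declared);
    return HB_HDR + declared;
}
```

With a well-formed record both functions produce the same reply; with a record whose length field exceeds its real size, only the fixed version refuses to answer.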