Incident: Hackable Software Vulnerability in Fiat Chrysler Automobiles, 2015

Published Date: 2015-07-21

Postmortem Analysis
Timeline:
1. The software failure incident involving hackers taking control of a Jeep Cherokee and crashing it into a ditch happened in July 2015 as reported in [Article 37776], [Article 37992], [Article 38001], [Article 38009], [Article 38027], [Article 38050].
2. The incident was specifically mentioned to have occurred on July 15, 2015, as reported in [Article 38001].
3. Therefore, the software failure incident occurred in July 2015.
System:
1. Uconnect internet-enabled software in Fiat Chrysler Automobiles vehicles [37776, 37992, 38001, 38009, 38027, 38050, 51389]
2. Engine Control Units in cars [2616]
3. Energy systems in industrial settings [20899]
Responsible Organization:
1. Hackers [37776, 37992, 38001]
2. Fiat Chrysler Automobiles (due to vulnerabilities in their software) [38009, 38027, 38050]
Impacted Organization:
1. Fiat Chrysler Automobiles [37776, 37992, 38001, 38009, 38027, 38050, 51389]
2. U.S. government [20899, 38009]
3. Automobile manufacturers [27571, 38046]
4. Truck buyers [80161]
Software Causes:
1. Vulnerabilities in car software systems allowed hackers to take control of vehicles, disable engines and brakes, and cause crashes [37776, 37992, 38001, 38050].
2. Lack of built-in system for releasing software patches in industrial systems, making upgrading difficult and expensive [20899].
3. Unused computer communication channel left open by Chrysler granted outside access to car controls [38009].
4. Software glitch in the Uconnect system of Fiat Chrysler cars allowed hackers to take remote control of vehicles [38050].
5. Inconsistent and haphazard security measures to prevent remote access to vehicle electronics across automobile manufacturers [38046].
Non-software Causes:
1. Lack of proper security measures in the design and implementation of the systems, allowing hackers to gain control over critical components of cars like gas and brakes [2616, 20899, 27571].
2. Vulnerabilities in the supervisory control and data acquisition (SCADA) systems used in industrial facilities, which were installed at a time when cyberattacks were not a major concern [20899].
3. Inadequate security measures in the onboard software of Fiat Chrysler Automobiles vehicles, leading to hackers taking control of a Jeep over the internet and disabling the engine and brakes [37776, 37992, 38001, 38027, 38046, 38050, 50540, 51389, 80161].
Impacts:
1. Hackers took control of a Jeep over the internet, disabled the engine and brakes, and crashed it into a ditch, leading to a 1.4 million product recall by Chrysler [Article 37776, Article 37992, Article 38050].
2. The vulnerability exposed by the hack led to a formal recall affecting 1.4 million vehicles, causing significant concerns about the security of connected vehicles [Article 37992, Article 38001].
3. The incident highlighted the startling security vulnerabilities of American automobiles, raising concerns about remote-controlled car accidents and the inconsistent security measures across automobile manufacturers [Article 38046].
4. The software glitch allowed hackers to potentially take remote control of a car, emphasizing the risks associated with connected devices and the Internet of Things [Article 38050].
5. Fiat Chrysler acknowledged the problem and offered a software upgrade to customers, emphasizing the need for software updates for improved security protection [Article 38009].
Preventions:
1. Designing systems with security in mind from the ground up rather than retrofitting high-level security later on could have prevented the software failure incident [2616].
2. Implementing built-in systems for releasing software patches for industrial systems, similar to those in personal computers, could have helped prevent vulnerabilities and address issues promptly [20899].
3. Ensuring that car software is built to high standards of security, similar to applications in other industries like banking or software from major companies, could have prevented the hackable vulnerabilities in automobiles [27571].
4. Applying network-level security measures to prevent remote control access to vehicles, as done by Fiat Chrysler after the incident, could have potentially prevented the hackable software vulnerability [38050].
5. Taking proactive measures to secure vehicle software to prevent even malicious hackers with physical access from hacking the system could have helped prevent such incidents [50540].
6. Addressing known vulnerabilities and defects promptly after they are revealed by cyber security researchers could have prevented the software failure incident [80161].
Fixes:
1. Upgrading industrial systems with built-in systems for releasing software patches [20899]
2. Designing secure cars with detection mechanisms and minimum cybersecurity standards [37992]
3. Issuing software updates and patches to secure vehicles against vulnerabilities [38046]
4. Securing vehicle software to prevent remote manipulation and hacking [38050]
References:
1. Adriel Desautels, chief technology officer and president of NetraGard [2616]
2. Wenyuan Xu, assistant professor in the Department of Computer Science and Engineering at the University of South Carolina [2616]
3. Researchers Billy Lau, Yeongjin Jang, and Chengyu Song [20899]
4. Ed Adams, a researcher at Security Innovation [27571]
5. Sachin Lawande, Harman's infotainment division lead [27571]
6. Tejas Desai, Continental's head of interior electronics for North America [27571]
7. Fiat Chrysler Automobiles [37776, 37992, 38001, 38009, 38027, 38050, 51389]
8. National Highway Traffic Safety Administration [38001, 38027]
9. Charlie Miller and Chris Valasek, security researchers [38001, 38027, 38046, 80161]
10. Kathleen Fisher from the federal Defense Advanced Research Projects Agency (DARPA) [38046]
11. Senator Markey [38046]

Software Taxonomy of Faults

Category Option Rationale
Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to hackable automobiles has happened again at Fiat Chrysler. Security researchers demonstrated a hackable software vulnerability in Chrysler's Uconnect dashboard computers, leading to a 1.4 million product recall [37992]. Additionally, Fiat Chrysler faced a recall affecting 1.4 million vehicles due to a software vulnerability that allowed hackers to remotely manipulate vehicles [38001]. The company disclosed that hackers got into a Jeep through an electronic opening in the radio and issued software updates to fix the problem [38027]. Fiat Chrysler applied measures to prevent vehicle manipulation and conducted a recall out of caution, stating that no defect had been found [51389].
(b) The incident of hackable automobiles has raised concerns about similar vulnerabilities in other organizations or industries. The vulnerability in industrial systems, particularly in critical infrastructure like oil and gas pipelines and water treatment plants, was highlighted as potential targets for hackers due to older SCADA systems connected to the Internet over unsecured networks [20899]. The article also mentions that auto manufacturers, in general, are not up to speed in terms of building car software to the same standards as other applications, indicating a broader industry issue [27571].
Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase is evident in the articles discussing vulnerabilities in car software systems. For example, Article 2616 highlights the issue of safety critical systems not being isolated from non-safety critical systems, such as entertainment systems, which can lead to subtle interactions and potential security holes. It mentions the need for automakers to design systems with security in mind from the ground up to avoid disasters [2616].
(b) The software failure incident related to the operation phase is seen in the articles discussing hackers gaining remote access to vehicles' systems. For instance, Article 37776 reports on hackers remotely accessing a Jeep's systems through a security hole in the Uconnect software, allowing them to disable the engine and brakes and crash the vehicle. This incident demonstrates how the operation of the system, in this case, the internet-connected software, can lead to critical failures [37776].
Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident related to the vulnerability in FCA's Uconnect internet-enabled software that allowed hackers to remotely access the car's systems and take control was a result of contributing factors that originated from within the system itself [37776]. The vulnerability in the software allowed hackers to access driving systems such as GPS, windscreen wipers, steering, brakes, and engine control [37776].
(b) outside_system: The software failure incident related to the security vulnerabilities in cars, particularly in the context of potential hacking threats, was influenced by contributing factors that originated from outside the system. For example, the article highlights the risks associated with connecting cars to the Internet and the potential for hackers to access core controls through breaching the Internet-connected entertainment system [27571]. Additionally, the article mentions the challenges faced by industries like oil and gas pipelines or water treatment plants in upgrading their supervisory control and data acquisition (SCADA) systems due to their age and remote locations, indicating external factors influencing the vulnerability of these systems [20899].
Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- Researchers were able to take control of a Toyota Prius and a Ford Escape by physically connecting a computer to the cars through a diagnostics port and writing custom software to hijack the cars' systems [Article 20899].
- Security experts urged owners of Fiat Chrysler Automobiles vehicles to update their onboard software after hackers took control of a Jeep over the internet, disabled the engine and brakes, and crashed it into a ditch [Article 37776].
- Fiat Chrysler applied measures to prevent vehicle manipulation demonstrated in a media report, blocking remote access to certain vehicle systems [Article 51389].
(b) The software failure incident occurring due to human actions:
- Researchers demonstrated how hackers could access a car's core controls by breaching its Internet-connected entertainment system and tamper with brakes, highlighting the lack of good firewall or security measures in place [Article 27571].
- The researchers, Charlie Miller and Chris Valasek, planned to make their findings public about taking control of vehicles through hacking, leading to the release of a patch by Fiat Chrysler to address the vulnerability [Article 38001].
- The issue of cyber security vulnerabilities in vehicles received attention when researchers hacked a Jeep Cherokee while it was driving, showcasing the potential risks of remote manipulation [Article 80161].
Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- Article 37776 reports a software failure incident where hackers took control of a Jeep over the internet, disabled the engine and brakes, and crashed it into a ditch. This incident was a result of hackers manipulating the vehicle remotely, indicating a hardware-related vulnerability that allowed external access to critical vehicle systems.
(b) The software failure incident occurring due to software:
- Article 38050 discusses a software glitch in Fiat Chrysler vehicles that could allow hackers to take remote control of a car. This vulnerability was attributed to a bug in the software, highlighting a software-related issue that could potentially lead to dangerous outcomes.
Category: Objective (Malicious/Non-malicious)
Option: malicious, non-malicious
Rationale:
(a) Malicious:
- Researchers Charlie Miller and Chris Valasek demonstrated how hackers could take control of a Toyota Prius and a Ford Escape by physically connecting a computer to the cars through a diagnostics port and using custom software to hijack the cars' systems [Article 20899].
- The same researchers, Miller and Valasek, also found vulnerabilities in the Uconnect system used in vehicles across Chrysler's lineup, allowing them to take control of the vehicles remotely [Article 38001].
- The vulnerability in the Uconnect system was highlighted as a serious issue that could allow someone to essentially crash a vehicle, leading to a potential recall due to the unreasonable risk to safety posed by the hacking [Article 38001].
- The software manipulation addressed by the recall required unique technical knowledge, prolonged physical access to a vehicle, and extended periods of time to write code, indicating a deliberate effort to exploit the system [Article 37992].
- The plaintiffs in a lawsuit alleged that cyber security researchers had revealed vulnerabilities in the software used in vehicles as early as 2011, suggesting a long-standing awareness of the defects [Article 80161].
(b) Non-malicious:
- Automakers were criticized for not being up to speed in terms of car software standards, with concerns raised about the safety of car software compared to other applications like banking software or Microsoft products [Article 27571].
- The article mentions that bugs are a fact of life for software, indicating that software failures can occur unintentionally [Article 38050].
- The challenges faced by companies in securing autonomous vehicles' software to prevent hacking are highlighted, suggesting that software vulnerabilities can exist without malicious intent [Article 50540].
Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incidents in the articles were primarily due to poor decisions made in the design and implementation of software systems in vehicles, industrial facilities, and other critical infrastructure.
- For example, in Article 2616, it is mentioned that car manufacturers are not designing security into the software from the ground up, which is described as a recipe for disaster.
- Similarly, in Article 38050, it is highlighted that the vulnerability in the software could prove deadly to a driver, indicating poor decisions in ensuring software safety and security.
- The incidents involving hacking into vehicles' systems, as described in various articles, point to the poor decisions made in the design and implementation of software systems in automobiles, leading to vulnerabilities that could be exploited by hackers [2616, 38050].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incidents discussed in the articles do not seem to be primarily related to accidental decisions. Instead, they are more focused on the deliberate actions of hackers exploiting vulnerabilities in software systems.
- The incidents involving hacking into vehicles' systems, as described in various articles, were not accidental but rather intentional actions by hackers to manipulate the software systems [38001, 38027, 38046, 50540].
Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) development_incompetence:
- Article 2616 highlights the issue of car manufacturers not designing software with security in mind from the ground up, leading to vulnerabilities in the systems [2616].
- Article 27571 mentions that auto manufacturers are behind the times in building car software to the same standards as other applications, indicating a lack of professional competence in software development [27571].
- Article 38046 discusses the security vulnerabilities in American automobiles, pointing out that car makers have been slow to respond to criticism from researchers, indicating a lack of proactive measures in addressing software security [38046].
(b) accidental:
- Article 37776 reports on hackers taking control of a Jeep over the internet due to a security hole in FCA's Uconnect software, allowing remote access to the car's systems [37776].
- Article 38050 mentions a software vulnerability in Fiat Chrysler vehicles that required unique technical knowledge and prolonged physical access to exploit, indicating that the vulnerability was not intentional but accidental [38050].
- Article 80161 discusses how cyber security researchers revealed vulnerabilities in Jeep Cherokee, indicating that the software failures were not intentional but discovered accidentally [80161].
Category: Duration
Option: permanent
Rationale:
(a) The software failure incident in the articles appears to be more of a permanent nature. The vulnerabilities and security flaws in the car software systems, particularly in the context of remote hacking and control manipulation, indicate a persistent and ongoing risk that requires long-term solutions and security measures to be implemented [2616, 20899, 27571, 37992, 38001, 38027, 38046, 38050, 50540, 51389, 80161].
(b) The software failure incident does not seem to be temporary as the articles discuss the need for long-term security measures, ongoing vulnerabilities, and the potential for future attacks, indicating a continuous and lasting issue rather than a one-time or short-lived event.
Category: Behaviour
Option: crash, value, byzantine, other
Rationale:
(a) crash:
- Article 38046 highlights incidents of remote-controlled car accidents due to security vulnerabilities in American automobiles, where hackers could wreak havoc remotely without being physically present in the vehicle.
- Article 38050 mentions that the bug in the software could prove deadly to a driver, indicating a potential crash scenario.
- Article 80161 discusses a litigation involving Fiat Chrysler where cyber security researchers hacked a Jeep Cherokee while it was driving, indicating a crash scenario.
[38046, 38050, 80161]
(b) omission:
- There is no specific mention of a software failure incident related to omission in the provided articles.
(c) timing:
- There is no specific mention of a software failure incident related to timing in the provided articles.
(d) value:
- Article 38050 mentions that the bug in the software could prove deadly to a driver, indicating a failure in performing the intended functions correctly.
- Article 38001 discusses how hackers could essentially crash a vehicle, indicating a failure in performing the intended functions correctly.
[38050, 38001]
(e) byzantine:
- Article 38046 discusses security vulnerabilities in American automobiles, highlighting inconsistent and haphazard security measures across all automobile manufacturers, leading to potential erratic responses and interactions.
- Article 38050 mentions that the hack demonstrated by researchers required unique and extensive technical knowledge, indicating a complex and potentially inconsistent response from the software.
[38046, 38050]
(f) other:
- Article 20899 describes researchers staging a mock hack of an oil well using pumps and a liquid container filled with teal liquid, indicating a unique scenario not covered by the other options.

IoT System Layer

Layer Option Rationale
Layer: Perception
Option: sensor, actuator, processing_unit, network_communication, embedded_software
Rationale:
(a) sensor: The articles discuss how hackers could trick sensors into feeding false information to the driver, such as false location, speed, and proximity of other cars or objects [Article 20899]. Additionally, researchers demonstrated how they could access a car's core controls by breaching its Internet-connected entertainment system, potentially tampering with sensors like the brakes [Article 27571].
(b) actuator: The articles mention the nightmare scenario where hackers could tamper with a car's brakes by accessing the core controls through breaching the Internet-connected entertainment system [Article 27571].
(c) processing_unit: The articles highlight the vulnerability of the processing units in cars, where hackers could take control of the car's systems by connecting a computer to the car through a diagnostics port and hijacking the systems [Article 20899].
(d) network_communication: The articles discuss how hackers could take complete control of a car over wireless networks or trick sensors by manipulating network communication [Article 20899]. They also mention the risk of hackers accessing a car's core controls through its wireless communication hub [Article 27571].
(e) embedded_software: The articles emphasize the lack of security in the embedded software of cars, with vulnerabilities being exploited by hackers to gain control over critical components of vehicles [Article 2616]. Additionally, the articles mention the need for secure design in car software and the challenges in retrofitting security into systems not originally designed with security in mind [Article 2616].
Layer: Communication
Option: link_level
Rationale:
(a) The failure related to the communication layer of the cyber physical system that failed is evident in the articles. Researchers were able to hack into wireless tire pressure monitoring systems by exploiting vulnerabilities in the wireless system [2616]. Additionally, researchers were able to take control of a Toyota Prius and a Ford Escape by physically connecting a computer to the cars through a diagnostics port, indicating a failure at the physical layer of the communication system [20899]. The vulnerability in the Uconnect system allowed hackers to wirelessly access and control features of a Jeep Cherokee, highlighting a failure at the communication layer [38001]. These incidents demonstrate failures related to the link-level of the cyber physical systems.
Layer: Application
Option: TRUE
Rationale: The software failure incidents described in the articles were related to the application layer of the cyber physical system. Researchers were able to exploit vulnerabilities in the software to take control of various systems in cars, including critical components like steering, brakes, and engine control [Article 20899, Article 37776, Article 38001, Article 38046, Article 50540]. These incidents involved custom software that allowed hackers to hijack the cars' systems, indicating a failure at the application layer due to bugs and vulnerabilities in the software.

Other Details

Category Option Rationale
Category: Consequence
Option: death, harm, property, theoretical_consequence
Rationale:
(a) death: The articles discuss the potential for deadly consequences due to software failure incidents in vehicles. For example, Article 20899 mentions that someone hacking your car can be deadly. Additionally, Article 27571 describes a scenario where hackers could tamper with a car's core controls, leading to a situation where the car crashes and someone could lose their life [20899, 27571].
(b) harm: The articles highlight the physical harm that could result from software failure incidents. Article 38046 mentions the security vulnerabilities of automobiles that could lead to remote-controlled car accidents, potentially causing harm to individuals. It also discusses the broader threat to public infrastructure like railways, airplanes, and power plants [38046].
(d) property: Article 38050 discusses a software vulnerability in certain vehicles that could be exploited by hackers. While there were no reported injuries, accidents, or complaints related to the software vulnerability, the potential impact on drivers' safety and property is highlighted [38050].
(h) theoretical_consequence: The articles discuss theoretical consequences of software failure incidents. For instance, Article 2616 mentions the theoretical threat of hacking cars due to the increasing number of computers in vehicles. It also discusses the challenges hackers would face due to the lack of a dominant platform like Windows in cars [2616].
Category: Domain
Option: information, transportation
Rationale:
(a) The failed system was related to the information industry as it involved hacking into cars' infotainment systems, which are part of the information and entertainment solutions in cars [2616, 27571, 38009].
(b) The transportation industry was impacted by the software failure incident as hackers were able to gain control of critical functions like brakes, steering wheel, and accelerator in cars, affecting the movement of people and things [38009].
(c) The incident did not directly involve the natural resources industry.
(d) The incident did not directly involve the sales industry.
(e) The incident did not directly involve the construction industry.
(f) The incident did not directly involve the manufacturing industry.
(g) The incident did not directly involve the utilities industry.
(h) The incident did not directly involve the finance industry.
(i) The incident did not directly involve the knowledge industry.
(j) The incident did not directly involve the health industry.
(k) The incident did not directly involve the entertainment industry.
(l) The incident did not directly involve the government industry.
(m) The failed system was related to the automotive industry, specifically affecting the security and safety of vehicles due to vulnerabilities in the software systems controlling various functions in cars [2616, 27571, 38001, 38027, 38046, 80161].
