26–27 September 2017

Tokyo, Japan

I’m sorry, you want to order how many USB sticks?

A week or so ago, we decided to order some USB sticks to give away as gifts. My colleague found a company that sells promotional merchandise and requested a quote. It turns out USB sticks with your logo printed on them cost about €4 each if you only order a few hundred. The very next day, to help us decide, we received a FedEx package from the company, containing no fewer than 40 samples of different USB sticks in all shapes and sizes, together with some rather excellent sweets.

“Wow”, I thought. “USB sticks must be REALLY cheap”.

Good news for Fiat Chrysler, who just ordered 1.4 million of them to send to customers, so they can install software patches in the wake of the much-publicised Jeep hack by Wired Magazine. I’m sure this is a perfectly sensible way to deliver the update. It’s cheaper and less hassle than taking the car to the dealership. But I’m not sure it looks great. Maybe it’s just me, but I think that the process of receiving a plastic pen drive in the mail, taking it out to your car and slotting it into the USB port serves to underscore the apparent ease with which software (and therefore malware) can be casually introduced into the deepest levels of your vehicle’s core cyber-physical systems.

After you’ve installed the patch, I guess you could keep the USB stick. They’re always handy to have around. I probably have hundreds – each one a reminder of a meeting or show I attended over many years. Presumably this one would be an enduring reminder of the new vehicle you bought which shipped with an inherent security vulnerability so profound that hackers were able to take control of one and literally steer it into a ditch (albeit under very special conditions).

If only they could have delivered the patch as an Over The Air (OTA) update. Not only does OTA delivery offer maximum convenience, there is surely something to be said for the reassuring discretion it provides. The customer need receive nothing more than a simple email or text saying “our engineers were aware of a potential vulnerability and we have already updated your vehicle to eliminate it”. That’s it. No need to visit a web site and read about it. No USB stick. Just calming reassurance. We’re in control of our system and we’ve already fixed the issue.