>"Hackers will be able to pull the data off the USB stick and reverse-engineer it. They'll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit," he told the BBC.<p>So? Never thought I would hear a "Security Expert" argue for, and not against, security through obscurity. Perhaps this is not the best source for critique.
Can't believe that they didn't think to include a way to verify the USB's integrity with strong crypto, and clear instructions on how to do this. Yes, non-tech savvy customers would be vulnerable to phishing (since such a letter would simply omit this step), but at least it would be <i>possible</i> for tech-savvy individuals to do so.<p>If they had done this right, they would have sent the USB with a validation step <i>and</i> widely advertised this step, so that all users would be aware of the need to do it, maybe even branding a simple software package to verify the contents as something like "UConnect SafeCheck".<p>Hopefully, they at least have a secure way to download it online (but given actions up to now, I'm not optimistic).<p>Edit: Owners can download it via https (albeit with SHA-1), but I'd be surprised if there's a way to validate the integrity of the downloaded file. Also, they're advertising that link without the SSL (and indeed, it allows non-SSL connections).
After the False Promises of Inheritance emails, it seems that we'll switch to False Security Update USB key letters.<p>If hackers go into hardware, maybe we should also start working on scam letter filters?
Research the last year your favorite car model was made with mechanical steering and mechanical accelerator and only buy those. You only have to go a decade back at most like I did.<p>You might want to stick with those years considering industries that have little knowledge or care about security are endangering your very life at highway speeds.<p>It's going to take them another half decade to care about these things and they will probably just solve it by lobbying politicians to waive liability instead.