Or, how not to handle a software patch.

After Wired showed two hackers remotely gain access to and immobilize a moving Jeep by exploiting software vulnerabilities last week, Fiat Chrysler responded by patching the vulnerability in several Jeep, Dodge, and Chrysler models equipped with the Uconnect software that was hacked. How the company went about issuing the patch, however, may put its customers at further risk.

Rather than treating the software patch as a traditional recall (i.e. requiring owners to visit a service center and have a technician make the fix), Fiat Chrysler is mailing a USB thumb drive to owners of the affected cars. The owners then plug the USB drive into the car's USB port to apply the patch.

This seems like a convenient way to issue a recall for something car owners can fix themselves. However, as anyone with cybersecurity experience knows, it opens a wide window for attackers inclined to exploit the vulnerability to take control of the car: owners are being taught to expect an unsolicited USB drive in the mail and to plug it straight into their vehicle, which is exactly the behavior a social engineer would want.

Carl Leonard, principal security analyst at Raytheon Websense, says this creates an easy social engineering opportunity and relies on a notoriously risky distribution medium, the USB drive.

“The decision of Fiat Chrysler to mail out USB sticks to customers directly to patch the recent vulnerability is the security equivalent of waving a red rag to a bull,” Leonard says. “Hackers, highly adept at taking advantage of indecision and social engineering tactics in times of crisis, could potentially utilize this USB fix opportunity for nefarious gain.”

For those who own these cars, attempting to patch the security vulnerability could end up backfiring if they are targeted by hackers.

“[Hackers] could, for instance, parody the update with a bogus letter and USB stick of their own, allowing them to launch a multitude of real-life threat scenarios, including crashing or stealing the car,” Leonard added.
“This doesn’t even take into account the uncertainty that the USB patch has been applied properly without any negative consequences for the safe operation of the vehicle.”

This all seems especially ill-advised considering that Fiat Chrysler has also made the update available to download from its website, as well as offering the fix at its dealerships. The offer to mail a pre-loaded USB device was never really necessary in the first place.