Summary: A while back, someone from Wired reported on an exploit present in Jeep automobiles that allowed hackers to remotely control the car, potentially even turning it off, as well as controlling other settings such as air conditioning. Chrysler, the company that manufactures Jeeps, resolved to ship 1.4 million USB flash drives to owners of Jeeps as well as other vehicles manufactured by Chrysler that had been affected by this problem.
The reliability of the update issued to Jeep owners
may be put into question as it is intended to fix an exploit that allows for
the vehicle to be turned off in the middle of the road. Should it be applied or
coded incorrectly, then the vehicle’s problem may not be fixed or the vehicle
may not turn on at all.
(b) Describe the relationship of one primary stakeholder to the IT system in the article.
Jeep owners drive the vehicles for any purpose and
hence use them regularly; a condition of normal use is that the vehicle is
constantly operable according to the settings they have configured.
Criterion B — The IT concepts and processes [6 marks]
2. (a) Describe, step by step, how the IT system works.
The Jeep owner receives a USB flash drive from
Chrysler. After receiving the flash drive, they will then use their car keys to
open the car door at which point they will then find the USB port in their car
and plug the flash drive into the port. Then, they will turn on the car to boot
up the car’s firmware. The computer in the car should then recognize the flash
drive. There are probably hardware and/or software buttons in the car with
which to navigate the relevant menus to find the flash drive, then execute the
application to install the update, confirm whether you would like to install it
and then install the update. At this point, turn off the car and then turn it
on again in order for the updated firmware to start up.
IT system: Jeep update
(b) Explain the relationship between the IT system and the social/ethical concern described in Criterion A.
Jeep owners will have applied the update in order to
prevent the possibility of the car being remotely controlled and turned off in
the middle of the road. However, if the owners are not competent or the update
was not coded correctly, then their car may malfunction or even be unable to
turn on in which case they will have to send in the car to Chrysler to
reinstall the firmware or find a mechanic to repair the car or sell the car as
it would be completely useless.
Criterion C — The impact of the social/ethical issue(s) on stakeholders [8 marks]
3. Evaluate the impact of the social/ethical issues on the relevant stakeholders.
Chrysler – management
Chrysler – developers
Authenticity
Reliability – The developers should run a system to
emulate the Jeep firmware or run the firmware on an actual Jeep in order to
test the update. In doing so, they should cover as many potential scenarios as
possible in order to rectify any particular problems with any specific memory
addresses that could be vulnerable to buffer overflows or some other form of
attack.
Security – In patching this error, Chrysler developers
should prevent external connections to the Jeeps or if the cars are
Internet-enabled, then a whitelist setting should be made that only allows
external connections from particular people with unique identifiers (e.g.
Chrysler developers, Jeep owners).
Jeep owners
Reliability
Security
Privacy – Receiving the update would not be
prioritized as a privacy concern as the error in question is one relevant to
the operation of their car and any use or manufacture of the update by Chrysler
would not be viewed as a privacy invasion. However, those that previously
hacked Jeeps would find they cannot do so due to the update being applied. If
they obtained any identifying information about the vehicle before, then they
could use this to determine which have had the update applied.
Chrysler – dealerships
Integrity – The dealerships may disclose news of this
exploit to affected consumers and provide flash drives in order to keep
faithful customers, maintain ethical practice or signal to potential customers
that they are technologically aware. However, the dealerships may also choose
not to make customers aware of the update, whether or not they provide flash
drives, in order to gain profits from customers who come in to get the car
serviced for this update or, better yet, to buy new cars. They may also hide
the news to prevent the loss of profit from people selling their Jeeps once
they know of this exploit, or from criticism of Chrysler over the incident
becoming widespread enough to hinder sales.
People that previously hacked Jeeps
Security – The people that previously hacked Jeeps may
attempt to circumvent the updated code and exploit it in order to reassert
control over Jeeps, either with malicious intent or for entertainment (though
the entertainment is Schadenfreude for the hacker and unfortunate for the
victim).
Criterion D — A solution to a problem arising from the article [8 marks]
4. Evaluate one possible solution that addresses at least one problem identified in Criterion C.
Chrysler could also
include in the update a scheme to change how Jeeps identify themselves on an
Internet-enabled car network once the update has been applied. This could be
done by changing the identifier the Jeep uses to denote itself (e.g. changing
its name from JEEP-0198628 to $857@hgbd*0245j), by using a different IP
address every time the car connects to the network, or by using encrypted
connections between the car and the services it accesses as much as possible,
to prevent hackers from gaining unauthorized access to the car and controlling
it at their whim. In addition, this would allow users to maintain their privacy
from hackers after having been previously hacked and after installing the
update: their identifier would change, and the identification that the
hacker used to correspond to any data he had about the car (e.g. license plate,
color, model, year) would no longer register or correspond, as that car would
technically have been decommissioned, no longer exist, or be a different car
altogether.
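The identifier change proposed above can be made concrete. The sketch below is an added example, not code from Chrysler or from this post, and it goes one step beyond the single rename the answer describes: the car derives a fresh network identifier every hour from a per-vehicle secret, so an identifier observed earlier stops matching while the manufacturer's backend can still resolve the current one. The key provisioning, the one-hour interval, the `Backend` class and the record name are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

EPOCH_SECONDS = 3600  # assumed rotation interval: one identifier per hour


def new_vehicle_key() -> bytes:
    """Per-vehicle secret installed by the update (an assumption of this sketch)."""
    return secrets.token_bytes(32)


def network_id(vehicle_key: bytes, unix_time: int) -> str:
    """Identifier the car presents on the network during the current epoch."""
    epoch = unix_time // EPOCH_SECONDS
    msg = b"net-id|" + str(epoch).encode()
    return hmac.new(vehicle_key, msg, hashlib.sha256).hexdigest()[:16]


class Backend:
    """Manufacturer side (hypothetical): holds the keys, so it can resolve IDs."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}  # internal record name -> vehicle key

    def enroll(self, record: str, vehicle_key: bytes) -> None:
        self._keys[record] = vehicle_key

    def resolve(self, presented_id: str, unix_time: int) -> Optional[str]:
        # Accept the current and the previous epoch to tolerate clock skew.
        for t in (unix_time, unix_time - EPOCH_SECONDS):
            for record, key in self._keys.items():
                if hmac.compare_digest(network_id(key, t), presented_id):
                    return record
        return None  # unknown or stale identifier


def demo() -> dict:
    backend = Backend()
    key = new_vehicle_key()
    backend.enroll("vehicle-record-A", key)  # constructed sample record
    t0 = 1_700_000_000                       # constructed timestamp
    later = t0 + 2 * EPOCH_SECONDS
    old_id, new_id = network_id(key, t0), network_id(key, later)
    return {
        "ids_differ": old_id != new_id,
        "backend_resolves_new": backend.resolve(new_id, later),
        "stale_id_resolves": backend.resolve(old_id, later),
    }
```

Rotation only breaks linkage through the identifier itself; anything else the car exposes on the network that stays constant would still let an observer re-link it.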
Criterion A = 4 marks due to appropriate social/ethical concern was mentioned and a descriptive relationship between the user and the IT system.
Criterion B = 5 or 6 marks, an in-depth understanding of the IT system and how it functions, knowledge outside the article is clearly stated. Didn't mention the social/ethical concern, should mention it again to make it easier for examiners to link to it.
Criterion C = 6 or 7, Impacts of the social/ethical issues are realized and analyzed to an extent but doesn't really show the advantages and disadvantages for each stakeholder, however there is a constant use of appropriate ITGS terminology throughout.
Criterion D = 5 or 6 marks, An appropriate solution is identified however you did not mention the potential weaknesses of this solution therefore I would say that you are in the 5 mark band, there is ITGS terminology used throughout the text.
Overall I would say that you scored 20/26