there's two different parts
1. releasing redacted code after the vendor has been notified and had time to develop a fix: perfectly fine
2. demonstrating on a live highway: not fine at all
Yeah, I found the demonstration far more risky than they let on, and the driver certainly agreed and did panic slightly. An established test track or large open parking lot should have been used for this purpose. They realized they should when cutting the brakes, I think they just didn't actually think through the true risk potential. He was physically safe, but you cannot account for the perfect reactions of all other motorists on an otherwise smooth-flowing highway when encountering a slowed vehicle. Perhaps he and immediate cars would have been fine, but some hard braking could have actually induced a crash a quarter or half a mile back. One bad driver with bad reactions or distracted by phone or head unit would have been all that was necessary. Nobody typically expects to come upon a vehicle going 20mph when everyone else is going 60mph. Had that happen recently and that actually scared me a little, it was broad daylight thankfully, but I feared it would have caused an accident and kept an eye behind me to see if anything happened once I got myself far away from that risk.
As for public release of potentially very harmful code: I'm fine with it when it is handled properly, that is, they give the original developers more than enough time to address the issue. Public release serves not only as a means to give real black hat hackers a tool to do devious things, but more importantly, give code to the community so that more people can take the idea, find additional holes elsewhere, and help implement fixes. Many white-hatters follow the black-hat community so that they can help develop fixes with original developers so that the public risk is minimized.
As long as they give Chrysler plenty of time, and also help extensively with creating a fix, I find zero issue with that idea. The key thing here is it does not require a trip to a service center. It only requires creating a USB disk and plugging that into the car, and following a few on screen directions.
Ideally, Chrysler would mail out pre-loaded USB disks to all registered owners, and do as much as they can otherwise to get the warning to everyone who needs it and provide thorough instructions. I suspect they'll at least do the latter, but I'd love to see them take on the former concept. It's a small cost to chiefly maintain public safety, and it also maintains customer loyalty. It's a small touch with truly a very small cost for such a large corporation, especially compared to the potential lawsuit costs if anyone were to become a victim to the security flaw.
Facebook
Twitter