Fiat Chrysler (FCA) has announced a voluntary safety recall of approximately 1.4 million U.S. vehicles to patch a software flaw that enabled security researchers Charlie Miller and Chris Valasek to commandeer a Jeep Cherokee remotely with Wired reporter Andy Greenberg at the wheel.
In the demonstration, Miller and Valasek were able to adjust the Jeep’s air conditioning, take control of the radio, turn on the windshield wipers, engage the brakes, and cut the transmission — all by remotely accessing the vehicle’s Internet-connected Uconnect in-car system.
The aim of the demo, Miller said, was to make it clear that automakers need to take responsibility for the digital security of their vehicles. “If consumers don’t realize this is an issue, they should, and they should start complaining to car makers,” he said.
“This might be the kind of software bug most likely to kill someone,” Miller added.
Updating via USB
FCA said in a statement that the recall “aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action.”
“Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report,” the company added. “These measures — which required no customer or dealer actions — block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.”
The affected vehicles are “among the following populations,” according to FCA:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
Owners of affected vehicles will be provided with a USB drive that they can use to upgrade their vehicle’s software, which the company says “provides additional security features independent of the network-level measures.”
Customers with questions are advised to call (877) 855-8400 or visit www.driveuconnect.com/software-update to see if their vehicle is affected.
A federal standard
U.S. Senators Ed Markey and Richard Blumenthal recently introduced the Security and Privacy in Your Car (SPY Car) Act, which directs the Federal Trade Commission (FTC) and the National Highway Traffic Safety Administration (NHTSA) to establish federal cyber security and privacy standards for vehicles, and requires auto makers to notify purchasers of security and privacy measures in place in all new vehicles.
Markey published a report earlier this year entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” which found that almost all cars on the market include wireless technologies that could leave them vulnerable to hacking or privacy intrusions, and that most car makers are unaware of or unable to report on past hacking incidents.
“NHTSA needs legal tools to keep up with advancing technology, and only Congress can mandate them,” Blumenthal said in a statement. “The question now is, how many other cars on the road right now leave consumers vulnerable to cyber threats that endanger both safety and privacy.”
The FCA recall may be the first large-scale vehicle recall due to a cyber security issue, but it’s unlikely to be the last. Just as hackers regularly respond to patched Web vulnerabilities by finding new flaws to exploit, it’s safe to assume that hackers will continue to look for ways to access connected vehicles — with potentially disastrous results.
“Like many other manufacturing sectors, the automotive industry appears to have fulfilled the predictions of many security experts and underestimated the challenges of deploying secure systems in today’s challenging operating environment,” ESET senior security researcher Stephen Cobb told eSecurity Planet by email.
A recent eSecurity Planet article examined the challenges of securing connected cars.