Remote hack vulnerability makes Chrysler recall 1.4M cars
Just days after two hackers disclosed that they took control of a Jeep Cherokee SUV over the Internet, Fiat Chrysler Automobiles (FCA) on Friday announced that it has recalled about 1.4 million cars and trucks in the U.S. that have a specific 8.4-inch touch-based radio installed in them. The automaker also said in a statement that on Thursday it had closed a loophole in its internal cellular telephone network with vehicles to prevent similar attacks.
The recall involves a wide range of Jeep, Dodge, Ram, and Chrysler cars and trucks manufactured between 2013 and 2015 and fitted with a touchscreen infotainment radio system that proved to be susceptible to remote hacking.
FCA US, the American arm of the Italian auto group, said in a statement, “The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action.”
“Customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures,” the company said on Friday. “Alternately, customers may visit https://www.driveuconnect.com/software-update/ to input their Vehicle Identification Numbers (VINs) and determine if their vehicles are included in the recall.”
However, the National Highway Traffic Safety Administration said it would carry out a formal inquiry into Fiat’s recall to “better assess the effectiveness of the remedy” and would find out which other automakers use the same radios. It comes as the industry is rapidly adding Internet-connected features such as navigation and WiFi, which are convenient for drivers but make cars more susceptible to outside attacks.
“I think it’s a pretty big deal,” said James Carder, Chief Information Security Officer for LogRhythm Inc., a Boulder, Colorado, security company. “This isn’t intellectual property going out the door, this is 1.4 million lives on the line.”
The fix came after two well-known cybersecurity researchers, Charlie Miller and Chris Valasek, remotely took control of the Cherokee through its UConnect entertainment system while it was moving 70 mph in downtown St. Louis. The hackers, who were 10 miles away, took over and changed the vehicle’s speed, manipulated the radio, and controlled the brakes, windshield wipers, transmission and other features.
For now, the researchers are able to hijack the wheel only while the vehicle is in reverse.
“The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,” the company added. “No defect has been found. FCA US is conducting this campaign out of an abundance of caution.”
Interestingly, a Fiat blog entry by Gualberto Ranieri stated that the company did know that the hackers had spent the past year researching how to deliberately hack Miller’s vehicle, and that they had shared information about aspects of their work with the company.
“To [the] FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle,” said Ranieri.
Over the years, Charlie Miller has made a name for himself by exploiting weaknesses in cars and mobile payments technology. He was joined by Chris Valasek in car hacking a couple of years ago. In the past, both have exploited the software of the Toyota Prius and Escape.
Fiat played down the susceptibility to the software hack, emphasizing that it needed “unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.”
In the meantime, Miller and Valasek are gearing up to disclose findings of their exploit during the Black Hat security conference in Las Vegas on the Internet next month. FCA, for its part, is asking its customers to get the software update to prevent hackers from taking over their vehicles. Customers with queries can call the customer care center in the U.S. at 1-800-853-1403.