In-brief: Fiat Chrysler is recalling 1.4 million vehicles to fix a software flaw that leaves the cars vulnerable to wireless hacks that could affect braking, steering and acceleration.
Fiat Chrysler Automobile (FCA) said on Friday that is expanding the recall of late model vehicles following a demonstration of remote, wireless hacking of a Chrysler Jeep Cherokee by researchers Chris Valasek and Charlie Miller.
In a blog post on Friday, the company said it is expanding the recall of vehicles to apply a software security update beyond what the company initially indicated. Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars are included in the recall.
The change in direction builds on an optional software update released on July 16th and targeted at the vehicles’ touchscreen. The update, unlike the earlier patch, is mandatory according to the post.
On Thursday, Fiat Chrysler “applied network-level security measures to prevent the type of remote manipulation demonstrated in the July 21 WIRED story,” the company said. “Those security measures block remote access to certain vehicle systems and were fully tested and implemented within the cellular network.”
Vehicle owners will receive a USB device with the latest software to upgrade their vehicle’s software with additional safety features, beyond the network-level measure. They can also visit a Jeep dealer to have the upgrade installed.
[Read about the researchers’ wireless hack of a Jeep Cherokee here.]
As reported by Wired’s Andy Greenberg on Sunday, Valasek and Miller developed methods to exploit holes in the software that powers late model vehicles including a 2014 Jeep Cherokee. The researchers plan to unveil a remote exploit of Chrysler’s Uconnect connected car platform that can also be used to jump to the vehicle’s CAN bus – or internal network- and from there to systems that manage the operation of the engine, braking and other critical functions. Attackers would only need to know the IP address of the vehicle to control it, wirelessly, from anywhere in the country, the researchers told Wired.
Wired released video of Greenberg driving a Cherokee on an interstate highway and at the mercy of Valasek and Miller . In the video, the two researchers bombard the passenger cabin with loud music, blur the windshield with wiper fluid and – worryingly – force the car to decelerate. In another demo, the two showed how their attacks can control the car’s steering or tamper with its brakes.
The research has been shared with Fiat Chrysler for nine months and the company issued a software update addressing the vulnerabilities the researchers discovered on July 16, before the story became public, according to an alert issued this week by the Department of Homeland Security’s ICS CERT.
In its blog post, FCA said the following vehicle models were affected:
- 2013-2015 Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep® Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
Vehicle owners who want to know if their car needs the update can visit this web site and input their Vehicle Identification Numbers (VINs) to figure out if their vehicle is affected.
In a demonstration for Wired, Miller and Valasek claimed that a would-be attacker equipped with their tools would only need to know the VIN of a vehicle to exploit a known hole in the FCA UConnect technology over Sprint’s cellular network. FCA said the latest software doesn’t render its vehicle unhackable, but does raise the bar for hackers considerably and eliminate the possibility of wireless hacks.
“The software update addressed by the recall, after the security steps we took July 23, would require unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write the appropriate code,” the company said.
In an interview with Security Ledger, Valasek said that the introduction of wireless Internet connectivity requires automakers to improve the robustness and security of the underlying software that is used to operate vehicles. “With added connectivity comes added security risk,” he said. Valasek and Miller advocate the introduction of security and monitoring tools akin to those used on enterprise networks. For example: logging capabilities that can help to spot changes to firmware and other components that might be associated with malicious activity.
One security expert noted that the FCA emergency software patch isn’t the first update for a vehicle related to a security flaw, but that the capabilities demonstrated by the two researchers were unusual – and unusually scary. That may be a good thing in the long run.
“The risks of the connected car lie in the ability to affect the operations of the vehicle from the outside world,” said Tim Erlin, director of IT security and risk strategy at Tripwire in an e-mailed statement.
“A recall has very real, material costs for an automotive manufacturer. Experiencing an urgent recall for a security patch to the vehicle’s software is likely to drive changes around how software is updated for all manufacturers,” Erlin wrote.