Fiat Chrysler Automobiles (FCA), the world's seventh largest automaker, today issued a recall notice for 1.4 million vehicles in order to fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions.
The National Highway Traffic Safety Administration (NHTSA) also plans to look into the matter.
Security experts Charlie Miller and Chris Valasek collaborated with Wired magazine to demonstrate how they could remotely hack into -- and control -- the entertainment system and more vital functions of a 2015 Jeep Cherokee.
"We could have easily done the same thing on one of the hundreds of thousands of vulnerable vehicles on the road," Miller told Computerworld.
The hackers were able to use the cellular connection to the Jeep's entertainment system, or head unit, to gain access to other systems; the head unit is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.
Miller and Valasek shared their cybersecurity work with Chrysler, which this week issued a software patch to fix the hole. But drivers were left to their own devices to install the patch, which would typically be done by downloading the patch to a USB drive; the USB drive is then plugged into a vehicle port and the update is uploaded.
In explaining the voluntary recall, FCA said it plans to update U.S. vehicles equipped with 2013-2015 UConnect head unit systems.
"Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report," the company said in a statement. "These measures - which required no customer or dealer actions - block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015."
Chrysler customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures. Vehicle owners can also visit the FCA's software update website to determine if their vehicle is included in the recall.
Owners will need to input their Vehicle Identification Number (VIN).
Affected are certain vehicles equipped with 8.4-inch UConnect touchscreens:
- 2013-2015 Dodge Viper specialty vehicles;
- 2013-2015 Ram 1500, 2500 and 3500 pickups;
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs;
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs;
- 2014-2015 Dodge Durango SUVs;
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans;
- And 2015 Dodge Challenger sports coupes.
While Chrysler may fix this particular security flaw, others in its software could likely be exploited, Miller said.
Miller and industry analysts have said that patching security holes and building firewalls to stop cyber attacks is the wrong strategy and is ultimately futile.
"I don't think there's a way you can make a really secure way for computers to communicate," Miller said. "Hacking a network firewall simply takes time and perseverance."
Instead, Miller said automakers must build computer systems that recognize when a security breach has occurred in order to stop any damage.
The CAN bus is very simple and the messages on it are very predictable, Miller said. "When I start sending messages to cause attacks and physical issues, those messages stand out very plainly. It would be very easy for car companies to build a device or build something into existing software that can detect CAN messages we sent and not listen to them or take some sort of action," he said.
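The detection approach Miller describes, a device or software that learns what normal CAN traffic looks like and flags frames that do not fit, can be illustrated with a small baseline-and-detect script. This is an added example, not code from Miller, Valasek, FCA or the article; it assumes a candump-style log format (`(timestamp) interface id#data`) and uses constructed sample traffic with made-up arbitration IDs, rates and thresholds.

```python
"""Baseline-and-detect for CAN traffic.

Learn which arbitration IDs appear on the bus and how often each one is
sent during a clean capture, then flag frames that arrive on an ID never
seen in the baseline or in a burst well above the learned rate. The
hypothetical thresholds (1-second window, 3x burst factor) are assumptions.
"""
import re
from collections import defaultdict, deque

# candump-style line: "(1437000000.123) can0 0C4#0123ABCD"
FRAME_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_frame(line):
    """Return (timestamp, arbitration_id, data_hex) or None for unparseable lines."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("id").upper(), m.group("data").upper()


def learn_baseline(lines):
    """Map each arbitration ID seen in a clean capture to its rate in frames/second."""
    frames = [f for f in map(parse_frame, lines) if f is not None]
    if not frames:
        return {}
    duration = max(frames[-1][0] - frames[0][0], 1e-3)  # guard single-frame captures
    counts = defaultdict(int)
    for _, can_id, _ in frames:
        counts[can_id] += 1
    return {can_id: n / duration for can_id, n in counts.items()}


def detect_anomalies(lines, baseline, window=1.0, burst_factor=3.0):
    """Return (timestamp, id, reason) alerts for unknown IDs and rate bursts.

    A burst is reported once when the per-ID count inside the sliding window
    first exceeds burst_factor times the expected count (with a small floor so
    rare IDs are not flagged by normal jitter).
    """
    alerts = []
    recent = defaultdict(deque)   # per-ID timestamps inside the window
    in_burst = set()              # IDs currently above threshold
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue
        ts, can_id, _ = frame
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown_id"))
            continue
        q = recent[can_id]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        expected = baseline[can_id] * window
        threshold = max(burst_factor * expected, expected + 2)
        if len(q) > threshold:
            if can_id not in in_burst:
                in_burst.add(can_id)
                alerts.append((ts, can_id, "rate_burst"))
        else:
            in_burst.discard(can_id)
    return alerts


def make_log(streams):
    """Build constructed candump-style lines from (id, start, step, count, data) tuples."""
    frames = []
    for can_id, start, step, count, data in streams:
        for i in range(count):
            frames.append((round(start + i * step, 3), can_id, data))
    frames.sort()
    return [f"({ts:.3f}) can0 {cid}#{data}" for ts, cid, data in frames]


# Constructed clean capture: two periodic IDs at 10 Hz and 5 Hz for ~2 seconds.
BASELINE_LOG = make_log([("0C4", 0.0, 0.1, 20, "0000"), ("1A6", 0.0, 0.2, 10, "0A")])
BASELINE = learn_baseline(BASELINE_LOG)

# Constructed suspicious capture: same background traffic plus a 100 Hz flood
# on 0C4 between t=1.0 and t=1.5 and one frame on an ID absent from baseline.
ATTACK_LOG = make_log([
    ("0C4", 0.0, 0.1, 20, "0000"),
    ("1A6", 0.0, 0.2, 10, "0A"),
    ("0C4", 1.0, 0.01, 50, "FFFF"),
    ("7E0", 0.5, 1.0, 1, "0202"),
])

if __name__ == "__main__":
    for ts, can_id, reason in detect_anomalies(ATTACK_LOG, BASELINE):
        print(f"t={ts:.3f} id={can_id} {reason}")
```

Run as a script it prints the unknown-ID alert and a single burst alert for the flooded ID while leaving the untouched 5 Hz ID silent. A real deployment would replace the constructed logs with a live interface feed and tune the window and burst factor per vehicle platform; the point of the structure is that periodic CAN traffic is regular enough that a per-ID rate baseline separates injected frames from normal ones.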
Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) filed legislation this week that would require the federal government to establish standards to ensure that automakers secure a driver against vehicle cyber attacks.
Among other things, the Security and Privacy in Your Car (SPY Car) Act calls for vehicles to be equipped with technology that can detect, report and stop hacking attempts in real time.
Markey, in an afternoon statement, criticized the Chrysler response: "Despite knowing about this security gap for nearly nine months, Chrysler is only now recalling 1.4 million vehicles to fix [it], and there are no assurances that these vehicles are the only ones that are this unprotected from cyberattack. A safe and fully-equipped vehicle should be one that is equipped to protect drivers from hackers and thieves.
"Both automakers and NHTSA should be immediately taking steps to verify that other similar vulnerabilities do not exist in other models that are on the road," he said. "And Congress needs to pass legislation that ensures automakers put in place minimum standards to protect drivers in these connected cars."