Jeep parent company FCA has issued a recall of 1.4 million cars — including such popular vehicles as the Jeep Cherokee, Dodge Charger, and Chrysler 200 — following revelations that hackers can take over a multitude of car functions, including disabling the brakes and engine.
In an article posted on Wired, software engineers Charlie Miller and Chris Valasek demonstrated the ability to remotely access a Cherokee and take over a variety of features, including those key parts of driving via a vulnerability in the Uconnect infotainment system. This provides many internet-based services by way of a cellular connection. FCA initially released a statement playing down concerns and distributing a software update to plug the proverbial hole; On Friday the company expanded that action to a voluntary safety recall.
“FCA U.S. has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015,” says FCA’s recall announcement. This action coincides with the voluntary recall in which the initially released software patch will be installed.
Ron Montoya, senior consumer advice editor at Edmunds.com reached out to Digital Trends on Wednesday when the patch was initially released to explain why drivers need not panic.
“Car owners might read about this hack and become understandably concerned, but they need to know that this is not an issue that should keep them up at night,” Montoya adds. “This week’s hack was an isolated incident that was performed on one specific vehicle and it was not something that could be replicated on a mass scale. Nevertheless, automakers recognize this as a very important issue and they’re proactively working to identify flaws in their own connected systems and address whatever issues they may find.”
Montoya also expanded on FCA’s statement that the cyber security breach “required unique and extensive technical knowledge, prolonged physical access to a subject vehicle, and extended periods of time to write code.”
“It’s important to note that these weren’t any old hackers, this was a team that had a grant from DARPA assigned to find vulnerabilities in vehicles,” he said. Miller –a former NSA hacker — and Valasek — director of vehicle security research at the consultancy IOActive — had to start physically tearing though at least 24 cars of various brands before determining that the Jeep Cherokee was the easiest nut to crack. The message here is that considerable time, money, and resources were required to pull off this wireless feat.
In other words, the likelihood of Johnny Anyhacker wantonly overriding vehicles is unlikely. But should we rest easy? Ron suggests that while we can sleep soundly, it’s automakers that should be taking note and stepping up their game. “[Cybersecurity] is something they already keep in mind, but this is something that makes automakers more aware,” he says.
Miller and Valasek will release part of their hacking software for peer review, and FCA isn’t too crazy about that.
“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” reads a statement from the automaker. The brand further assuages fears stating that “After becoming aware of the vulnerabilities… FCA U.S. and several suppliers worked to fix the vulnerabilities in model year 2015 vehicles. FCA also created a software update that eliminates the vulnerabilities uncovered by Miller and Valasek in their laboratory tests.”
This is something the automaker also wants to make clear: “To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle” (emphasis theirs).
FCA has also expanded the list of cars subject to the vulnerability. They now include:
- 2013-15 Dodge Viper specialty vehicles
- 2013-15 Ram 1500, 2500 and 3500 pickups
- 2013-15 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-15 Jeep Grand Cherokee and Cherokee SUVs
- 2014-15 Dodge Durango SUVs
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
“It’s important to reiterate that there is no real safety threat to FCA owners,” Montoya concludes. “Earlier this week we installed that patch to our own 2014 Ram 1500,” demonstrating the ease of which the patch can be updated. Owners of any FCA vehicles are still encouraged to go to this link and run their car’s VIN number to check if it falls under the recall.