Fiat-Chrysler recalls 1.4 million vehicles after hackers turn them into lethal weapons

August 6th, 2015, by

Fiat-Chrysler is voluntarily recalling approximately 1.4 million vehicles fueled by fears of remote control hacking.1

WIRED security researchers Charlie Miller and Chris Vassalage were able to take control of a Jeep Cherokee with a laptop and mobile phone from ten miles away. The two hackers had been working with Chrysler for several months. They were testing the vulnerability of the Jeep’s Uconnect system. Andy Greenberg, a reporter who was in the driver’s seat of the Jeep whenever the hacking took place, recapitulated his experience in an article for the magazine.

According to Greenberg, the hackers were able to abruptly turn the air conditioning to full blast, switch the radio station, crank up the volume and turn on the windshield wipers. These mild annoyances were superseded whenever the hackers cut the engine, causing a mild traffic disturbance on the freeway. The two hackers then slashed the breaks and guided the Jeep into a ditch. 5

The hackers were able to take control of the Jeep by accessing the vehicle’s IP address. They were also able to know the vehicle’s speed and location through the onboard GPS system. While Miller and Vassalage only took control of the Jeep, any automobile with a Uconnect system could be hacked. Greenberg speculated that there may be as many as 471,000 hackable automobiles. Since news of the hacking broke, however, Chrysler has issued a recall on an astonishing 1.4 million vehicles.

Vehicles that made the recall list include:
013-2015 Ram 1500, 2500 and 3500 pickups
2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
2014-2015 Jeep Grand Cherokee and Cherokee SUVs
2014-2015 Dodge Durango SUVs
2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
2015 Dodge Challenger sports coupes
2013-2015 MY Dodge Viper specialty vehicles 1

In an effort to mitigate fears of hacking, Chrysler claims that the methods used to take control of the Jeep were complex and difficult to replicate. “The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,” according to Fiat Chrysler. Nevertheless, the two hackers were able to take control of the Jeep with nothing but a laptop and mobile phone. According to Miller and Vassalage, the Uconnect system has “super nice vulnerability” for hackers. 7

Chrysler issued a patch in early July after the results of the study. Due to widespread media coverage, however, the patch quickly turned into a recall. Chrysler is sending car owners affected by the recall a USB to provide software updates and install additional security features. Car owners can upgrade the software themselves or hire a mechanic to do it for them. 3

Sprint, the cellular carrier that connects Chrysler’s vehicles to the internet, is working with the automaker to smooth out glitches in the system. Chrysler claims to have “launched network-level security measures” on the Sprint cellular network in an effort to thwart future hacks. Vassalage posted on social media that Sprint’s network had been blocked whenever he tried to hack into his test jeep. 6

Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut introduced legislation on July 21, that would place federal rules on this technology. Fiat Chrysler and regulators “should be immediately taking steps to verify that other similar vulnerabilities do not exist in other models that are on the road,” Markey said in a statement. 6

Miller and Vassalage claim that they conducted the research to hold automakers accountable for any glitches in their technology. The two plan to present their data at the Black Hat Security Conference in Las Vegas August 5th. 2

Sources:
(1) activistpost.com
(2) eweek.com
(3) pcworld.com
(4) nytimes.com
(5) wired.com
(6) wsj.com
(7)wired.com