1.4mn vehicles recalled over remote hack vulnerability

© Rebecca Cook
Just days after hackers demonstrated that they could remotely access Jeep Cherokee’s electronic entertainment system, control cars while engines are running, or even crash one, Fiat Chrysler Automobiles has recalled some 1.4mn vehicles for a software update.

The recall announced on Friday involves a broad range of Dodge, Jeep, Ram and Chrysler cars and trucks manufactured between 2013 and 2015, equipped with touchscreen infotainment radio system, proved to be vulnerable to remote hacking.

“The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action,” said FCA US, the American arm of the Italian auto group, in a statement.

The drivers of the recalled cars will receive a USB device that can be used to update the vehicle’s software. Meanwhile the company says it has already implemented additional security measures wirelessly.

The National Highway Traffic Safety Administration however said it would investigate Fiat’s recall to “better assess the effectiveness of the remedy.”

Earlier this month, two well-known cybersecurity researchers, Charlie Miller and Chris Valasek, showed that merely working from theirs laptops they could compromise the Jeep Cherokee’s electronics via its radio system.

During the experiment a Wired reporter drove the Jeep Cherokee on a St. Louis highway at 70 miles an hour – and the hackers from 10 miles away took over and changed vehicle’s speed, manipulated the radio and windshield wipers.

READ MORE: Automakers stumped: Report says hackers can hijack almost any car

“Though I hadn’t touched the dashboard, the vents…started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” wrote Andy Greenberg.

Hackers badly frightened Greenberg after they cut the Jeep’s brakes, causing the vehicle to roll into a ditch. As for hijacking the wheel, for now researchers are only able to do it while the vehicle is in reverse.

Interestingly, a Fiat blog entry by Gualberto Ranieri stated the company was aware the hackers were doing ongoing research intentionally hacking Miller’s vehicle over the past year, and that they had communicated with the company about aspects of their work.

READ MORE: Car-hacked: Cyber-criminals could target driverless vehicles, cause chaos – expert

“To [the] FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle,” said Ranieri.

Charlie Miller has made a name for himself over the years by exploiting weaknesses in mobile payments technology and cars. Chris Valasek joined Miller in car hacking a couple of years ago. They’ve previously exploited the software of the Escape and the Toyota Prius.

Fiat downplayed the vulnerability of the software hack stressing that it required “unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.”

Meanwhile the two hackers will present their findings to Defcon in Las Vegas in August.