Fiat
Chrysler Cyber Risk Recall of 1.4M Vehicles Seen as Industry
First
July
26, 2015 by Jeff Plungis and Mark Clothier
Fiat Chrysler Automobiles NV is recalling
about 1.4 million cars and trucks equipped with radios that are vulnerable to
hacking, the first formal safety campaign in response to a cybersecurity
threat.
The move marks a milestone for the
industry, which last year set a record with 64 million autos called back for
fixes in the U.S. The National Highway Traffic Safety Administration, under fire
from Congress for not catching defects more quickly, has been considering
punitive action against Fiat Chrysler for failing to protect vehicle
owners.
Unauthorized remote access to certain
vehicle systems was blocked with a network-level improvement on July 23, the
company said in a statement. In addition, affected customers will receive a USB
device to upgrade vehicles’ software with internal safety
features.
Fiat Chrysler was already distributing
software to insulate some connected vehicles from illegal remote manipulation
after Wired magazine published a story about software
programmers who were able to take over a Jeep Cherokee being driven on a
Missouri highway.
The company, led by Chief Executive
Officer Sergio Marchionne, reiterated that it’s not aware of any real-world
unauthorized remote hack into any of its vehicles. It stressed that no defect
was found and said it’s conducting the campaign out of “an abundance of
caution.”
NHTSA said it encouraged the action to
protect consumers against a vulnerability that could affect a driver’s
control.
Expanded
Action
“Launching a recall is the right step to
protect Fiat Chrysler’s customers, and it sets an important precedent for how
NHTSA and the industry will respond to cybersecurity vulnerabilities,” NHTSA
Administrator Mark Rosekind said in a statement Friday.
The recall covers about a million more
cars and trucks than those initially identified as needing a software patch. The
action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee
SUVs, Dodge Challenger sports coupes and Viper supercars.
“That’s not a small number to go after,”
Mark Boyadjis, an analyst with IHS Automotive, said in a telephone interview.
“This is a pretty quick response and much of it could be P.R. driven. But I
think it will keep consumers comfortable and prevent current ones and future
ones from straying away from the brand.”
This isn’t the first time automobiles
have been shown to be vulnerable to hacking. What elevates this instance is that
researchers were able to find and disable vehicles from miles away over the
cellular network that connects to the vehicles’ entertainment and navigation
systems.
That capability makes the possibility of
remote hacking of cars a reality. Earlier hacks have mostly been achieved by
jacking the researchers’ laptops into diagnostic ports inside the
cars.
Fiat Chrysler’s UConnect infotainment
system uses Sprint Corp.’s wireless network.
“This is not a Sprint issue but we have
been working with Chrysler to help them further secure their vehicles,” said
Stephanie Vinge Walsh, a Sprint spokeswoman.
NHTSA said it would open an investigation
of the remedy “to ensure that the scope of the recall is correct and that the
remedy will be effective,” agency spokesman Gordon Trowbridge said in an
e-mailed statement. The agency said its electronics and cybersecurity experts
will continue to monitor hacking threats and take action when
necessary.
Consumer
Confidence
There’s a possibility the recall could
affect consumer confidence in Fiat Chrysler, even though the company isn’t the
only one with cybersecurity challenges, said Thilo Koslowski, vice president and
automotive practice leader at technology consultant Gartner
Inc.
“It validates that cyber-hacking with
cars is a serious issue that the auto industry must pay attention to,” he said.
“The auto industry needs to develop new technology to combat these technological
problems.”
General Motors Co. has a team working on
cybersecurity and has hired Harris Corp.’s Exelis and other firms to develop
anti- hacking systems, said Mark Reuss, the Detroit automaker’s executive vice
president for global product development. GM seeks to block hackers’ access to
its autos, he said, and if they do get in, it tries to prevent them from gaining
control.
“It’s probably one of the most important
things we spend time on,” Reuss said. “Anyone who wants to do something like
that will probably get on, so you have to look at what happens when they
do.”
Proposed
Legislation
GM has also worked with the U.S. military
and with Boeing Co. on its anti-hacking systems, he said.
Senators Edward Markey of Massachusetts
and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on
July 21 that would direct NHTSA and the Federal Trade Commission to establish
rules to secure cars and protect consumer privacy.
The senators’ bill would also establish a
rating system to inform owners about how secure their vehicles are beyond any
minimum federal requirements. The lawmakers released a report in 2014 on gaps in
car-security systems, concluding that only two of 16 automakers had the ability
to detect and respond to a hacking attack.
Markey questioned why it took nine months
after learning about the security gap for Fiat Chrysler to order a
recall.
‘No
Assurances’
“There are no assurances that these
vehicles are the only ones that are this unprotected from cyberattack,” he said
Friday in an e-mail. “A safe and fully equipped vehicle should be one that is
equipped to protect drivers from hackers and thieves.”
Although general cyber threats have been
acknowledged previously by the industry, the specific ability to take control of
critical vehicle functions in the affected Fiat Chrysler vehicles only became
clear with the Wired magazine
report, said Fiat Chrysler spokesman Eric Mayne.
“Prior to this month, the precise means
of the demonstrated manipulation was not known,” Mayne
said.
Representatives Fred Upton and Frank
Pallone, leaders of the House Energy and Commerce Committee, sent letters to 17
manufacturers and NHTSA in May to gather information about how the industry is
addressing cybersecurity.
“As the underlying technologies seemingly
evolve by the day, so too must our manufacturers and regulators keep pace to
protect drivers from these growing threats,” the Michigan Republican and New
Jersey Democrat said in a statement Friday.
(By Bloomberg Reporters Mark Clothier and
Jeff Plungis; with assistance from Patrick Ralph in New York, David Welch in
Southfield, Michigan, and Jordan Robertson in Washington.)
Copyright 2015
Bloomberg.
Hackers Remotely Kill a Jeep on the Highway—With Me in It
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.
The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.”1
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.
“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.
I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.
For the rest of this article, please visit: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
