Fiat Chrysler Cyber Risk Recall of 1.4M Vehicles Seen as Industry First
July 26, 2015 by Jeff Plungis and Mark Clothier
Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.
The move marks a milestone for the industry, which last year set a record with 64 million autos called back for fixes in the U.S. The National Highway Traffic Safety Administration, under fire from Congress for not catching defects more quickly, has been considering punitive action against Fiat Chrysler for failing to protect vehicle owners.
Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on July 23, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.
Fiat Chrysler was already distributing software to insulate some connected vehicles from illegal remote manipulation after Wired magazine published a story about software programmers who were able to take over a Jeep Cherokee being driven on a Missouri highway.
The company, led by Chief Executive Officer Sergio Marchionne, reiterated that it’s not aware of any real-world unauthorized remote hack into any of its vehicles. It stressed that no defect was found and said it’s conducting the campaign out of “an abundance of caution.”
NHTSA said it encouraged the action to protect consumers against a vulnerability that could affect a driver’s control.
Expanded Action
“Launching a recall is the right step to protect Fiat Chrysler’s customers, and it sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities,” NHTSA Administrator Mark Rosekind said in a statement Friday.
The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.
“That’s not a small number to go after,” Mark Boyadjis, an analyst with IHS Automotive, said in a telephone interview. “This is a pretty quick response and much of it could be P.R. driven. But I think it will keep consumers comfortable and prevent current ones and future ones from straying away from the brand.”
This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.
That capability makes the possibility of remote hacking of cars a reality. Earlier hacks have mostly been achieved by jacking the researchers’ laptops into diagnostic ports inside the cars.
Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.
“This is not a Sprint issue but we have been working with Chrysler to help them further secure their vehicles,” said Stephanie Vinge Walsh, a Sprint spokeswoman.
NHTSA said it would open an investigation of the remedy “to ensure that the scope of the recall is correct and that the remedy will be effective,” agency spokesman Gordon Trowbridge said in an e-mailed statement. The agency said its electronics and cybersecurity experts will continue to monitor hacking threats and take action when necessary.
Consumer Confidence
There’s a possibility the recall could affect consumer confidence in Fiat Chrysler, even though the company isn’t the only one with cybersecurity challenges, said Thilo Koslowski, vice president and automotive practice leader at technology consultant Gartner Inc.
“It validates that cyber-hacking with cars is a serious issue that the auto industry must pay attention to,” he said. “The auto industry needs to develop new technology to combat these technological problems.”
General Motors Co. has a team working on cybersecurity and has hired Harris Corp.’s Exelis and other firms to develop anti-hacking systems, said Mark Reuss, the Detroit automaker’s executive vice president for global product development. GM seeks to block hackers’ access to its autos, he said, and if they do get in, it tries to prevent them from gaining control.
“It’s probably one of the most important things we spend time on,” Reuss said. “Anyone who wants to do something like that will probably get on, so you have to look at what happens when they do.”
Proposed Legislation
GM has also worked with the U.S. military and with Boeing Co. on its anti-hacking systems, he said.
Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements. The lawmakers released a report in 2014 on gaps in car-security systems, concluding that only two of 16 automakers had the ability to detect and respond to a hacking attack.
Markey questioned why it took nine months after learning about the security gap for Fiat Chrysler to order a recall.
‘No Assurances’
“There are no assurances that these vehicles are the only ones that are this unprotected from cyberattack,” he said Friday in an e-mail. “A safe and fully equipped vehicle should be one that is equipped to protect drivers from hackers and thieves.”
Although general cyber threats have been acknowledged previously by the industry, the specific ability to take control of critical vehicle functions in the affected Fiat Chrysler vehicles only became clear with the Wired magazine report, said Fiat Chrysler spokesman Eric Mayne.
“Prior to this month, the precise means of the demonstrated manipulation was not known,” Mayne said.
Representatives Fred Upton and Frank Pallone, leaders of the House Energy and Commerce Committee, sent letters to 17 manufacturers and NHTSA in May to gather information about how the industry is addressing cybersecurity.
“As the underlying technologies seemingly evolve by the day, so too must our manufacturers and regulators keep pace to protect drivers from these growing threats,” the Michigan Republican and New Jersey Democrat said in a statement Friday.
(By Bloomberg Reporters Mark Clothier and Jeff Plungis; with assistance from Patrick Ralph in New York, David Welch in Southfield, Michigan, and Jordan Robertson in Washington.)
Copyright 2015 Bloomberg.
Hackers Remotely Kill a Jeep on the Highway—With Me in It
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.
The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.”
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.
At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.
“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.
I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.
For the rest of this article, please visit: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/