Chrysler recalls 1.4M vehicles after Jeep hack

After revelations that some vehicles with UConnect radio systems could be hacked and controlled remotely, Fiat Chrysler Automobiles today issued a recall notice for 1.4 million vehicles to fix the security hole.

Fiat Chrysler Automobiles (FCA), the world's seventh largest automaker, today issued a recall notice for 1.4 million vehicles in order to fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions.

Security experts Charlie Miller and Chris Valasek collaborated with Wired magazine to demonstrate how they could remotely hack into -- and control -- the entertainment system and more vital functions of a 2015 Jeep Cherokee.

"We could have easily done the same thing on one of the hundreds of thousands of vulnerable vehicles on the road," Miller told Computerworld

The hackers were able to use the cellular connection to the Jeep's entertainment system, or head unit, to gain access to other systems; the head unit is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.

Miller and Valasek shared their cyber security work with Chrysler, which this week issued a software patch to fix the hole. But drivers were left to their own devices to install the patch, which would typically be done by downloading the patch to a USB drive; the USB drive is then plugged into a vehicle port and uploaded.

In explaining the voluntary recall, FCA said it plans to update U.S. vehicles equipped with 2013-2015 UConnect head unit systems.

"Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report," the company said in a  statement. "These measures - which required no customer or dealer actions - block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.

Chrysler customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures. Vehicle owners can also visit the FCA's software update website to determine if their vehicle is included in the recall.

Owners will need to input their Vehicle Identification Numbers (VINs).

Affected are certain vehicles equipped with 8.4-in UConnect touchscreens:

  • 2013-2015 Dodge Viper specialty vehicles;
  • 2013-2015 Ram 1500, 2500 and 3500 pickups;
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs;
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs;
  • 2014-2015 Dodge Durango SUVs;
  • 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans;
  • And 2015 Dodge Challenger sports coupes.

While Chrysler may fix this particular security flaw, others in its software could likely be exploited, Miller said.

Miller and industry analysts have said that patching security holes and building firewalls to stop cyber attacks is the wrong strategy and is ultimately futile.

"I don't think there's a way to you can make a really secure way for computers to communicate," Miller said. Hacking a network firewall simply takes time and perseverance.

Instead, Miller said automakers must build computer systems that recognize when a security breach has occurred in order to stop any damage.

The CAN bus is very simple and the messages on it are very predictable, Miller said. "When I start sending messages to cause attacks and physical issues, those messages stand out very plainly. It would be very easy for car companies to build a device or build something into existing software that can detect CAN messages we sent and not listen to them or take some sort of action," he said.
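The kind of check Miller describes can be sketched as a timing baseline per CAN ID. This is an added example, not code from Miller, Valasek or FCA; it assumes normal traffic for each ID is periodic, and the CAN IDs, periods and frames below are constructed.

```python
from collections import defaultdict
from statistics import median

def learn_baseline(frames):
    """Map each CAN ID to its median inter-arrival gap (ms) in clean traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    # An ID seen only once has no gap and is left out of the baseline.
    return {cid: median(g) for cid, g in gaps.items()}

def detect(frames, baseline, tolerance=0.5):
    """Return (ts_ms, can_id, reason) for frames that break the baseline."""
    last, alerts = {}, []
    for ts, can_id in frames:
        if can_id not in baseline:
            # No ECU sent this ID while the baseline was being learned.
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < baseline[can_id] * tolerance:
            # Known ID arriving much sooner than its normal period.
            alerts.append((ts, can_id, "too-fast"))
        last[can_id] = ts
    return alerts

def periodic(can_id, period_ms, count):
    """Build constructed frames: one (timestamp_ms, can_id) per period."""
    return [(i * period_ms, can_id) for i in range(count)]

# Constructed clean capture: ID 0x0C4 every 20 ms, ID 0x1A0 every 100 ms.
CLEAN = sorted(periodic(0x0C4, 20, 50) + periodic(0x1A0, 100, 10))

# Constructed live capture: the same traffic plus three extra 0x1A0 frames
# at 205-215 ms and one frame with an ID never seen in the baseline.
LIVE = sorted(periodic(0x0C4, 20, 25) + periodic(0x1A0, 100, 5)
              + [(205, 0x1A0), (210, 0x1A0), (215, 0x1A0), (330, 0x555)])

if __name__ == "__main__":
    for ts, can_id, reason in detect(LIVE, learn_baseline(CLEAN)):
        print(f"{ts:>4} ms  id=0x{can_id:03X}  {reason}")
```

A timing check like this flags that an ID's rate is wrong, not which of two closely spaced frames is the forged one, so the response (drop, log, alert) still has to be decided per ID.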

Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) filed legislation this week that would require the federal government to establish standards to ensure that automakers secure a driver against vehicle cyber attacks.

Among other things, the Security and Privacy in Your Car (SPY Car) Act calls for vehicles to be equipped with technology that can detect, report and stop hacking attempts in real time.

Stories by Lucas Mearian
