Feds say only Chryslers were vulnerable to hacks via radio, not Audi or Volkswagen

Audi, Volkswagen and Bentley installed countermeasures against remote hacks

U.S. auto safety regulators have determined that only infotainment centers from Fiat-Chrysler Automobiles (FCA) had a security flaw that could allow hackers to take control of Jeeps and several other car and truck models.

Last summer, Fiat-Chrysler recalled 1.4 million Jeep, Chrysler, Dodge and Ram vehicles that had the security flaw.

After a five-month investigation into cyberhacking vulnerabilities, the National Highway Traffic Safety Administration (NHTSA) said only FCA vehicles, and no others, were vulnerable to the hack.

Affected were certain vehicles equipped with 8.4-in. Uconnect touchscreens:

  • 2013-2015 Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

Audi, Volkswagen and Bentley were also part of the NHTSA's investigation because they use the same infotainment center as Chrysler vehicles, which is made by Harman and uses a similar Uconnect operating system.

"According to Harman, vulnerabilities identified by FCA are not present in the head units supplied to Audi and Bentley given the distinct hardware components and software architectures of these varying infotainment systems," the NHTSA stated in a report released Friday.

Additionally, Harman products supplied to Volkswagen contain software features and protocols unique to respective vehicle systems. Audi provided materials to the NHTSA explaining why its infotainment technology provided increased safety and security. According to Audi, mobile online services and Wi-Fi connectivity are located on a separate hardware module, and vehicle systems are designed to use communication domains that are separated by a gateway.

The FCA recall followed a video published by two security experts who collaborated with Wired magazine to demonstrate how they could remotely control a Jeep Cherokee using a laptop computer.

The hackers were able to use the cellular connection to the Jeep's entertainment system, or head unit, to gain access to other systems. The head unit is commonly connected to various electronic control units (ECUs) located throughout a newer vehicle. There can be as many as 200 ECUs in a vehicle.

According to the NHTSA's Office of Defects Investigation, the security architecture implementations in the infotainment head units supplied to other manufacturers are distinct from the Uconnect Access units provided to FCA from Harman.

Audi and Bentley also installed infotainment devices with countermeasures, including multilayered security implementations and partitioned communication domains to reduce security vulnerability risks and mitigate or prevent cyberattacks, the NHTSA stated.

"Additionally, these other vehicles interacted with vehicle networks outside the infotainment system differently," the NHTSA's report stated.

The NHTSA also stated that FCA and its network provider, Sprint, conducted a nationwide campaign to block access to a radio communications port that was unintentionally left open. On July 27, 2015, short-range wireless vulnerabilities were also blocked. Finally, third-party security evaluation and regression testing identified vulnerabilities that were remedied either by Sprint or through updates to the FCA Uconnect software.
