Feds say only Chryslers were vulnerable to hacks via radio, not Audi or Volkswagen
- 12 January, 2016 01:16
U.S. auto safety regulators have determined that only infotainment centers from Fiat-Chrysler Automobiles (FCA) had a security flaw that could allow hackers to take control of Jeeps and several other car and truck models.
Last summer, Fiat-Chrysler recalled 1.4 million Jeep, Chrysler, Dodge and Ram vehicles that had the security flaw.
After a five-month investigation into cyberhacking vulnerabilities, the National Highway Traffic Safety Administration (NHTSA) said only FCA vehicles, and no others, were vulnerable to the hack.
Affected were certain vehicles equipped with 8.4-in. Uconnect touchscreens:
- 2013-2015 Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
Audi, Volkswagen and Bentley were also part of the NHTSA's investigation because they use the same infotainment centers as Chrysler vehicles, which are made by Harman and use a similar Uconnect operating system.
"According to Harman, vulnerabilities identified by FCA are not present in the head units supplied to Audi and Bentley given the distinct hardware components and software architectures of these varying infotainment systems," the NHTSA stated in a report released Friday.
Additionally, Harman products supplied to Volkswagen contain software features and protocols unique to respective vehicle systems. Audi provided materials to the NHTSA explaining why its infotainment technology provided increased safety and security. According to Audi, mobile online services and Wi-Fi connectivity are located on a separate hardware module, and vehicle systems are designed to use communication domains that are separated by a gateway.
The FCA recall followed a video published by two security experts who collaborated with Wired magazine to demonstrate how they could remotely control a Jeep Cherokee using a laptop computer.
The hackers were able to use the cellular connection to the Jeep's entertainment system, or head unit, to gain access to other systems. The head unit is commonly connected to various electronic control units (ECUs) located throughout a newer vehicle. There can be as many as 200 ECUs in a vehicle.
According to the NHTSA's Office of Defects Investigation, the security architecture implementations in the infotainment head units supplied to other manufacturers are distinct from the Uconnect Access units provided to FCA from Harman.
Audi and Bentley also installed infotainment devices with countermeasures, including multilayered security implementations and partitioned communication domains to reduce security vulnerability risks and mitigate or prevent cyberattacks, the NHTSA stated.
"Additionally, these other vehicles interacted with vehicle networks outside the infotainment system differently," the NHTSA's report stated.
The NHTSA also stated that FCA and its network provider, Sprint, conducted a nationwide campaign to block access to a radio communications port that was unintentionally left open. On July 27, 2015, short-range wireless vulnerabilities were also blocked. Finally, third-party security evaluation and regression testing identified vulnerabilities that were remedied either by Sprint or through updates to the FCA Uconnect software.