Fiat Chrysler recalls 1.4 mn vehicles to prevent hacking

25 Jul 2015

1.4mn vehicles recalled over remote hack vulnerability.

Fiat Chrysler announced the recall of about 1.4m cars and trucks in the US on Friday after two hackers were able to take control of a Jeep over the internet. Just days after hackers demonstrated that they could remotely access Jeep Cherokee’s electronic entertainment system, control cars while engines are running, or even crash one, Fiat Chrysler Automobiles has recalled some 1.4mn vehicles for a software update.

WASHINGTON — When the call came to officials at the National Highway Traffic Safety Administration, they knew they had a problem they had never faced but had long feared.

WASHINGTON — Fiat Chrysler said Friday it is voluntarily recalling 1.4 million U.S. cars to fix a software defect that could allow the vehicles to be hacked remotely.

It followed an investigation by computer programmers and Wired magazine, where they managed to manipulate a Jeep Cherokee being driven on a Missouri motorway. The automaker said the hack appeared to be an isolated incident that could not be easily repeated, because it required extensive technical knowledge of the vehicle.

This week, security researchers Chris Valasek and Charlie Miller remotely disabled a Jeep Cherokee’s brakes and steering — while the car was on the highway. The company also disclosed in government documents that the hackers got into the Jeep through an electronic opening in the radio and said it would update software to close it.

However, car manufacturers in the UK have been under increased pressure to improve the security features on vehicles that can be accessed by computer hackers. That revelation set in motion a nine-day flurry of activity by the automaker and the safety agency that culminated Friday in a sweeping recall of 1.4 million vehicles. “Launching a recall is the right step to protect Fiat Chrysler’s customers, and it sets an important precedent for how N.H.T.S.A. and the industry will respond to cybersecurity vulnerabilities,” said Mark R. All this actually happened to the Wired journalist Andy Greenberg recently when he agreed to let two hackers go to work on an Internet-connected Jeep he was driving.

The online magazine Wired reported Tuesday that two well-known cybersecurity researchers this month took control of the Jeep Cherokee through the car’s UConnect radio. It came as the industry is rapidly adding internet-connected features such as Wi-Fi and navigation that are convenient for drivers but make the car more vulnerable to outside attacks. Many of these products — which are commonly called the “Internet of Things” — carry the same software flaws that have been continually exploited by hackers operating on the Web. Vehicles today talk to the outside world through remote key systems, satellite radios, Bluetooth connections, dashboard Internet links and even wireless tire-pressure monitors. Fiat Chrysler, which faces penalties from the NHTSA for recall delays over several years, said in documents that it agreed to the recall even though there were no problems in the field other than the Jeep attack, and it had no complaints or warranty claims.

Interestingly, a Fiat blog entry by Gualberto Ranieri stated the company was aware the hackers were doing ongoing research intentionally hacking Miller’s vehicle over the past year, and that they had communicated with the company about aspects of their work. “To [the] FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle,” said Ranieri. Accordingly, FCA US has established a dedicated [engineering] team focused on identifying and implementing best practices for software development and integration.” The company said it was unaware of any injuries related to what it called “software exploitation”. The researchers, Charlie Miller and Chris Valasek, had given the automaker a heads up: The two men planned to make their findings public early this week. In January, BMW also had to issue a software patch after the German Automobile Assn. found a potential security issue in the vehicles’ cellular network.

In 2010 and 2011, a team of researchers from UC San Diego and the University of Washington showed that hackers could infiltrate a car’s electronic control network to disable brakes or even the engine. Infotainment systems are particularly good attack surfaces because modern versions often use a driver’s smartphone to connect directly to the Internet — or such systems connect to the Internet directly through cellular signals.

But many of the manufacturers involved have little experience with digital security, and few customers know how to properly protect their cars (or toothbrushes) from malicious hacking. The problems for FCA come just a day after rival General Motors revealed second-quarter profits were four times higher than in 2014, hitting $1.1bn (£710m) as bosses put last year’s troubles behind them – $1.28bn in recalls and compensation for a potentially fatal ignition switch fault in millions of compact cars. Researchers Miller and Valasek have shared their findings with Chrysler for nearly nine months, which allowed the automaker to release a patch, according to Wired. Miller said Friday that he didn’t think the company statement about criminal activity was directed at them because they hacked into a vehicle they own. “I don’t think they are saying anything bad against us in that statement, just reminding people that if someone were to hack their car, it’d be against the law,” he said. The hacking issues may not have hit the UK, but last year 6,000 cars were stolen in London by thieves using computers to trick cars into starting without keys.

Fiat Chrysler software specialists scrambled to make a patch available to plug the hole, and released one on the automaker’s website on July 16, the day after the call to Washington. Figures revealed that one in three car thefts in the capital were carried out this way, and the pressure is on carmakers, particularly Land Rover and BMW, to improve their security. Edward Markey, D-Mass., found that nearly all cars on the market “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” But while wireless technology is frequently cited as a potential source of problems — it’s also thought of by some experts as a way to help fix them. Also covered are 2014 and 2015 Dodge Durango and Jeep Grand Cherokee and Cherokee SUVs, as well as the 2015 Chrysler 200 and 300, and the Dodge Charger and Challenger.

Experts have warned that thieves may even be using computer malware to take over vehicle systems via satellite, issuing remote commands for them to unlock and start up. Secure over-the-air updates could help ease the process of fixing security flaws once they are discovered, said Josh Corman, the founder of I Am The Cavalry. The group has urged vehicle manufacturers to adopt a five-star-style rating system for security best practices, akin to the ratings for traditional vehicle safety. And if drivers were vulnerable to an attack where they could lose control of their cars, that would certainly seem to qualify, even though a recall for a web security threat had never before taken place. The upgrade will provide additional security features to the network-level measures the company has already rolled out in response to the demonstration.

While Fiat Chrysler’s recall is notable because it appears to be a result of the publicly demonstrated exploit, software problems have increasingly become the source of recalls as computer systems have taken over more vehicles. For starters, they should boost investment in technology that can detect digital intrusions, and start automatically issuing security updates to their software. Rosekind was visiting Michigan for a speech in which he addressed the need for improved web security in vehicles. N.H.T.S.A. officials decided that the vulnerability was simply too dangerous not to require a formal recall.

They should also make wider use of outside security researchers — for example, by offering “bug bounties” to hackers who can identify vulnerabilities. A rating system that evaluates their progress, as a pending bill in Congress proposes, could help consumers determine which companies are taking cybersecurity seriously. Valasek, one of the two researchers, posted on social media that when he tried connecting again to his test Jeep, the pathway through Sprint’s network had been blocked. Markey, along with Senator Richard Blumenthal, Democrat of Connecticut, recently drafted legislation to set federal standards for web security protection in vehicles.

The chairman of the House Energy and Commerce Committee, Fred Upton, Republican of Michigan, and the panel’s top Democrat, Frank Pallone Jr. of New Jersey, also issued a statement, saying that “cars today are essentially computers on wheels, and the last thing drivers should have to worry about is some hacker along for the ride.”
