By on July 24, 2015


Fiat Chrysler Automobiles announced that it would voluntarily recall 1.4 million vehicles to patch a security vulnerability that could allow hackers to infiltrate a car’s vital systems.

The recall would apply to cars fitted with the Uconnect 8.4-inch touchscreen. A story released by Wired magazine this week detailed two hackers’ system that could take over a Jeep Cherokee and control the car’s systems, including throttle, braking and steering.

Jeep released the update last week, saying the patch was for “nothing in particular” and that they “continuously test vehicles systems to identify vulnerabilities and develop solutions.”

The release required owners to download the update onto a USB drive and install it themselves, or go to a dealership. FCA will now mail affected owners a USB drive with the update.

According to FCA, the company is unaware of any injuries related to the hack.

In a statement by the company, FCA says they’ve also implemented network-level security measures to prevent further hacks.

“Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.”

The affected models, according to FCA, are:

  • 2013-2015 Dodge Viper
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger

Owners can check an FCA site to see if their VIN is included in the recall.

FCA said the hack required extensive work and was not a defect:

The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.

No defect has been found. FCA US is conducting this campaign out of an abundance of caution.


23 Comments on “FCA Recalls 1.4 Million Cars After Jeep Uconnect Hack...”


  • avatar
    johnhowington

    never underestimate the determination of a 12 year old. good job FCA.

    • 0 avatar
      Signal11

      Ah, the old preteen genius hacker chestnut.

      In this case, our 12 year old is the (in)famous Charlie Miller, math PhD, former NSA employee and balding guy in his 40s. The singular exception of recent decades would be 17 year old George Hotz, who was the first to publicly unlock the iPhone.

      Also, since we’re busting myths, Charlie Miller uses Macs. =P

  • avatar
    turf3

    Why all this touchscreen, wireless remote, etc., nonsense is a BAD IDEA. For vehicle driving controls, give me copper wires, hydraulic lines, cables, steel shafts, etc.

    An 8.4″ touchscreen? Can we know which models have this distract-o-matic accessory, so we can steer far clear of them on the road? Can you imagine! Bending over, pushing “buttons” and scrolling through menus on the dashboard while traveling 70 mph on the highway!

    • 0 avatar
      bball40dtw

      I’m typically driving at 85 MPH when changing the radio station on my touchscreen equipped car.

    • 0 avatar
      ajla

      I was fairly skeptical, but I have to say I actually prefer the uConnect in my Charger to the old school setups in my ’89 Buick and ’94 Cadillac. The “buttons” are huge so it isn’t any more distracting comparatively.

      Shame about the hacking though.

      • 0 avatar
        bball40dtw

        The touchscreen systems are so much cleaner looking. Also, a good system has you touching the screen very little. Steering wheel buttons, voice commands, and physical HVAC knobs/buttons are your friend. The screen is just a better way to graphically display what is important and hide what isn’t.

        • 0 avatar
          formula m

          I would never buy a vehicle with only a touch screen for things like climate control. If the screen blacks out during the winter here in Canada you are …. The new Ford system for 2016 is much, much better than before. The plain white icons are almost too bright at night but I’m sure there is a setting. I have used it in the ’16 Edge and ’16 Escape and it’s seriously so much more straightforward.

  • avatar
    sirwired

    “The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.

    No defect has been found. FCA US is conducting this campaign out of an abundance of caution.”

    Oh, since it required “extended periods of time to write code”, then that’s just hunky-dory! Clearly this cannot be replicated! *sarcasm*

    “No defect has been found?” Seriously? It is not the least bit comforting to know that they do not consider the ability to maliciously control vital vehicle systems from miles away to be a “defect”. I’d say that this press-release is going to backfire quite badly.

    If I was FCA, I’d be all over TV telling owners how important it is they update their cars when they get the stick in the mail, and how they have their best minds working on it never happening again, how they are going to sever any links between the infotainment system and the ECU, etc.

    • 0 avatar
      jpolicke

      As written, the law empowering NHTSA to enforce safety recalls addresses defects in the design and manufacture of traditional ‘hard’ components and systems. It was written before touch screens and ‘connected’ cars were a gleam in a designer’s eye. Indeed, the law predates the internet itself. So, if the wiring controlling your Hummer’s fan overheats the law clearly covers it; a vulnerability in software that exposes you to theoretical hacking – not so much.

      It’s important to keep a little perspective here. As dramatic as the Wired video is, bear in mind that the only occurrence of such hacking was in this demonstration. Not a single vehicle has been attacked by this method that the owner didn’t know about in advance. FCA should be commended for being proactive about this issue and developing countermeasures so quickly.

      • 0 avatar
        Denx57

        It’s not theoretical hacking. It’s been demonstrated that a hacker can remotely access a connected car and hijack vital controls.
        This is now a deadly race with time.
        People will die because of this flaw.

  • avatar
    Volt 230

    Do you suppose after all these problems, we’ll ever go back to basic mechanical controls w/o the over-electrification of the automobile? I seriously doubt it. Well, there is the used car market after all.

    • 0 avatar
      ClutchCarGo

      I also doubt that a return to mechanical controls will happen. There are just too many advantages to the electronics. I would love to see a feature that allows an owner to completely disable wireless communications, but I suspect that the downstream revenue opportunities are just too great for mfrs to ever have such a feature present.

  • avatar
    APaGttH

    Well thank goodness impacted rental cars can still be on the road.

  • avatar
    modemjunki

    “The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.

    No defect has been found. FCA US is conducting this campaign out of an abundance of caution.”

    This statement makes me worry.

    The fact that this was possible at all shows that the designers did not address “security first” in their design.

    I’m sitting at my console looking at a couple of thousand lines of code (for a work project, nothing to do with cars) and wondering how I might be able to interface with my own car. A simple OBDII adapter to gain access to the CAN bus ($10) is a start, some free tools to query the bus, some free tips from web forums, and I’m off to a running start. The access that most anyone has now to a world of hacking knowledge is simply amazing.

    The knowledge that is required may not be trivial but this is no longer a world in which a select few have it. We all see on a regular basis that where there is any possibility to criminalize an exploit it will be done.

    A brave new world indeed.

    • 0 avatar
      sirwired

      Well, I wouldn’t consider doing things via the OBDII plug to be “hacking”, since it requires the installation of a device in the car. (Nor is the ability to do all sorts of things through the OBDII plug new; that capability has been in place about as long as that plug has existed… nobody is going to call a mechanic’s scan/diag tool a “hacking device”)

      This exploit, according to the WIRED article, requires nothing more than the car’s IP address, and I can think of multiple ways to get that, if not for a specific vehicle.

      EDIT: Okay, it’s worse. The vulnerability can be scanned for. Randomly. As in, the article talks about the author pulling up GPS data for random FCA cars all over the country.

      • 0 avatar

        It’s the very definition of hacking. There is technical hacking and social hacking, and they have the same end result. All it takes is someone to become an inspection mechanic and start just popping the device on a few cars and within a week how many vehicles could they cause problems with? It’s also not very hard to break into a car without leaving evidence. I personally don’t check my OBDII connection on a daily basis.

    • 0 avatar
      APaGttH

      I’d like to point out that TTACs own Jack B. predicted this would happen in a piece he wrote roughly two years ago.

  • avatar
    schmitt trigger

    I’m pretty confident that FCA autos are not the only ones at risk.

    We’ll be seeing a deluge of recalls across the board in the next few months, for a “Software Upgrade to enhance the user’s experience” as Adobe Flash security updates are euphemistically called.

    Note to Norton, McAfee, AVG and other anti-malware vendors: business opportunity alert!!

  • avatar
    DenverMike

    It’d be funny if it wasn’t so sad. As a kid I’d look up to professionals with the utmost respect. So disappointing. You can be a halfwit, and still be a successful engineer. You’ve just got to be good at memorizing a bunch of junk, then put on a decent show for other halfwits that memorized a bunch of other stuff. I’ve fired more “Pros”, everything from electricians to lawyers, from knowing more than they do about the task at hand. Ridiculous.

  • avatar
    Denx57

    From the article in Wired magazine:

    “…A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.”

    Hackers could pick a vehicle at random and kill the occupants.
    Automakers need to fix this NOW!
