We were waiting for the other shoe to drop, and here it is: Fiat Chrysler Automobiles (FCA) has announced it is voluntarily recalling 1.4 million vehicles across its various brands and model lines, in the wake of the discovery of a zero-day exploit that lets hackers remotely force late-model Jeep Cherokees off the road. All someone needs is the IP address of a car armed with Chrysler’s UConnect infotainment system, and they can infiltrate the car’s network via its Wi-Fi hotspot feature, rewrite the OS firmware, and then control all of the major systems of the car: accelerator, brakes, steering, air conditioning, and more.
Here’s the main text of the FCA recall press release:
“The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action… Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.”
The hack also lets someone remotely monitor the car’s location via GPS tracking, and could very well extend to the in-car microphones that capture voice commands. In the publicized hack, the researchers even managed to “taunt” the victim by displaying a picture of themselves on the display, as well as controlling secondary systems like the turn signals and windshield wipers — all that before disconnecting the engine from the drivetrain and taking control of the steering.
Fiat-Chrysler says it’s unaware of any actual customer injuries or even complaints related to the vulnerabilities aside from what’s been demonstrated in media outlets — an assumed direct reference to Wired’s original story. The number of cars on the list is roughly three times the initial estimate of 471,000 vehicles, and extends to the Dodge Ram pickup, the Grand Cherokee, the Dodge Durango, three of Chrysler’s most popular sedans, and the Dodge Challenger two-door coupe.
The following vehicles with 8.4-inch UConnect system touchscreens are affected by the recall:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
If you’ve got one of these vehicles, visit http://www.driveuconnect.com/software-update/ and enter your VIN to see if it’s on the recall list. If so, Chrysler will mail you a USB drive that lets you update your car’s software and that provides “additional security features,” although the company hasn’t elaborated on what those are exactly. We’d like to think those features had something to do with preventing people from hacking into the car remotely and doing all of the above things without the driver being able to stop them.
Source: Extreme Tech