The UConnect radio head unit of a 2015 Jeep Cherokee, the same type that was hacked by two security experts. Credit: Chrysler
Fiat Chrysler Automobiles (FCA), the world's seventh largest automaker, today issued a recall notice for 1.4 million vehicles in order to fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions.
Security experts Charlie Miller and Chris Valasek collaborated with Wired magazine to demonstrate how they could remotely hack into -- and control -- the entertainment system and more vital functions of a 2015 Jeep Cherokee.
"We could have easily done the same thing on one of the hundreds of thousands of vulnerable vehicles on the road," Miller told Computerworld.
The hackers were able to use the cellular connection to the Jeep's entertainment system, or head unit, to gain access to other systems; the head unit is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.
Miller and Valasek shared their cyber security work with Chrysler, which this week issued a software patch to fix the hole. But drivers were left to their own devices to install the patch, which would typically be done by downloading it to a USB drive; the USB drive is then plugged into a vehicle port and the patch is uploaded.
In explaining the voluntary recall, FCA said it plans to update U.S. vehicles equipped with 2013-2015 UConnect head unit systems.
"Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report," the company said in a statement. "These measures - which required no customer or dealer actions - block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015."
Chrysler customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures. Vehicle owners can also visit the FCA's software update website to determine if their vehicle is included in the recall.
Owners will need to input their Vehicle Identification Numbers (VINs).
Affected are certain vehicles equipped with 8.4-in UConnect touchscreens:
- 2013-2015 Dodge Viper specialty vehicles;
- 2013-2015 Ram 1500, 2500 and 3500 pickups;
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs;
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs;
- 2014-2015 Dodge Durango SUVs;
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans;
- And 2015 Dodge Challenger sports coupes.
While Chrysler may fix this particular security flaw, others in its software could likely be exploited, Miller said.