Automaker Fiat Chrysler has issued a formal recall of 1.4 million cars and trucks that are open to a vulnerability in Chrysler’s proprietary Uconnect system, according to a report in the New York Times.
The Uconnect software comes preinstalled in the dashboards of Chrysler vehicles and is vulnerable to a remote hack over the internet, as revealed by two security researchers who were able to target a Chrysler vehicle and gain control of onboard features such as the air-conditioning and the radio. Crucially, they were also able to gain access to and control critical functions of the car such as the steering, the brakes and the engine itself.
Total Recall? Not exactly
The recall doesn’t require Chrysler vehicle owners to bring their trucks, cars and SUVs to a dealer; instead, they will be sent a USB drive with the patch. The software update and patch can then be installed through a USB port on the vehicle’s dashboard.
The decision to issue a recall was made after frantic talks with officials at the National Highway Traffic Safety Administration (NHTSA).
“Launching a recall is the right step to protect Fiat Chrysler’s customers, and it sets an important precedent for how N.H.T.S.A. and the industry will respond to cybersecurity vulnerabilities,” said Mark R. Rosekind, the administrator at the agency.
The advent of the hack
Chrysler had originally been notified by security researchers Charlie Miller and Chris Valasek of their hack of a Chrysler Jeep before they made their findings public. It was clear then that the vulnerability existed beyond just the Jeep line of vehicles and included trucks, cars and SUVs that used the Uconnect system.
Initially, officials at the safety agency had been approached by Chrysler and wanted to learn about the extent of the hack and all the features and functions that could be taken over by the security researchers (hackers). By the usual guidelines at NHTSA, only an “unreasonable risk to safety” requires a recall.
The two researchers had made their findings public by this time, and it was after the widely reported stunt that the NHTSA decided that a recall was necessary, determining that the vulnerability was far too dangerous not to require a recall. Chrysler has also taken measures to block digital attacks through Sprint’s network, the network used by the automaker’s vehicles to connect to the internet. Incidentally, it is the same network the hackers used to gain access to the vehicle.
Miller, one of the two researchers who devised the hack, said he was happy to see Chrysler’s response.
“I was surprised they hadn’t before and I’m glad they did,” he told Wired.
“Blocking the Sprint network is a huge thing,” Miller added. “The biggest problem before was that cars would never get fixed or fixed way down the road. Assuming that they did [the Sprint network fix] correctly…you don’t have to worry about that tail-end of cars that won’t get fixed.”
If you own a Chrysler vehicle that contains the Uconnect system, start here for the software update and fix.