Jeep hacking prompts FCA software update to enhance security

By Larry P. Vellequette, Crain News Service

DETROIT (July 22, 2015) — With little fanfare last week, Fiat Chrysler Automobiles (FCA) released a software update that the auto maker says “offers customers improved vehicle electronic security and communications system enhancements.”

On its face, the announcement seemed innocuous.

It wasn't.

Two professional hackers — one of whom had worked for the National Security Agency — had shown they could wirelessly hack into hundreds of thousands of FCA vehicles and remotely take control of them.

As reported in Wired magazine on July 20, and complete with video evidence, hackers Charlie Miller and Chris Valasek were able to take command of an unmodified 2014 Jeep Cherokee while it was being driven on a St. Louis highway by Wired journalist Andy Greenberg.

The hackers did so by exploiting a vulnerability they had discovered in some versions of FCA's Uconnect infotainment system, which connects to the Internet via a cellular data connection through Sprint. The Uconnect system is installed in 2013-14 Chrysler, Dodge, Jeep and Ram vehicles, and the 2015 Chrysler 200, with an 8.4-inch touch screen and Wi-Fi hot spot.

Working via laptop computers from home, the hackers blasted the Cherokee's radio, turned on the wipers and a torrent of washer fluid and eventually shut off the Cherokee's engine while it was traveling on the highway.

Later, in a parking lot, the hackers demonstrated how they could take control of the Cherokee's steering wheel (but only while the transmission was in reverse) and even disable the brakes, sending a helpless Mr. Greenberg — keeping in contact with the hackers via cellphone — into a ditch.

The hackers told Wired that they plan to release a portion of their code at a Black Hat security conference next month in Las Vegas. The code being released will not allow other hackers to immediately exploit the Uconnect vulnerability, Messrs. Miller and Valasek claim, but is being done to convince auto makers that their products are vulnerable.

The hackers notified FCA of the vulnerability and worked with the auto maker on a solution, which was released five days before news of the hacking attack.

FCA argues that Messrs. Miller and Valasek's release of the partial code is dangerous. Right now, the company is sending consumers to a website where they can download a necessary security patch themselves, or take their vehicle to a dealer for the software to be upgraded for free.

Unlike other auto makers, FCA does not have the ability at this time to “push” important software upgrades over the Internet to its vehicles.

“Under no circumstances does FCA condone or believe it's appropriate to disclose ‘how-to information' that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the company said in a statement.

“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. The software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle.”

This report appeared on the website of Automotive News, a Detroit-based sister publication of Tire Business.