NEWS ANALYSIS: The recall of 1.4 million Fiat Chrysler vehicles to update software to prevent a difficult-to-execute hack of onboard control systems highlights the rising fears about Internet of things security.
The hacking and remote takeover of a 2014 Jeep Cherokee by a pair of security researchers working with Wired Magazine has resulted in a recall of the affected vehicles.
As my colleague Sean Michael Kerner points out, this vulnerability has been known by Fiat Chrysler, the company that makes Jeep automobiles, for a while, and a security update has been available at dealers and online.
The difference is that now, with the demonstration being shown on national television and appearing all over the Internet, it's been turned into a recall. Even so, owners of the affected Chrysler, Jeep, Dodge and RAM vehicles can still get an immediate update by downloading the new software onto a USB memory stick and using that to update the vehicle's Uconnect infotainment system.
According to a statement on the company's Website, updates can take as long as 45 minutes, during which time the vehicle must remain parked.
"This update is providing customers with an additional level of security by protecting their FCA vehicle from potential unauthorized and unlawful access," a Fiat Chrysler spokesperson explained to eWEEK in an email.
However, the spokesperson declined to provide any specifics regarding the updates to the Uconnect system, saying in a subsequent phone call that the company couldn't discuss exactly what steps were being taken with respect to its software security.
What makes Chrysler's Uconnect infotainment system different from what's installed on most vehicles is the unit's level of integration. In addition to providing connections to features such as Bluetooth for phone calls and to your phone or tablet for music, the Uconnect system can link to the car's internal computers and it can gain control of the internal data network.
Hacking into the Uconnect system is possible because the network has a link to the outside world using a data connection, which the Fiat Chrysler spokesperson said uses the Sprint cellular network.
For hackers to get access, they needed to navigate the Sprint network and then gain access to the onboard network inside the car, which would then let them take control of the computers so they could command various functions.
As you might expect, the vulnerability that allows hacking into the Uconnect infotainment system isn't easy to exploit and it requires a very high level of skill and expert knowledge. As Fiat Chrysler Senior Vice President Gualberto Ranieri pointed out in a blog entry on Chrysler's Website, there hasn't been a real-world attack on the company's vehicles so far.
Still, the vulnerability does exist, and Fiat Chrysler has known about it long enough to have already come up with a fix and to post it on the company's Website as an update owners can install themselves.