The hacking and remote takeover of a 2014 Jeep Cherokee by a pair of security researchers working with Wired Magazine has resulted in a recall of the affected vehicles.
As my colleague Sean Michael Kerner points out, this vulnerability has been known to Fiat Chrysler, the company that makes Jeep automobiles, for some time, and a security update has been available at dealers and online.
The difference is that now, with the demonstration being shown on national television and appearing all over the Internet, it’s been turned into a recall. Even so, owners of the affected Chrysler, Jeep, Dodge and RAM vehicles can still get an immediate update by downloading the new software onto a USB memory stick and using that to update the vehicle’s Uconnect infotainment system.
According to a statement on the company’s Website, updates can take as long as 45 minutes, during which time the vehicle must remain parked.
“This update is providing customers with an additional level of security by protecting their FCA vehicle from potential unauthorized and unlawful access,” a Fiat Chrysler spokesperson explained to eWEEK in an email.
However, the spokesperson declined to provide any specifics regarding the updates to the Uconnect system, saying in a subsequent phone call that the company couldn’t discuss exactly what steps were being taken to improve its software security.
What makes Chrysler’s Uconnect infotainment system different from what’s installed on most vehicles is the unit’s level of integration. In addition to providing Bluetooth connections for phone calls and links to your phone or tablet for music, the Uconnect system is connected to the car’s internal computers and can exercise control over the vehicle’s internal data network.
Hacking into the Uconnect system is possible because that network has a link to the outside world through a data connection, which the Fiat Chrysler spokesperson said uses the Sprint cellular network.
For hackers to get access, they needed to reach the vehicle across the Sprint network, then move from the Uconnect unit onto the onboard network inside the car, which in turn let them take control of the vehicle’s computers and command various functions. The security-relevant point is that a unit reachable from a public network sits on the same internal network as the computers that control the car, so compromising the infotainment system becomes a path to those computers.
As you might expect, the vulnerability that allows hacking into the Uconnect infotainment system isn’t easy to exploit and it requires a very high level of skill and expert knowledge. As Fiat Chrysler Senior Vice President Gualberto Ranieri pointed out in a blog entry on Chrysler’s Website, there hasn’t been a real-world attack on the company’s vehicles so far.
Still, the vulnerability does exist, and Fiat Chrysler has known about it long enough to have already come up with a fix and to post it on the company’s Website as an update owners can install themselves.
Fiat Chrysler Auto Recall Highlights Rising Fears About IoT Hacking
It’s fair to ask Fiat Chrysler why the company waited as long as it did to decide to make the software update the subject of a recall, especially since the flaw was apparently known to the company’s engineers as early as January 2014.
The National Highway Traffic Safety Administration has announced that the agency has launched what’s called a “recall inquiry” to determine if Fiat Chrysler is performing an adequate fix. In addition, it appears that the recall only happened at the NHTSA’s urging. 2015 model year vehicles already have the new software and don’t need to be updated, according to information provided by Fiat Chrysler.
It’s worth noting that Chrysler isn’t alone in its exposure to potential risk. The NHTSA has already launched a study into exactly this problem. In fact, the agency is well along into developing requirements for vehicle cyber-security, including specifications for how future vehicle-to-vehicle communications would be secured and for the level of encryption and authentication that should be required.
Fiat Chrysler also isn’t the only automaker whose vehicle data systems have been found vulnerable. Earlier this year, General Motors’ OnStar system was hacked by researchers at the Defense Advanced Research Projects Agency. And earlier, a German auto club discovered a vulnerability in BMW’s ConnectedDrive system that allowed remote operators to open and close windows and lock and unlock doors.
The reason that you’re hearing about vulnerabilities in cars suddenly is mainly because they’re the most visible implementation of the Internet of things (IoT), but they’re by no means the only IoT devices that are vulnerable. In fact, cars have an advantage in terms of solving security problems because they have capable onboard computers and robust networks.
The same can’t be said for the vast majority of IoT devices that exist on the periphery of networking. These ubiquitous devices, which may be in anything from building HVAC systems to climate monitoring, vehicle toll systems and traffic lights, exist in an area where security is rarely designed in. While you may hope that the seemingly facile control over traffic lights that you see on television is only fiction, the reality is that it may not be.
So far, much of the security in the IoT has been due to obscurity. But obscurity is not really a long-term security solution. At some point real security is necessary, or our “things” will become unmanageable. And then we really will be in trouble.