Fiat Chrysler Automobiles is recalling 1.4 million cars and trucks to help mitigate the risk of a remote hack that could enable an attacker to take control of a vehicle. The recall follows days of intense scrutiny after a media video report showed a pair of security researchers taking remote control of a 2014 Jeep on the highway, exposing the driver and all those on the road around him to mortal danger.
Chris Valasek, director of vehicle security research at IOActive, and Charlie Miller, security researcher at Twitter, are the two researchers who were able to hack the Jeep remotely. They are scheduled to provide full details of their exploit at a Black Hat USA session on Aug. 5.
Valasek and Miller had provided the research to FCA in advance, which enabled the auto manufacturer to make a patch available for vehicle owners impacted by the software vulnerability. The flaw exists in Chrysler’s Uconnect infotainment system, which is found in multiple FCA cars and trucks. Prior to today, Fiat Chrysler had simply been pointing car and truck owners to its Uconnect website to manually download the fix or to voluntarily take an impacted vehicle to a Chrysler dealer to get the fix.
With the official recall notice issued today, FCA stated that it is doing the recall “out of an abundance of caution.”
Affected vehicles include:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
“Customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures,” FCA stated.
The car hacking research by Valasek and Miller demonstrates that a vehicle can be taken over remotely, which FCA is now taking steps to prevent.
“FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report,” FCA stated. “These measures—which required no customer or dealer actions—block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.”
FCA also emphasizes that it is not aware of any injuries or accidents related to the software exploitation. In addition, FCA stated that any sort of unauthorized remote manipulation of a vehicle is a criminal action.
In response to the recall, Miller tweeted, “I wonder what is cheaper, designing secure cars or doing recalls?”
Miller and Valasek have been advocating for improved vehicle security since 2013, when the two researchers first discussed potential vulnerabilities at the DEFCON security conference that year.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.