FIAT CHRYSLER

Jeep hack a red flag for industry

Michael Wayland
The Detroit News

Fiat Chrysler Automobiles NV is vehemently opposed to hackers’ plans to reveal how they were able to wirelessly hijack a Jeep Cherokee — and potentially hundreds of thousands of other Fiat Chrysler vehicles.

The apparent breakthrough is a major security issue not only for Fiat Chrysler, but all automakers.

Car hacking has been demonstrated in controlled simulations in recent years — mostly when hackers are physically plugged into the vehicle’s hardware. But security researchers Chris Valasek and Charlie Miller recently remotely hacked into a 2014 Jeep Cherokee in a real-world test that included disabling the SUV’s engine functions and controlling interior features such as air conditioning, locks and the radio.

The hack was detailed in an article published Tuesday by Wired magazine. It was written by Andy Greenberg, who volunteered as a “digital crash-test dummy” to drive the hacked Cherokee on a Missouri highway.

“Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes and transmission, all from a laptop that may be across the country,” Greenberg wrote.

He reported that Miller, a former National Security Agency hacker, and Valasek, director of vehicle security research at the IOActive consultancy, have been sharing their research with Fiat Chrysler for nearly nine months, enabling the company to quietly release a fix ahead of the Black Hat security conference next month in Las Vegas. They plan to release redacted, yet detailed, information at that event.

Neither Miller nor Valasek could be reached by The Detroit News for comment.

Fiat Chrysler confirmed it “has been in communications” with the hackers for several months, but declined to go into detail about the conversations. The company, which said it has fixed the security flaw, is adamantly against the hackers sharing their information with others.

“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” Fiat Chrysler said in a statement to The News on Tuesday.

Valasek, in an online video, said they want to release the information “because more people like us need to be focused on this problem.”

Fiat Chrysler said it is unaware of “a single real world incident of an unlawful or unauthorized remote hack into any of its vehicles.”

The men reportedly manipulated the vehicle through a vulnerability in a chip that provides a wireless and a cellular network connection. That opened the door to another component for the vehicle’s Uconnect 8.4-inch infotainment system that allowed them to rewrite the car’s firmware and send commands through the car’s internal computer network.

They only tested their full set of physical hacks on a Jeep Cherokee, but “they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit,” according to the article.

“Of course we didn’t actually attack any vehicles except our own, cause we’re good guys,” Miller tweeted Tuesday.

Miller estimated as many as 471,000 vehicles with vulnerable Uconnect systems are on the road, according to Wired. Fiat Chrysler would not confirm this number.

Lawmakers poised to act

Concerns about vehicle cybersecurity and use of data collected by cars have caught the attention of lawmakers. Democratic Sens. Richard Blumenthal, D-Connecticut, and Ed Markey, D-Massachusetts, on Tuesday unveiled legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure cars and protect drivers’ privacy.

The legislation was first sparked when Markey took note of Miller and Valasek’s work in 2013, according to Wired.

Last week, many major automakers announced an Auto Information Sharing and Analysis Center that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threats and potential vulnerabilities in motor vehicle electronics or in-vehicle networks.

NHTSA Administrator Mark Rosekind said Tuesday in Ypsilanti that the agency doesn’t want to hinder new technologies, but emphasized the importance of security and privacy.

“We must reassure vehicle owners that their data is secure, that their vehicle is secure and that we are looking out for threats from hackers, thieves and anyone else that might seek to tamper with safety critical technology,” he said in a speech at Automated Vehicles Symposium 2015. “Cybersecurity and privacy must be high-priority items for the industry and for NHTSA.”

NHTSA on Tuesday also released a document outlining the agency’s privacy and cybersecurity efforts. “We’re not just aware of these threats, we’re working to defeat them,” Rosekind said. “We want Americans to know that we’re on it.”

Security breach fix

Fiat Chrysler earlier this month released a software update that it says fixes the security breach.

“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” the company said.

Customers can either download and install this particular update themselves, or their dealer can complete the one-time update at no cost to customers. They can check if their vehicle needs an update and download the patch at http://www.driveuconnect.com/software-update/. Those with questions may call (877) 855-8400.

The update, if installed by an owner, will take 30-45 minutes. The vehicle needs to be parked throughout the software update/installation process.

While Uconnect was singled out in the article, experts argue practically any modern vehicle could be vulnerable — a major concern, as automakers produce millions of connected cars with Internet capabilities.

“It is something that automakers have to worry about as they open up their vehicle to being connected to the Internet and cellular networks,” said Ron Montoya, Edmunds.com senior consumer advice editor and tech expert. “It does introduce a vulnerability to the vehicle. It’s something consumers should be aware of, but I don’t think it’s something most people should worry about.”

Montoya said Miller and Valasek, who aren’t the first to crack into a car’s systems over the Internet, are two experienced, renowned hackers and the “chances are very thin” that a mass takeover by hackers could occur.

CBS News’ “60 Minutes” earlier this year aired a segment showing how vehicles can be subjects of remote hacking. In January, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have their doors remotely opened by hackers.

List of vehicles equipped with an 8.4-inch touchscreen infotainment system that need the software update:

- 2013-2014 Ram 1500 Pickup

- 2013-2014 Ram 3500 Cab Chassis

- 2013-2014 Ram 2500 Pickup

- 2013-2014 Ram 4500/5500 Cab Chassis

- 2013-2014 Ram 3500 Pickup

- 2014 Grand Cherokee

- 2014 Durango

- 2013-2014 Viper

- 2014 Cherokee

- Some 2015 Chrysler 200s

Consumers can check if their vehicle needs an update and download the patch at http://www.driveuconnect.com/software-update/.
