Three days after white-hat hackers revealed that they had performed a remote hijack of a 2014 Jeep Cherokee as it was driven on an elevated freeway in St. Louis, Fiat Chrysler Automobiles (FCA), apparently at the behest of federal regulators, issued a recall of approximately 1.4 million vehicles that could be similarly commandeered.
The recall is voluntary and would have owners bring their vehicles to dealerships to receive a software update that patches the vulnerability. FCA quietly made the update available to owners and dealers even before the hack was publicly revealed, but the company had not publicized the vulnerability or its patch.
In an FCA statement today (July 24) announcing the recall, the company stated that "remote manipulation, ... if unauthorized, constitutes criminal action," implying that Chris Miller and Charlie Valasek, the security researchers who made the dangerous vulnerability public, had broken the law in their test.
The company also stated that it had taken "network-level security measures" -- possibly involving the Sprint cellular-data connection that made Miller and Valasek's hack possible -- to prevent further hacks.
Miller and Valasek conducted their road test with the cooperation of a Wired reporter who was driving the Jeep Cherokee, as well as his camera operator. The pair also informed FCA of the vulnerability in fall 2014, which is why the company had a security patch ready before the Wired story went live this past Tuesday (July 21).
Once they had control over the vehicle the reporter was driving, Miller and Valasek were able to turn its radio's volume up to full blast, trigger the windshield wipers and cut off the transmission as a truck approached. Later in the demonstration, they cut the brakes at low speed, sending the car into a ditch.
Federal regulators, who may have forced FCA into issuing the recall, were closely watching the company's actions. The U.S. National Highway Traffic Safety Administration (NHTSA) today announced a "recall query" to investigate the recall efforts.
NHTSA chief Mark Rosekind said the agency had encouraged FCA to make the recall, as it was needed to meet "the critical responsibility of manufacturers to assure the American public that vehicles are secure from such threats, and that when vulnerabilities are discovered, there will be a swift and strong response."
According to FCA, the vulnerable vehicles are those equipped with 8.4-inch touchscreens among the following models:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
If you think your vehicle might be among those affected, you can check its vehicle identification number (VIN) here. If so, the site will give instructions on how to download the software update onto a USB stick, which then can be plugged into the car -- but we've heard that it isn't easy and that it might be worth it to just go to a dealership.