There's a new way to patch your car, and it doesn't involve sanding or painting. Owners — and automakers — are waking up to the new reality that they have to protect themselves from harm by updating the software in their sedans, trucks and SUVs.
The issue was highlighted July 21, when security researchers Charlie Miller and Chris Valasek revealed that, after months of work, they had found a way to remotely hijack a 2014 Jeep Cherokee using the built-in cellular connection of Fiat Chrysler Automobiles' Uconnect connected-car system.
The pair demonstrated to a reporter how they could remotely disable the Jeep's brakes, steering and transmission. Using a cellular Internet connection, they were also able to locate other vehicles with similar systems around the country. Miller and Valasek plan to supply further details of their research at a hacker conference in Las Vegas Aug. 5.
I contacted Fiat Chrysler Automobiles (FCA) about this issue, and a spokesperson referred me to a company blog post identifying vehicles from the 2013 and 2014 model years with 8.4-inch touch screens as potentially vulnerable. The affected models include the Dodge Durango, Ram and Viper, the Jeep Cherokee, the Jeep Grand Cherokee and some 2015 Chrysler 200s.
On July 24, apparently under pressure from federal regulators, FCA issued a voluntary recall and revised its list of affected vehicles to add 2015 editions of all the above models, plus 2015 Chrysler 300s, Dodge Chargers and Dodge Challengers. In all, 1.4 million vehicles in the United States are affected by the recall — far more than the rough estimate of 470,000 vehicles that Miller and Valasek had come up with.
Before the recall, FCA had not informed owners of affected vehicles about the vulnerability and the patch. Rather, the company quietly posted a software patch online; an Associated Press report indicated the company would eventually have notified owners by mail.
Finding the Patch
I tested the process for securing a vehicle against the new hacking threat, and found that the FCA issue may be a bellwether for just how unprepared automakers are for this brave new world of continual updates and patches.
To begin with, owners have to act as their own safety officers. Until FCA issued the recall, you had to find out about the new updates and patches by checking the company website. You can still do so by visiting the Uconnect software update site and typing in your car's VIN (vehicle identification number) to see if it's affected.
If so, you can then call your local dealer to make an appointment to have the software fixed for free. Or, you can choose to do it immediately, on your own. The site will direct those with affected vehicles to a download page that includes installation instructions, but you won't find it to be as easy as patching Adobe Acrobat or updating Windows.
I ran into trouble with the self-update process from the start. The site would not work with some Web browsers, and after fruitless efforts that involved changing different security and privacy settings, I gave up and used a new laptop with a clean installation of Windows 8.1 to initiate the download.
Then, I discovered that the FCA site was overwhelmed. The 374MB file download — about half the amount of data found on a music CD — took more than an hour to complete on a high-speed broadband connection. Once the file was downloaded, it then had to be extracted to an empty 8GB USB drive, even though the decompressed files actually take up only about 600MB of storage space.
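The download-and-extract stage described above is the one part of the process that can be checked before anything touches the car. The script below is an added example, not FCA's tool or anything from the Uconnect site: it streams the downloaded package through SHA-256 and compares it with a vendor-published digest (the page gives none, so the constant is a labelled placeholder), confirms the USB root is empty and has enough free space, and rejects archive entries that would write outside the drive before extracting. The package it runs on is constructed in a temporary directory so the example works offline.

```python
"""Added example: pre-flight checks before staging a downloaded update package on a USB drive."""
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

# Placeholder: a real value would be the digest the vendor publishes alongside
# the download. The article does not give one, so this is only a label.
VENDOR_PUBLISHED_SHA256 = "<vendor-published-sha256-goes-here>"


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so a multi-hundred-megabyte package never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_package(package: Path, usb_root: Path, expected_sha256: str,
                  required_free_bytes: int) -> list:
    """Verify the package, then extract it onto an empty USB root.

    Raises ValueError on any failed check; returns the relative paths of the
    files that were written.
    """
    actual = sha256_of_file(package)
    if actual.lower() != expected_sha256.lower():
        raise ValueError(f"checksum mismatch: expected {expected_sha256}, got {actual}")

    usb_root = usb_root.resolve()
    if not usb_root.is_dir():
        raise ValueError(f"{usb_root} is not a directory")
    if any(usb_root.iterdir()):
        raise ValueError(f"{usb_root} is not empty; the updater expects a clean drive")
    if shutil.disk_usage(usb_root).free < required_free_bytes:
        raise ValueError("not enough free space on the USB drive")

    with zipfile.ZipFile(package) as zf:
        for member in zf.infolist():
            # Reject entries such as "../x" that would land outside the USB root.
            target = (usb_root / member.filename).resolve()
            if target != usb_root and usb_root not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.filename}")
        zf.extractall(usb_root)
        extracted = [m.filename for m in zf.infolist() if not m.is_dir()]
    return sorted(extracted)


def build_sample_package(workdir: Path) -> Path:
    """Constructed stand-in for the downloaded update: a small zip with two dummy files."""
    package = workdir / "update-sample.zip"
    with zipfile.ZipFile(package, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("firmware.bin", b"constructed firmware image bytes")
        zf.writestr("release-notes.txt", b"constructed release notes")
    return package


def demo() -> list:
    """Run the checks end to end on constructed data; returns the staged file list."""
    workdir = Path(tempfile.mkdtemp())
    package = build_sample_package(workdir)
    usb = workdir / "usb"
    usb.mkdir()
    # The "published" digest is the one we just computed, since the data is constructed.
    return stage_package(package, usb, sha256_of_file(package), required_free_bytes=1)


def demo_tampered() -> bool:
    """Append a byte to the package after the digest was taken; True if the check rejects it."""
    workdir = Path(tempfile.mkdtemp())
    package = build_sample_package(workdir)
    published = sha256_of_file(package)
    with package.open("ab") as fh:
        fh.write(b"\x00")
    usb = workdir / "usb"
    usb.mkdir()
    try:
        stage_package(package, usb, published, required_free_bytes=1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The checks mirror what the update page asks for (an empty drive, enough capacity) and add the one step it does not mention: confirming the file you are about to feed to the car is the file the vendor published. Point `required_free_bytes` at the real decompressed size and `expected_sha256` at the vendor's digest when using it on an actual download.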
Installing the Patch
To update your Dodge, Jeep or Chrysler vehicle, the car has to be put into "Run" mode. Two presses of the Start button — without your foot on the brake — put it into this setting. Unplug anything connected to the car's USB jacks, and then plug in the USB drive containing the software fix.
The Uconnect system may take a minute or two to fully load on the entertainment system's touchscreen. It should then recognize the software on the USB stick and confirm that the software is indeed a valid new version of its own firmware.
The Uconnect system will then ask you whether you want to install the update. Press "Yes" or "Accept" on the touch screen, and the system will upload the software from the USB stick and proceed with the update.
The in-car portion of the update process took me about 30 minutes, during which time I noticed patches for control modules (including the likely culprit behind the security patch), Sirius XM, the HD radio and other cosmetics being installed.
Most of the progress reports will be inscrutable to owners as they fly by, and people should be careful not to touch any controls in the vehicle or interrupt the process, lest they disable the Uconnect system entirely.
Once the software has loaded, additional hocus-pocus is required. The Uconnect system doesn't simply reboot. You have to turn off the "Run" mode, open and close the driver's door, and then wait 60 seconds. Then, you have to turn the car on again, turn it off again, open and close the driver's door again, and wait another 60 seconds.
After you've completed these tasks, the vehicle should start up normally and return the Uconnect system to its original settings. I found it took a couple of tries before the clock registered the correct time, and the FM radio station I had tuned in previously was gone, but otherwise, the update worked, even if the Uconnect system asked me if I wanted to install the same patch again.
However, the whole process, including the accompanying instructions, is something only an engineer could love. Considerably more work needs to be done by FCA to make such software updates seamless. Most consumers will be dissuaded from correcting the problem on their own, and will have to go to the dealership instead.
Patch Tuesday for Cars?
Is this the thin end of the wedge that leads to a future full of car hacks and auto security patches? Security and privacy are definitely serious issues facing every automaker going forward, but it's not entirely clear that the car companies realize what they're in for.
Even though Miller and Valasek's hack requires specific knowledge of a vehicle's control codes, the pair showed that it is possible to access a car's CAN (controller area network) bus over the Internet, something that automakers for years denied could ever be possible.
FCA is certainly not alone in struggling with the new era of automotive-software security. Range Rover, Ford and BMW all recently had to issue patches relating to doors unlocking at speed, doors unlocking while parked and engines running after being switched off.
In response to these new problems, several automakers plan to do automatic, over-the-air software updates in the near future. That day may not come soon enough as owners struggle with software patches or book more appointments with mechanics to get critical flaws patched on their vehicles.