Chrysler officially recalled approximately 1.4 million vehicles Friday over a software vulnerability.
The vulnerabilities were exposed by two professional hackers, who remotely hijacked and disabled a car while someone else was driving.
Armed only with laptops and an Internet connection, they broke into the internal system of a 2014 Jeep Cherokee and took control of the vehicle’s locks, steering, and speedometer. They even disabled the brakes.
The hackers tap into the car’s entertainment system through its cellular connection. From there, they rewrite the car’s code, giving them near-complete control of the vehicle: anything from the windshield wipers and radio to the engine and brakes.
“We don’t have to be in the car. We don’t have to be connected. We don’t even have to be in the same state,” said hacker Chris Valasek.
Earlier this month, Chrysler quietly offered a software upgrade that customers should install “at their earliest convenience.”
In a news release dated July 16, Fiat Chrysler Automobiles said:
“Today’s software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers. Customers with questions may call Vehicle Care at 1-877-855-8400.”
You can also look up your own Uconnect software update by entering your VIN online here.
Then on Friday, an official recall was issued which said “exploitation of the software vulnerability may result in unauthorized remote modification and control of certain vehicle systems, increasing the risk of a crash.”
The recall affects the following vehicles (Makes/Models/Model Years):
- JEEP/GRAND CHEROKEE/2014-2015
Chrysler will notify affected owners and mail them a USB drive, free of charge, that includes a software update that eliminates the vulnerability.
Optionally, owners may download the update to their own USB drive (see the above Uconnect link) or take their vehicle to a Chrysler dealer for immediate installation.
In an effort to mitigate the effects of this security vulnerability, Chrysler has had the wireless service provider close the open cellular connection to the vehicle that provided unauthorized access to the vehicle network. This measure may not have been implemented on all vehicles, and it does not address access by other means, which will be remedied by the software update.
The manufacturer has not yet provided a notification schedule. Owners may contact Chrysler customer service at 1-800-853-1403. Chrysler’s number for this recall is R40.
It’s all the work of two researchers who wanted to alert automakers that today’s high-tech, interconnected vehicles need better protection.
Wired.com senior reporter Andy Greenberg volunteered to be behind the wheel of the commandeered Jeep.
“It’s an incredibly unnerving feeling to realize that this two-ton machine, that you are used to being an extension of your body almost, is completely out of your control,” he said.
Last year, researchers looked at 11 makes of cars. All of them had some level of vulnerability, but the 2014 Jeep Cherokee and the 2014 Infiniti Q50 were rated the most susceptible.
“We’re not the bad guys. We’re trying to point out flaws so you can get them fixed as opposed to keeping them to ourselves,” said Valasek.
An estimated 471,000 Chryslers are vulnerable to attack, but Chrysler, the maker of Jeeps, likely isn’t the only automaker with the potential problem.
Lawmakers on Capitol Hill just introduced legislation that would protect drivers of all vehicles and their personal information.
“Drivers generate data as they visit a Starbucks or visit a supermarket or go to a clothing store. People are opening up their lives just by driving their cars,” said Sen. Richard Blumenthal, D-Conn.