Chrysler announced July 24 that it would be recalling 1.4 million vehicles that might be affected by a security exploit discovered by two researchers.
Charlie Miller and Chris Valasek demonstrated the exploit to WIRED earlier this month by taking over a Jeep’s steering, brakes, transmission, and dashboard functions through the vehicle’s Chrysler Uconnect computers.
Fiat Chrysler Automobiles has now issued the world’s first car cybersecurity recall, covering its Chrysler, Jeep and Dodge makes. Fortunately, this recall doesn’t require owners to bring their cars to a shop; instead, they’ll receive a USB stick in the mail with a software update they can install themselves.
Andy Greenberg, a writer for WIRED, drove at over 100 kilometres an hour down a St. Louis freeway while the two hackers sat at home and connected to his Jeep remotely. They then proceeded to turn on his fan at full blast, blare his radio at full volume, change the picture on the navigation screen, soak his windshield with wiper fluid, and then slow his car down to a crawl.
Chrysler has also introduced “network-level security measures” that stop the attack by detecting it on the Sprint network (which Uconnect utilizes).
Miller told WIRED that he was surprised Chrysler hadn’t responded earlier but he’s now glad that they did.
“Blocking the Sprint network is a huge thing,” Miller said. “The biggest problem before was that cars would never get fixed or fixed way down the road. Assuming that they did [the Sprint network fix] correctly…you don’t have to worry about that tail-end of cars that won’t get fixed.”
However, “due to market access to cellular connectivity in the Canadian marketplace, FCA Canada vehicles are not affected by this condition and therefore do not require a system upgrade,” reads a press release on the FCA website.
Chrysler said, however, that the hacking technique used by the two researchers was extremely complicated and had never been used by anyone besides Miller and Valasek.
“The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended period of time to write code,” reads a Chrysler release.
However, Chrysler also states that no defect was found and that they’re doing the recall out of an abundance of caution, to which Valasek responded sarcastically on Twitter: “No defect was found (other than the remote vulnerability that can result in full physical control).”