Jeep hacking triggers recall of 1.4m vehicles

The console of a Jeep Cherokee, through which a pair of hackers were able to remotely control the engine, brakes and steering. PHOTO: NEW YORK TIMES

Calls for more safeguards after researchers show they can control and crash the Jeep

WASHINGTON • When the call came to officials at the United States National Highway Traffic Safety Administration (NHTSA), they knew they had a problem they had never faced but had long feared.

On the line was Fiat Chrysler Automobiles, with news that two technology researchers had hacked wirelessly into a Jeep Cherokee through its dashboard connectivity system. They had managed to gain control of not just features like the radio and air-conditioning, but the actual functions of the vehicle: the engine, the brakes and the steering.

That revelation set in motion a nine-day flurry of activity by the automaker and the safety agency that culminated on Friday in a recall of 1.4 million vehicles equipped with 8.4-inch touchscreens from the 2013 model year onward.

"Launching a recall is the right step to protect Fiat Chrysler's customers, and it sets an important precedent for how NHTSA and the industry will respond to cyber-security vulnerabilities," said Mr Mark Rosekind, the agency's administrator.

In an age when the cars on the nation's highways are increasingly Web-connected, it was the first safety recall issued for a hacking threat. And it brought immediate demands in Congress for action to root out and guard against flaws in other cars that could pose a similar danger.

The initial call from Fiat Chrysler to Washington on July 15 led to a long set of discussions between the automaker and regulators, according to a person briefed on the activities. Staff specialists at the safety agency aimed to grasp the full scope of the breach, and were particularly alarmed that the hacking allowed someone to essentially crash a vehicle.

Researchers Charlie Miller and Chris Valasek had given the automaker a heads-up: They planned to make their findings public.

The vulnerability existed far beyond just the Jeep, they said. Other vehicles across Chrysler's line-up of cars and trucks used the same system, called Uconnect, that had let them in. Hundreds of thousands of vehicles could be affected.

Fiat Chrysler software specialists scrambled to make a patch available to plug the hole, and released one on the automaker's website on July 16.

The company also planned to issue a technical service bulletin - a notice mainly used by dealers, but not considered a recall.

Officials at the safety agency, however, wanted to know more about the exact functions that could be taken over by hackers.

In NHTSA parlance, if the result presented an "unreasonable risk to safety", a recall would be required. And if drivers were vulnerable to an attack where they could lose control of their cars, that would certainly seem to qualify, even though a recall for a Web security threat had never before taken place.

In the meantime, the researchers made their findings known last Tuesday in an article published by the technology news site Wired, telling how they had taken control of a cooperating driver's car from 16km away as it sped down a St Louis highway.

Fiat Chrysler subsequently issued a statement saying it would send affected owners a USB drive that they could plug into their vehicles to install an update to block the hacking vulnerability. Owners could also download the update directly onto their own portable drive.

It also said it had "applied network-level security measures" on the Sprint cellular network that communicates with its vehicles as another step to block the vulnerability.

Last Friday, Mr Valasek posted on social media that when he tried connecting again to his test Jeep, the pathway through Sprint's network had been blocked.

NEW YORK TIMES

A version of this article appeared in the print edition of The Sunday Times on July 26, 2015, with the headline 'Jeep hacking triggers recall of 1.4m vehicles'.