The first remote hacking of a new vehicle has lead to the first recall over hacking fears.
Fiat-Chrysler said today it was launching a voluntary recall of 1.4 million cars, trucks and SUVs out of “an abundance of caution,” following a demonstration earlier this week by Wired magazine from two hackers who took remote control of a Jeep Cherokee’s brakes and other systems. The hackers gained access through the Uconnect touchscreen entertainment system — a route they said could be available to any Fiat-Chrysler vehicle with the system installed.
The recall covers vehicles equipped with 8.4-inch touchscreens, including:
2013-2015 Dodge Vipers
2013-2015 Ram 1500, 2500 and 3500 pickups
2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
2014-2015 Jeep Grand Cherokees and Cherokees
2014-2015 Dodge Durangos
2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
2015 Dodge Challengers
When the Wired story first broke this week, Fiat Chrysler has said a lower number of vehicles were affected, and that it would offer a free software update that owners could download and install themselves via USB drive. Today’s move not only raised the number of vehicles affected; owners will get the USB directly from Chrysler, instead of going to a dealer as with a traditional recall.
Fiat Chrysler also said it had changed its controls over the network-level access to block the technique used by the hackers; they had found that every affected car was transmitting its IP address over the Sprint cellular network.
“The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,” Fiat Chrysler said in a statement.
While this isn’t a traditional safety recall, the National Highway Traffic Safety Administration said it would open a separate probe to investigate Fiat Chrysler’s handling of the problem. The agency has been at loggerheads with the automaker for months, accusing it of foot-dragging safety recalls affecting more than 11 million vehicles, and threatening fines or other punishments for the delays. And Fiat Chrysler revealed in documents given to the agency that it first became aware of the software flaw in January 2014 — 18 months before the Wired article. (It also said no one had been able to gain remote access before the hackers.)
The researchers who found the flaw, Chris Valasek and Charlie Miller, say they did so to raise awareness about security questions surrounding connected cars. Most major automakers have moved to providing some kind of data link in their vehicles; a few, including Tesla and BMW, have even done over-the-air updates. With Congress now considering new laws on vehicle software safety, the Fiat Chrysler hacking recall may be a first, but it likely won’t be the last.