When cars are the hackable mobile device: Fiat issues recall on 1.4 million Dodge, Jeep, and Chrysler vehicles

When cars are the hackable mobile device: Fiat issues recall on 1.4 million Dodge, Jeep, and Chrysler vehicles
More and more new vehicles are connected to the gills. From offering basic navigation connectivity to full-blown phone calling and Wi-Fi hotspot capability, cars themselves are mobile devices.

As with anything connected to the internet, there is an IP address, and that means it can be accessed remotely. Two hackers, Charlie Miller and Chris Valasek, took Wired author Andy Greenberg for a ride, literally, and remotely.

Many modern vehicles have followed the model of passenger jets, with fly-by-wire type systems replacing mechanical or hydraulic mechanisms that affect everything from acceleration, braking, radio controls, and even steering.

Miller and Valasek have discovered what amounts to a zero-day hack on Fiat’s Chrysler division vehicles that are equipped with the U-Connect option. By exploiting a vulnerability in the entertainment system, the two hackers were able to rewrite the firmware, allowing the system to send commands to the vehicle’s CAN bus (the car’s internal network). Once that is accomplished, anything connected to the CAN bus can be manipulated depending on the vehicle configuration, from HVAC, engine operations, accelerators, steering, and braking.

The two hackers plan on publishing their findings and sharing the most of the methodology at the Black Hat conference next month. They have also shared their findings with Fiat so the company could issue a security patch recall to Chrysler vehicles equipped with U-Connect. While Fiat is not a fan of the idea of Miller and Valasek sharing this knowledge with the hacker community, the two defend the action as necessary for peer review, proof of concept, and to bring the issue into the limelight.

The recall affects up to 1.4 million vehicles, and the fix involves updating the U-Connect firmware through a USB dongle that customers can download and install themselves, or visit a dealer to have the patch installed for them. Vehicles on the list include the 2013-2015 Dodge Viper, 2013-2015 Ram Pick-ups, 2014-2015 Jeep Cherokee and Grand Cherokee, 2014-2015 Dodge Durango, 2015 Chrysler 200 and 300, and 2015 Dodge Challenger and Charger.

“If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone,” according to Miller. Based on the video below from Wired, this is definitely going to be an issue of concern for today’s vehicles to tomorrow’s autonomous systems under development.



sources: TFLCar and Wired

FEATURED VIDEO

11 Comments

1. Johnnokia

Posts: 1158; Member since: May 27, 2012

This BS is so dangerous on a high way filled with thousands of cars, and those drivers are not aware about this experiment. If you don't give a sh*t about your life, there are many good innocent people deserve a good life.

6. vincelongman

Posts: 5695; Member since: Feb 10, 2013

To be fair, millions of good innocent people still die from incompetent drivers Hopefully soon they figure out how to stop hacks and make driverless cars affordable Then driverless cars will save millions of good innocent people a year But I'm definitely going to wait for this tech to mature Wouldn't want to be a genie pig for this tech

2. carlemillward unregistered

The company really cannot say they did not think this would happen.

3. Fuego84

Posts: 357; Member since: May 13, 2012

This is nuts since when do updates actually fix stuff... Lol they might fix something but introduce a lot of other bugs and in an automobile that's just dangerous.

4. strudelz100

Posts: 646; Member since: Aug 20, 2014

I will never allow a sensor made by the lowest bidder to be in full control of my life while inside a car. Connected cars are a terrible idea, sacrificing all privacy, and possibly all control at times while also increasing the cost of cars. Soon these technologies will be mandatory for "your safety". You foot the cost of course. And they will send the analytics to the police on demand and sell the rest to the highest bidder.

8. boosook

Posts: 1442; Member since: Nov 19, 2012

They're not a terrible idea, you just have to do it the right way. And it's plain simple: just keep the parts that handle multimedia content, navigation etc physically separated from the computer that manages the engine, brakes and so on. Like in an airplane. It's not so difficult.

9. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

So you've never been in a car made after the mid 80s?

11. o0Exia0o

Posts: 903; Member since: Feb 01, 2013

Most cars produced these days use RF control modules on the throttle and breaking systems... This is a fear that I have had for many years now, rapid uncontrolled acceleration! Back about 5 years ago when Toyota was having issues with claims that their vehicles were accelerating uncontrollably without user input I thought that the implementation of the RF throttle control modules were the culprit, but Toyota passed along the story that floor-mats, YES FLOOR-MATS, were the jamming the accelerator pedal to the floor. I didn't and still don't buy the floor-mat story, but with almost manufacturer equipping their vehicles with the RF control modules what is to stopping someone with the right equipment from sending a false signal do the module and causing a vehicle to rapidly accelerate or full application of the breaks resulting in an accident?

5. vincelongman

Posts: 5695; Member since: Feb 10, 2013

I guess this is why Apple/Google are using BlackBerry's QNX, instead of iOS/Android for Car Play/Android Auto

7. boosook

Posts: 1442; Member since: Nov 19, 2012

I think that the main reason is that QNX is a realtime os, though.

10. jroc74

Posts: 6023; Member since: Dec 30, 2010

I keep saying we are getting too dependandt on computers, technology. Even tho when I heard Google was working on driver less cars its sounds nice. But for safety it sounds too dangerous.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.