Chrysler Recalls 1.4 Million Vehicles After Jeep Cherokee PoC Hack

Fiat Chrysler has recalled 1.4 million vehicles after security researchers remotely hacked a Jeep Cherokee by exploiting a vulnerability in its systems.

One of the most debated topics in the hacking and security community this week is the recent hack of a Fiat Chrysler Jeep.

The security experts Chris Valasek and Charlie Miller have demonstrated that car hacking can be a frightening reality. They provided a proof of concept of an attack scenario involving the well-known journalist Andy Greenberg: the two researchers took control of a 2014 Jeep Cherokee driven by Greenberg and brought the car to a halt while he was driving it.

The experts were able to control various components of the 2014 Jeep Cherokee, including the steering, the brakes, the engine, the turn signals, the windshield wipers and washer fluid, and the door locks, as well as reset the speedometer and tachometer and take control of the transmission.

A few days later Fiat Chrysler recalled 1.4 million vehicles in the US that are potentially exposed to cyber attacks due to a vulnerability in the Uconnect infotainment system. The researchers Valasek and Miller explained that an attacker could gain control of the vehicle from anywhere by exploiting this vulnerability.

The National Highway Traffic Safety Administration (NHTSA) is also investigating the case to determine the effectiveness of Fiat Chrysler’s recall of the 2014 Jeep Cherokee vehicles.

The first anomaly noticed by the media concerns the number of vehicles recalled by the company. Although Miller and Valasek estimated that up to 400,000 vehicles were affected by the vulnerability, Fiat Chrysler recalled 1.4 million vehicles, including:

  • 2013-2015 MY Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

“You can develop that most advanced vehicle that has all of the latest safety features and high tech gadgets in it, but if it can be bricked by remote exploits, you are going to have wary consumers who may choose the next brand of vehicle because they put more emphasis on security,” says Ken Westin, senior security analyst for Tripwire. “The automotive industry understands the importance of security and they are not only working with researchers, but also each other to help develop standards and best practices for more secure vehicles and the work that researchers are doing like Miller and Valasek is actually helping to make our vehicles more secure in the future.”

Once again, let me highlight the worrying aspect of the story: the patch issued by the company must be installed manually from a USB drive. The company initially invited customers either to download the update and install it themselves from a USB drive or to take the car to a dealership.

It is far from certain that every customer is able to carry out this operation on their own.

Fortunately, FCA announced on Friday that it is conducting a voluntary safety recall to update the software in roughly 1.4 million vehicles in the United States.

“The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action,” FCA said. “Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.”

Let me close with a comment on the event released by Valasek in an interview with CNBC’s “Power Lunch” on Wednesday. Valasek explained that remote attacks on cars are not easy to carry out: he and Miller spent at least three years on vehicle hacking research.

“I’m more afraid of someone texting and driving and running into me than I am of someone hacking my car,” Valasek said.

Pierluigi Paganini

(Security Affairs – Jeep Cherokee, Uconnect system)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC-Council in London. His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
