Fiat Chrysler recalls thousands of Jeep Renegade SUVs due to hacking risks

Fiat Chrysler has recalled nearly 8,000 Jeep Renegade SUVs in the US to update software that attackers could exploit to hack the vehicles.

There is no peace for Fiat Chrysler Automobiles after the disclosure of the attack against its Jeep Cherokee model by the popular hackers Charlie Miller and Chris Valasek. The two experts demonstrated how to hack the Fiat Chrysler connected car remotely by exploiting a flaw in the Uconnect automobile system.

A few days later the US National Highway Traffic Safety Administration recalled 1.4 million vehicles to update the flawed software hacked by the security experts. Fiat Chrysler made the firmware update available for download on its website and also mailed its customers a USB flash drive containing the update. Just yesterday I was writing about the company's disconcerting decision to provide a software update via mailed USB, explaining the possible risks for car owners.


The news of the day is that Fiat Chrysler has recalled nearly 8,000 SUVs to fix the flaws that could allow remote attackers to hack the connected car.

Fiat Chrysler explained that it needed to apply software updates to 7,810 Jeep Renegades sold in the US market. It added that some models of the SUV sold in 2015, which come loaded with certain radios, were vulnerable to the attack.

In summary, this campaign involves SUVs equipped with radios different from the one hacked by the experts. Fiat Chrysler states that it is unaware of any injuries related to software exploitation.

“The campaign – which involves radios that differ from those implicated in another, similar recall – is designed to protect connected vehicles from remote manipulation. If unauthorised, such interference constitutes a criminal act.

FCA US has already applied measures to prevent the type of vehicle manipulation demonstrated in a recent media report. These measures – which required no customer or dealer actions – block remote access to certain vehicle systems.

The company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration.” reads the statement issued by Fiat Chrysler on the software update.

The automaker added that more than 50 percent of the SUVs needing the software update remained at dealerships across the US, which allows the company to update those vehicles before they are sold to customers.

Fiat Chrysler added that owners of 2015 Jeep Renegade SUVs equipped with 6.5-inch touchscreens will be sent a USB device containing the update for the flawed software; alternatively, customers can download it from the official website. The good news for customers is that there is no charge for the software or, in the case of a dealer visit, for installation, as reported in the statement:

“Affected are certain 2015 Jeep Renegade SUVs equipped with 6.5-inch touchscreens. Customers will receive a USB device which they may use to upgrade vehicle software. This provides additional security features.

Alternately, customers may visit http://www.driveuconnect.com/software-update/ as early as today to input their Vehicle Identification Numbers (VINs) and determine if their vehicles are included in the recall. If so, they may download the software themselves or, as early as Sept. 5, visit their dealers where technicians will perform the installation.

There is no charge for the software or, in the case of dealer visit, installation.”

The automaker explained it was recalling the cars “out of an abundance of caution,” but car hacking is a scary reality, and let me add that the measures adopted by Fiat Chrysler are a must for the safety and security of its customers.

About the Authors: Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog, http://high54security.blogspot.com/

and Pierluigi Paganini

(Security Affairs – Fiat Chrysler, Patch Management)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
