Washington — Under government pressure, Fiat Chrysler Automobiles NV agreed Friday to recall 1.4 million vehicles that can be cyber-hacked remotely — as Congress, automakers and regulators are raising increasing concerns about vehicle communications.
The first-of-its-kind callback came just days after a magazine report showed hackers could wirelessly take control of some functions of a Jeep Cherokee.
The National Highway Traffic Safety Administration said it will open an investigation into the recall to ensure all vehicles that could be affected are covered. “Opening this investigation will allow NHTSA to better assess the effectiveness of the remedy proposed by Fiat Chrysler,” NHTSA Administrator Mark Rosekind said in a statement, acknowledging the agency had urged the move.
Owners will get a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures that largely addresses the problem.
Sen. Ed Markey, D-Mass., called on NHTSA to ensure that the problem is not limited to Fiat Chrysler.
“There are no assurances that these vehicles are the only ones that are this unprotected from cyberattack. A safe and fully-equipped vehicle should be one that is equipped to protect drivers from hackers and thieves. Both automakers and NHTSA should be immediately taking steps to verify that other similar vulnerabilities do not exist in other models that are on the road,” Markey said.
House leaders, who have been reviewing auto hacking, called for further action.
“Innovation is occurring at lighting speed, and the intersection of automobiles and technology offers tremendous opportunity to keep families safe on the road and improve the American driving experience. But as the underlying technologies seemingly evolve by the day, so too must our manufacturers and regulators keep pace to protect drivers from these growing threats,” said Energy and Commerce Committee Chairman Fred Upton, R-St. Joseph and ranking member Frank Pallone, D-N.J. “We are working with leading automakers and NHTSA to ensure all stakeholders are prepared to meet these challenges of the 21st century. We have said that cars today are essentially computers on wheels, and the last thing drivers should have to worry about is some hacker along for the ride.”
Researchers for Wired magazine remotely hacked into a 2014 Jeep Cherokee in a real-world test that included disabling the SUV’s engine functions and controlling interior features such as air conditioning, locks and the radio.
NHTSA encouraged the recall, Rosekind said, because it “meets the critical responsibility of manufacturers to assure the American public that vehicles are secure from such threats, and that when vulnerabilities are discovered, there will be a swift and strong response.”
R said the recall “sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities.”
The fix for the recall is a software update for certain radios that could be the subject of hacking. No vehicles outside the United States are impacted.
Of the 1.4 million recalled vehicles, Fiat Chrysler said it eliminated nearly all from hacking concerns earlier this week after its telecommunications provider closed an open port. But it acknowledged that 3 percent of the vehicles could be impacted by short-range wireless communications for owners who subscribe to mobile hotspots. A hacker would need to be within about 100 feet to potentially take control, the automaker said.
Fiat Chrysler told NHTSA that it first learned of a security vulnerability in January from a researcher. The vehicles were open to hacking because a communications port was inadvertently left open and the radio firewalls were open by default. Fiat Chrysler began working on a fix then but did not immediately disclose the issue to NHTSA or the public. Fiat Chrysler said this week its cellular provider remotely closed the communications port that “removes the known risk of long-range remote hacking.”
On July 14, Fiat Chrysler approved an extended warranty program for free software updates for all owners and agreed to send an email and letters describing the issue. The following day, Fiat Chrysler told NHTSA it was issuing a technical service bulletin to address the issue.
But Fiat Chrysler agreed to the recall Thursday at NHTSA’s request.
Most experts downplayed the seriousness of the Fiat Chrysler hack.
Ken Westin, senior security analyst for Tripwire, said, “The actual possibility of this vulnerability being used in a real attack is slim. However, as the researchers in this case worked closely with Chrysler to provide detailed information regarding the vulnerability, they were able to develop a patch to fix the security vulnerability in the vehicle systems. ... With increasingly connected and high tech components being added to these vehicles, they will need to add security to the mix in order to retain their brand integrity. You can develop the most advanced vehicle that has all of the latest safety features and high tech gadgets in it, but if it can be bricked by remote exploits, you are going to have wary consumers who may choose the next brand of vehicle because they put more emphasis on security.”
Edmunds.com editor Ron Montoya said, “There is no real safety threat to FCA owners. This week's hack was an isolated incident that was performed on one specific vehicle and it was not something that could be replicated on a mass scale. Nevertheless, automakers recognize this as a very important issue and they're proactively working to identify flaws in their own connected systems and address whatever issues they may find."
Fiat Chrysler said it is unaware of any injuries related to software exploitation, nor is it aware of any related complaints or accidents outside of the media demonstration.
The recall includes 1.4 million vehicles equipped with 8.4-inch touchscreens including:
■2013-15 Dodge Vipers
■2013-15 Ram 1500, 2500 and 3500 pickups
■2013-15 Ram 3500, 4500, 5500 chassis cabs
■2014-15 Jeep Grand Cherokees and Cherokees
■2014-15 Dodge Durangos
■2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
■2015 Dodge Challengers
Owners can visit www.driveuconnect.com/software-update/ to input their vehicle identification numbers (VINs) and determine if their vehicles are included in the recall.
They will receive a flash drive to upgrade software to provide additional security beyond the network-level measures already taken.
Fiat Chrysler said it has established a dedicated team focused on identifying best practices for software development. It said the software manipulation demonstrated by the hackers “required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.”
The recall announcement comes as NHTSA and Fiat Chrysler negotiate a likely settlement into NHTSA’s concerns about the automaker’s handling of nearly two dozen recall campaigns covering about 11 million vehicles. Foxx said a settlement may be announced soon. “We’re working very hard to get these issues closed out,” Foxx said in response to a Detroit News question.
Meanwhile on Friday, Transportation Secretary Anthony Foxx said the Obama administration will “push” hard to ensure the nation’s 250 million cars and trucks are not suspectible to cyber hacking. At a roundtable discussion with reporters, Foxx said the problem is an “issue.”
“We will push as hard as we can to ensure the security of vehicles is airtight,” he said at a breakfast meeting with reporters, noting that it may become a bigger issue as connected vehicles become more common on the nation’s roads.
Two senators this week introduced legislation requiring NHTSA to set new rules to guard against hacking. Foxx said it was critical that automakers and the government work closely together to address the issue.