Senators want NHTSA to get tough on vehicle hacking

David Shepardson
Detroit News Washington Bureau

Washington — Two senators want the National Highway Traffic Safety Administration to take “immediate action” to investigate to potential widespread risk to consumers of vehicle hacking in the wake of Fiat Chrysler’s recall of 1.4 million vehicles for cyberintrusion risks.

U.S. Sens Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn. urged NHTSA Administrator Mark Rosekind on Tuesday to take speedy action.

“To restore consumer confidence in our nation’s auto safety system it is imperative that NHTSA act quickly to develop a fuller understanding of the breadth and depth of the safety threat now confronting motorists,” the letter to Rosekind said. “NHTSA must rapidly determine whether other vehicle models are affected by this particular vulnerability, and how remedial actions can be deployed by manufacturers and regulators to secure all vehicles on our roads.”

NHTSA on Friday it was opening an investigation into Fiat Chrysler’s recall to determine if all vehicles impacted are covered by the recall and whether the vehicles face other security risks.

“We’ve opened an investigation to determine whether FCA’s recall includes all affected vehicles and that the remedy is appropriate, and we’re working to determine whether this equipment has been supplied to other automakers to determine if they have similar vulnerabilities,” NHTSA spokesman Gordon Trowbridge said Tuesday.

The callback — the first related to cyber security — was announced Friday, just days after a magazine report showed hackers could wirelessly take control of some functions of a 2014 Jeep Cherokee through the radio. Researchers for Wired magazine remotely hacked into the Cherokee in a real-world test that included taking over steering, transmission and brakes, and controlling features such as air conditioning, locks and the radio. They published the results this week, but first notified Fiat Chrysler of their research in October.

In a document posted Tuesday, NHTSA said it will contact the manufacturer of the radio to determine whether similar units have been supplied for other vehicles.

The senators introduced cybersecurity legislation that would force NHTSA to set new rules to guard against cyberhacking.

“Modern vehicles are continuously expanding and advancing their connectivity — incorporating advanced systems for navigation, vehicle-to-vehicle communications, and infotainment. We expect that the number of potential attack surfaces in modern vehicles will only increase, and we are only just beginning to understand the nature of the emerging threat posed by car-hacking. Until we can identify all vulnerable systems and vehicles, car-hacking will continue to present a critical threat,” the senators wrote.

Fiat Chrysler said it learned of a possible problem from a third party in January 2014 and began to work on and quietly implement security improvements. But it didn’t alert owners or federal regulators, or issue a recall for nearly 18 months.

The automaker said it didn’t know until this month that critical vehicle systems such as steering and braking could be manipulated remotely.

Owners will be sent a flash drive to upgrade vehicle software. If they don’t want to wait, they can download the patch at Dealers also can make the fix.

The entertainment systems in the Jeeps, Chryslers, Dodges and Rams had two problems: The radios default to accepting commands from external sources; and a communications port was unintentionally left open in the cellular communications network that connects Fiat Chrysler’s vehicles to the Internet.

The software patch will fix the first problem. And Sprint, which is Fiat Chrysler’s cellular communications provider, closed the door through which the hackers entered.

Of the 1.4 million recalled vehicles, Fiat Chrysler said it eliminated nearly all from hacking concerns earlier this week after the port was closed. But it acknowledged 3 percent of vehicles could be infiltrated by short-range wireless communications for owners who use mobile hotspots. A hacker would need to be within about 100 feet to potentially take control, the automaker said.