NHTSA: Fiat Chrysler hacking ‘warning’ to industry
The head of the National Highway Traffic Safety Administration says last week’s first-ever recall of 1.4 million Fiat Chrysler vehicles for cyberhacking is a warning to the entire U.S. auto industry.
His announcement came the same day General Motors Co. issued a new security update for a smartphone app that allowed a hacker to take control of some functions of a Chevrolet Volt.
NHTSA Administrator Mark Rosekind told reporters Friday that automakers must move fast to address issues.
“It’s a shot across the bow. It’s a warning basically that whether it happens again tomorrow or a month from now or a year from now, it doesn’t matter — these are areas that we have to address,” Rosekind said. “Everybody’s been saying cybersecurity. Now you have to step up. We’ve been preparing for this.”
The Fiat Chrysler Automobiles recall came after Wired magazine reported hackers could remotely take control of some functions of a 2014 Jeep Cherokee, including steering, transmission and brakes.
Fiat Chrysler didn’t plan to recall the vehicles until NHTSA demanded a “strong, urgent response.” Owners of affected Jeeps, Chryslers, Dodges and Rams are being sent flash drives to upgrade vehicle software.
The safety agency is investigating whether similar radios in other makers’ vehicles have the same security flaw.
Transportation Secretary Anthony Foxx said last week that automakers and government must work closely together on cyberhacking issues.
GM on Friday issued a security update for the OnStar RemoteLink app for iPhone and iPad users after a hacker said he was able to remotely control some functions of the Volt, such as starting the engine and unlocking the doors.
In a statement Friday, GM OnStar said: “GM product cyber-security representatives reviewed a vulnerability identified by an independent researcher this week and moved quickly to secure our back-office system and reduce risk. That step required no customer action. Continued testing identified further action necessary on the Apple iOS version of RemoteLink app itself. That step has now been taken and an update is now available via Apple’s App Store.”
The company said RemoteLink users with iPhones and iPads would be notified Friday by OnStar through an email. The email includes a link to download the new app.
The previous version of the app will be decommissioned. Android, Windows Phone and BlackBerry users do not need to download a security fix.
GM’s response came after security researcher Samy Kamkar posted a video to YouTube Thursday. In the video, he said he was able to hack into RemoteLink by using a battery-powered remote device he called “OwnStar.”
With that device, Kamkar said he was able to intercept communication between a mobile phone with the app and OnStar servers. He said he then was able to control some functions of the Volt. On Friday, he tweeted: “OwnStar update: I just confirmed @OnStar has resolved the vulnerability with the RemoteLink app update released today! Great turnaround!”
The RemoteLink app allows OnStar users to remotely start their cars, honk the horn, turn on lights, or lock and unlock doors. Users also can locate their car and get diagnostic data such as tire pressure and oil life.
Rosekind said NHTSA hasn’t opened a formal investigation into the GM hacking, but is gathering information about the issue.
The GM issue “just highlights the number of points of entry,” Rosekind said. “These cars are computers now — they have been for a while, and the points of entry are many.”
Automakers say they are taking it seriously.
Two major auto trade associations — the Alliance of Automobile Manufacturers and Association of Global Automakers — say they will develop a voluntary group called the Information Sharing and Analysis Center. It will serve as a hub for sharing cyber-threat information and potential vulnerabilities in electronics and in-vehicle networks. The groups said they expect it to begin operations by the end of 2015.
“They’ve got their first (hacking incident). They’ve got to do it now,” Rosekind said.
Alliance vice president Robert Strassburger said he anticipated the industry group would expand to auto suppliers, and eventually could include telecommunications providers and technology companies.
On Tuesday, two U.S. senators urged NHTSA to take “immediate action” to investigate the potential widespread risk of vehicle hacking, as they introduced legislation that would force the safety agency to set new rules to guard against the threat.
Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., had strong words for Rosekind.
“Modern vehicles are continuously expanding and advancing their connectivity — incorporating advanced systems for navigation, vehicle-to-vehicle communications and infotainment,” they wrote. “We expect that the number of potential attack surfaces in modern vehicles will only increase, and we are only just beginning to understand the nature of the emerging threat posed by car-hacking. Until we can identify all vulnerable systems and vehicles, car-hacking will continue to present a critical threat.”