Fiat Chrysler has released an urgent software update for a number of its Internet-connected vehicles after learning that two hackers were able to take control of a Jeep Cherokee from miles away and crash it into a ditch.
The news comes amid growing concern that hackers are beginning to target automobiles as they have computers and cellphones. But in this case, there’s more than just private information at stake. Experts fear that such cyberattacks could pose the actual risk of death or injury, as well as major chaos on the highways.
The possibility that hackers could gain access to hundreds of thousands of FCA vehicles was revealed in a story in Wired magazine. The potential was demonstrated by two professional hackers, including one who previously worked for the National Security Agency. They plan to reveal at least some of their tricks during a so-called Black Hat security conference in Las Vegas next month.
Fiat Chrysler has already tried to address the problem with a new software update, though observers question whether the company has made the potential problem clear enough to owners. The update, the company said, “offers customers improved vehicle electronic security and communications system enhancement.”
Cybersecurity experts have been warning that the auto industry may be inadvertently creating a variety of ways for hackers to tap into their vehicles. These include wired access points, such as the OBD port used by mechanics to check a vehicle’s operations, as well as a growing list of wireless entry points, everything from mandatory tire pressure monitoring systems to 4G LTE infotainment technology.
The latter path was used by hackers Charlie Miller and Chris Valasek to exploit a vulnerability in a 2014 Jeep Cherokee equipped with the FCA Uconnect system that accesses the Sprint network. Working from their laptops miles away, the pair were able to access critical vehicle control systems while a Wired reporter was sitting behind the wheel.
According to Wired reporter Andy Greenberg, they were able to turn on the Jeep’s windshield wipers and washer fluid pump, shut the engine down while it was being driven down the highway, take control of the steering wheel and then disable its brakes, sending it into a ditch.
The two hackers contacted Fiat Chrysler to alert the company of the vulnerability, which led to the release of the software update.
“This update might not sound particularly important, but trust me, if you can, you really should install this one,” said Miller in a post on Twitter.
The automaker said it is concerned about the fact that the pair plans to release some of the code they used during next month’s hacker conference, insisting it does not “condone” the move, nor consider it “appropriate,” even with the update available.
Part of the concern appears to be that many owners might either not know about the fix or simply skip installing the update. There’s reason for that worry. Even with the potentially deadliest safety defects, only 70 percent to 8 percent of owners ever bother to follow up on a recall notice and get their vehicles repaired.
That’s an issue the National Highway Traffic Safety Administration is discussing with the industry – and which may lead to new measures by Congress. But the potential for hackers to take control of a vehicle is equally worrying, NHTSA Administrator Mark Rosekind said during a visit to Detroit this week.
The potential risks are likely to expand in the years ahead as vehicle manufacturers continue to expand the range of digital technologies they use. Nissan already has a steer-by-wire system, with no direct mechanical link between driver and the vehicle’s wheels, on its Infiniti Q50 sedan. The automaker has promised to put its first fully self-driving vehicle into production by 2020.
But semi-autonomous technologies are expected to reach market well before then. Last week, Tesla Motors CEO Elon Musk said he plans to release a beta version of the new Pilot software, which will allow hands-free highway driving, within a matter of weeks. It will first go to a handful of owners willing to test the system, but distribution to all Model S sedans could follow within months.
Tesla plans to send that update to those vehicles wirelessly, and that process could prove a very tempting target for hackers.
More from The Detroit Bureau