On July 21, 2015, a report surfaced that hackers had remotely taken control of a Jeep Cherokee through its Uconnect system. They turned on the A/C, cranked the volume of the radio, and even killed the transmission while the vehicle was on the highway.
The driver was freaked out, even though he had signed up for the whole harrowing ordeal.
“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
Yes, it was all an experiment aimed at shining a light on how a connected car is a vulnerable one.
An Experiment to Bring Light to Security Issues
With the help of two white-hat hackers (i.e. the good guys), Wired.com wanted to show how an infotainment system could be remotely accessed via the car’s cellular connection, essentially turning the car into a giant remote-controlled danger box.
That makes us crash-test dummies.
“The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. They demonstrated as much on the same day as my traumatic experience on I–64.”
It’s worth mentioning that the hackers did have direct contact with the vehicle before they hacked it remotely later on. So these vulnerabilities aren’t coming out of thin air … yet.
Fiat-Chrysler Upgrades the Software Following the Hack
Within a few days of the Wired.com article, Fiat-Chrysler (FCA) announced they’d be sending owners a software patch update on a USB drive as part of a recall for 1.4 million vehicles. Additionally, FCA closed remote ports to block long-range access via cell networks.
The recalled vehicles are all equipped with Uconnect 8.4A (RA3) and 8.4AN (RA4) radios; this includes 2013-2015 Ram trucks.
Fiat Chrysler says it has already applied security measures to block remote access to vehicle systems, all without an owner knowing about it because the changes occurred through the cellular network. Chrysler says everything was done on July 23, 2015.
Customers can also get a copy of the update by visiting http://www.driveuconnect.com/software-update.
An Investigation Into the Recall’s Effectiveness
A week after the recall was announced, the National Highway Traffic Safety Administration (NHTSA) opened an investigation into the recall’s effectiveness. They also opened an “equipment query” into the affected Harman Kardon radios, which meant it was not limited to just FCA vehicles.
Satisfied with its findings, NHTSA closed the investigation in January 2016.
While safety regulators are satisfied, not all consumers feel the same way.
In August 2015, a lawsuit said FCA knew about vulnerabilities for at least 18 months, but only acted once the Wired.com article came out.
While there’s still a chance of a settlement for the plaintiffs in the suit, FCA was able to get most of the lawsuit’s claims thrown out of court and stop the suit from going nationwide.