Just How Vulnerable is the UConnect System to Hacking?

Scott McCracken
#interior #technology #infotainment

On July 21, 2015, a report surfaced that hackers had remotely taken control of a Jeep Cherokee through its UConnect system. They turned on the A/C, cranked the volume of the radio, and even killed the transmission while the vehicle was on the highway.

The driver was freaked out, even though he had signed up for the whole harrowing ordeal.

“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

Yes, it was all an experiment aimed at shining a light on how a connected car is a vulnerable one.

An Experiment to Bring Light to Security Issues

With the help of two white-hat hackers (i.e. the good guys), Wired.com wanted to show how an infotainment system could be remotely accessed via the car’s cellular connection, essentially turning the car into a giant remote-controlled danger box.

That makes us crash-test dummies.

“The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. They demonstrated as much on the same day as my traumatic experience on I–64.”

It’s worth mentioning that the hackers did have direct contact with the vehicle before they hacked it remotely later on. So these vulnerabilities aren’t coming out of thin air … yet.

Fiat-Chrysler Upgrades the Software Following the Hack

Within a few days of the Wired.com article, Fiat-Chrysler (FCA) announced they’d be sending owners a software patch on a USB drive as part of a recall for 1.4 million vehicles. Additionally, FCA closed remote ports to block long-range access via cell networks.

The recalled vehicles are all equipped with Uconnect 8.4A (RA3) and 8.4AN (RA4) radios. This includes 2013-2015 Ram trucks.

Fiat Chrysler says it has already applied security measures to block remote access to vehicle systems, all without an owner knowing about it because the changes occurred through the cellular network. Chrysler says everything was done on July 23, 2015.

Customers can also get a copy of the update by visiting http://www.driveuconnect.com/software-update.

An investigation into the recall’s effectiveness

A week after the recall was announced, the National Highway Traffic Safety Administration (NHTSA) opened an investigation into the recall’s effectiveness. They also opened an “equipment query” into the affected Harman Kardon radios, which meant it was not limited to just FCA vehicles.

Satisfied with its findings, NHTSA closed the investigation in January 2016.

Consumer Response

While safety regulators are satisfied, not all consumers feel the same way.

In August 2015, a lawsuit said FCA knew about vulnerabilities for at least 18 months, but only acted once the Wired.com article came out.

While there’s still a chance of a settlement for the plaintiffs in the suit, FCA was able to get most of the lawsuit’s claims thrown out of court and stop the suit from going nationwide.

Generations Where This Problem Has Been Reported

This problem has popped up in the following Ram generations.

Most years within a generation share the same parts and manufacturing process. You can also expect them to share the same problems. So while it may not be a problem in every year yet, it's worth looking out for.

Further Reading

A timeline of stories related to this problem. We try to boil these stories down to the most important bits so you can quickly see where things stand. Interested in getting these stories in an email? Sign up for free email alerts for your vehicle over at CarComplaints.com.

  1. Fiat-Chrysler was able to get most of the claims of a 2015 lawsuit thrown out; however, the case won't be completely dismissed.

    Attorneys for Chrysler told the judge there is no evidence hackers have affected the vehicles since those vehicles were remedied under the recall and none of the owners say they changed their driving habits due to the hacking incident ... The judge dismissed most of the claims, three of those dismissed with prejudice, but ruled the plaintiffs do have standing to pursue damages for loss in value and overpayments for the vehicles.

    It's possible those plaintiffs will receive some sort of settlement if they carry on with the case, but it's looking less likely for a nationwide compensation settlement.

    keep reading article "Uconnect Lawsuit is Still Alive. Barely."
  2. It doesn't appear the National Highway Traffic Safety Administration (NHTSA) is going to do anything about Fiat-Chrysler's radio hack recall.

    NHTSA concludes Chrysler vehicles that weren't part of the recalls don't have radios with built-in cellular access or short-range wireless features, which allegedly eliminate the hacking threat. In addition, third-party testing showed potential cellular vulnerabilities were fixed by wireless carrier Sprint or repaired through updates to the Uconnect software.

    keep reading article "Safety Regulators Close Their Investigation Into Uconnect Hacking Vulnerabilities"
  3. Consumers don't seem convinced that Fiat-Chrysler's (FCA) recall is doing enough to protect them against hacking.

    The hack was possible because of the Harman Kardon uConnect infotainment systems installed in the affected Jeeps and other vehicles. The plaintiffs claim the uConnect 3G systems in the vehicles should be physically disconnected from the controller area network bus. The CAN bus links together the electronics of the vehicle, including vital functions such as the braking system and transmission.

    keep reading article "Consumers Aren't Thrilled with FCA's Response to Hacked Uconnect Radios"

OK, Now What?

Maybe you've experienced this problem. Maybe you're concerned you will soon. Whatever the reason, here's a handful of things you can do to make sure it gets the attention it deserves.

  1. File Your Complaint

    CarComplaints.com is a free site dedicated to uncovering problem trends and informing owners about potential issues with their cars. Major class action law firms use this data when researching cases.

  2. Notify CAS

    The Center for Auto Safety (CAS) is a pro-consumer organization that researches auto safety issues & often compels the US government to do the right thing through lobbying & lawsuits.

  3. Report a Safety Concern

    The National Highway Traffic Safety Administration (NHTSA) is the US agency with the authority to conduct vehicle defect investigations & force recalls. Their focus is on safety-related issues.
