Welcome to the age of hackable automobiles, when two security researchers can cause a 1.4 million product recall.
On Friday, Chrysler announced that it's issuing a formal recall for 1.4 million vehicles that may be affected by a hackable software vulnerability in Chrysler's Uconnect dashboard computers. The vulnerability was first demonstrated to WIRED by security researchers Charlie Miller and Chris Valasek earlier this month when they wirelessly hacked a Jeep I was driving, taking over dashboard functions, steering, transmission and brakes. The recall doesn't actually require Chrysler owners to bring their cars, trucks and SUVs to a dealer. Instead, they'll be sent a USB drive with a software update they can install through the port on their vehicle's dashboard.
Chrysler says it's also taken steps to block the digital attack Miller and Valasek demonstrated with "network-level security measures"—presumably security tools that detect and block the attack on Sprint's network, the cellular carrier that connect Chrysler's vehicles to the Internet.
Miller, one of the two researchers who developed the Uconnect-hacking technique, said he was happy to see the company respond. "I was surpassed they hadn't before and I'm glad they did," he told WIRED in a phone call. He particularly praised the move to work with Sprint to prevent attacks through its network.
"Blocking the Sprint network is a huge thing," Miller adds. "The biggest problem before was that cars would never get fixed or fixed way down the road. Assuming that they did this correctly…you don't have to worry about that tail-end of cars that won't get fixed."
Chrysler had already issued a patch in a software update for its vehicles last week, but announced it with a vague press release on its website only. A recall, by contrast, means all affected customers will be notified about the security vulnerability and urged to patch their software. "The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action," writes a Chrysler spokesperson in an email.
In its press statement about the recall, Chrysler offered the following list of vehicles that may be affected:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
That list of potentially vulnerable cars is slights longer than the one Chrysler gave WIRED on Monday, which excluded the the Chrysler 200 and 300, and the Dodge Charger and Challenger. The 1.4 million number it's targeting with the recall is also far larger than the 471,000 vehicles Miller and Valasek had estimated to possess the vulnerable Uconnect computers.
In its statement, Chrysler also said that to its knowledge the hacking technique Miller and Valasek had developed had never been used outside of the WIRED demonstration. It also pointed out that hacking its vehicles wasn't easy. That's true: Miller and Valasek had worked on their Jeep hacking exploit for over a year. "The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code," reads Chrysler's statement.
In one less credible part of the statement, however, Chrysler also claims that "no defect has been found," and that "[Fiat Chrysler Automobiles] is conducting this campaign out of an abundance of caution."
Given that Miller and Valasek were able to hack the Jeep I was driving on a highway from a laptop 10 miles away, that "no defect" claim doesn't hold up. "No defect was found (other than the remote vulnerability that can result in full physical control)," wrote Valasek on his twitter feed.
But Valasek added that he'd tested the attack again and found that Sprint's network does now appear to be blocking the Jeep attack:
Looks like I can't get to @0xcharlie's Jeep from my house via my phone. Good job FCA/Sprint!
— Chris Valasek (@nudehaberdasher) July 24, 2015
Careful Chrysler owners don't need to depend on that network protection or wait for a USB drive to be mailed to them to patch their Uconnect computers. They can download the patch to a compute right now, put it on a USB drive, and install it on the dashboard. Start here to get that software fix.
One recall won't change the fact that cars, SUVs and trucks are increasingly connected to the internet and vulnerable to hacker attacks like the one Valasek and Miller have demonstrated. Congress has taken note of the rising threat of car hacking, too, with two senators introducing a bill earlier this week to set minimum cybersecurity standards for automobiles.
That bill would require cars to be designed with certain security principles, such as isolating physical components from internet connections and including features that detect and block attacks. But for now, Miller says that a recall is a strong first step for Chrysler. "What I really want is for them to design secure cars and include detection mechanisms," Miller says. "They can't do that in three days. This is the most we could hope for."