Fiat Chrysler recalls 1.4 million vehicles to install anti-hacking software
NHTSA to assess effectiveness of fix
DETROIT -- Fiat Chrysler will recall 1.4 million vehicles to close the software loophole that allowed hackers to remotely take control of a 2014 Jeep Cherokee.
FCA US said it “has applied network-level security measures” to block hackers from the ability to remotely access its vehicles via their Internet-ready Uconnect radios.
The recall involves a software patch that also stops the type of hack attack demonstrated by professional hackers Charlie Miller and Chris Valasek. The patch can either be installed at the dealer, or downloaded by a consumer and installed into the radio via a USB flash drive.
Previously, the automaker had only advised owners to download the software patch or take their vehicle to a dealer to have it installed. The campaign was stepped up to a formal recall and broadened today by FCA to include more vehicles, all equipped with 8.4-inch touchscreen Uconnect radios:
- 2013-15 Dodge Viper specialty vehicles
- 2013-15 Ram 1500, 2500 and 3500 pickups
- 2013-15 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-15 Jeep Grand Cherokee and Cherokee SUVs
- 2014-15 Dodge Durango SUVs
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
The Dodge Dart and Journey, which also have 8.4-inch touchscreen Uconnect radios, are not affected, a spokesman confirmed.
To install the software patch, FCA said customers should visit a dedicated website, input their vehicle identification number and determine whether their vehicles are included in the recall.
The automaker said that to perform their remote takeover of the 2014 Cherokee, the hackers “required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.”
On Monday, Wired magazine detailed how Miller and Valasek were able to take command of an unmodified 2014 Jeep Cherokee while it was being driven on a St. Louis highway by journalist Andy Greenberg.
They did so via the SUV’s Internet-connected Uconnect radio, which receives data through the Sprint cellular network.
Working via laptop computers from home, the hackers blasted the Cherokee’s radio, turned on the wipers and a torrent of washer fluid and eventually shut off the Cherokee’s engine while it was traveling on the highway.
Later, in a parking lot, they demonstrated how they could take control of the Cherokee’s steering wheel, but only while the transmission was in reverse, and even disable the brakes, sending the SUV into a ditch.
FCA has come under fire from federal regulators and could face possible fines or other penalties for its handling of recent recalls.
National Highway Traffic Safety Administration chief Mark Rosekind said in a statement Friday that the agency “encouraged” FCA to elevate the voluntary software update to a full recall. The move was needed to demonstrate the “swift and strong response” that should follow the discovery of vehicle cyber vulnerabilities, Rosekind said.
Rosekind’s comments signaled that automakers should take similar steps in the future when facing cybersecurity threats.
“NHTSA appreciates that FCA has already taken action to partially address this vulnerability by working with its cellular provider,” Rosekind said. “Launching a recall is the right step to protect Fiat Chrysler’s customers and it sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities.”
At the same time, the agency today opened an investigation to assess the effectiveness of FCA’s software patch as part of the recall, Rosekind said.
“Electronics and cybersecurity experts from NHTSA’s Office of Defects Investigation and the Electronic Systems Safety Research Division of the Office of Vehicle Safety Research will continue to address this and other cybersecurity threats and take action when necessary to protect public safety,” he said.
Congress weighs in
U.S. Reps. Fred Upton, R-Mich., and Frank Pallone, Jr., D-N.J., said in a joint statement Friday that NHTSA and automakers must keep pace with the rapid evolution of vehicle connectivity to “protect drivers from these growing threats.”
In May, the House Energy and Commerce Committee launched a review of how automakers and NHTSA were handling vehicle cybersecurity, sending the top executives of 17 automakers a list of questions on their approach to the issue. Upton chairs the Energy and Commerce Committee; Pallone is its ranking member.
“We are working with leading automakers and NHTSA to ensure all stakeholders are prepared to meet these challenges of the 21st century,” the lawmakers said in a joint statement. “We have said that cars today are essentially computers on wheels, and the last thing drivers should have to worry about is some hacker along for the ride.”
U.S. Sen. Ed Markey, D-Mass., issued a statement calling on Congress to pass auto cybersecurity laws and for automakers and NHTSA to root out possible vulnerabilities in other vehicles with connected systems.
On the same day Wired published its story on the Jeep hack, Markey and Sen. Richard Blumenthal, D-Conn., introduced a bill that would direct NHTSA and the Federal Trade Commission to set federal standards for automotive cybersecurity to prevent intrusion from hackers and protect consumer data.
In his statement, Markey said FCA launched the recall months after learning of the vulnerability in its Uconnect system, adding “there are no assurances that these vehicles are the only ones that are this unprotected from cyberattack.”
Ryan Beene and David Phillips contributed to this report.