As a Jeep Cherokee rolled down a highway near St. Louis, a pair of professional computer hackers sat on a couch 10 miles away, slowly taking over some of the SUV's basic functions from a suddenly panicked driver.
They set the air conditioning to cold, and the fan to high. They obscured the windshield with a torrent of washer fluid. They set the radio to play ear-splitting hip-hop. Then, in a move that petrified the driver -- a Wired magazine reporter who had agreed to play guinea pig for the demonstration, captured on video -- they abruptly cut power to the engine, letting the vehicle coast to a crawl in traffic on a narrow portion of interstate.
The hackers' demonstration did one other thing: It flipped the high beams on an industry still unprepared for its headlong rush toward Internet connectivity.
By the time the hackers' exploits were publicized last week, Fiat Chrysler had posted an urgent security patch on its website and was scrambling to further lock down the system. On Friday, July 24, the company issued a formal recall for 1.4 million 2013-15 vehicles to install the protective software. Consumers seeking to protect their vehicles can download the patch on a computer and install it themselves or have a dealer do it.
The recall and software patch addressed the security hole, but they did not allay fears about the prospect of malicious hackers exploiting connectivity technology to gain access to sensitive components and systems.
Those fears have been percolating for some time. In Washington, lawmakers have been pressing automakers to spell out their strategies for counteracting cyberattacks, and two senators introduced a bill on the issue last week.
But the industry's response is only now ramping up, as automakers come to terms with the implications of building devices that increasingly function as networked computers on wheels.
Since last year, the auto industry's two main trade associations have been working to establish an information sharing and analysis center for the industry, a clearinghouse for information about digital threats and vulnerabilities. Such centers are in place in other sensitive industries, such as oil and gas and financial services.
Robert Strassburger, vice president of vehicle safety at the Alliance of Automobile Manufacturers, said July 14 that the automotive information sharing and analysis center was on track to begin operations by year end.
IHS Automotive forecasts that more than 82.5 million vehicles worldwide will be connected to the Internet by 2022, more than triple the current number.
Automakers have heavily marketed these connections as a consumer benefit that allows for more entertaining or productive rides, as well as remote improvements. But as last week's report makes clear, there's more to connectivity than streaming movies.
"As cars get more connected than ever, they become more exploitable to technology vulnerabilities," said Akshay Anand, an analyst with Kelley Blue Book.
Automakers have traditionally sought to keep tight control over the way their vehicles interface with technology, such as cell phones and related applications -- and with good reason, given the safety concerns involved.
In practice, that has meant long delays to test products and search for vulnerabilities internally before new technology is released to the public. In that model, hackers are largely viewed as outside nuisances or ne'er-do-wells.
Technology companies, by contrast, keep their enemies closer. For example, Google now advertises bounties ranging from $100 to $20,000 for hackers who identify vulnerabilities in the company's many websites and businesses.
The auto industry may have to learn to work that way.
"We see the value of software and software content in the average car rising to around 60 percent over the next 15 years from less than 10 percent today," said Morgan Stanley auto analyst Adam Jonas. "Who has greater expertise and experience in protecting connected assets and systems from the perils of hacking? Detroit or Silicon Valley?"
Fortunately for FCA, the recent attack came from Charlie Miller and Chris Valasek, a pair of so-called benign hackers who use such demonstrations to try to help companies understand their vulnerabilities rather than to make mischief. They're known for a similar hack into a Toyota Prius, but that time, they were in the back seat.
The open doorway they used on the Jeep was Uconnect, the infotainment system that's used widely across FCA brands and includes an optional Internet connection, called Uconnect Access, through Sprint's cellular data network.
Uconnect, in turn, offered the hackers a gateway into the vehicle's network that coordinates various electronic functions.
Yet, unlike some other automakers, FCA cannot use that connection to "push" important software updates to its vehicles automatically. A source within the company indicated that may soon change.
Security experts say that ability to push patches "over the air" is a crucial complement to any system with an open Internet gateway, because it allows automakers to better keep pace with potential hackers.
According to a Twitter message from Miller, the patch FCA posted on July 16 blocks the vulnerability he and Valasek exploited. But FCA and Sprint were still scrambling to block the broader network door through which the hackers had gained access to the vehicle.
A spokesman for FCA wrote in an email to Automotive News that the companies were working to block remote access to hundreds of thousands of potentially vulnerable 2013-15 Chrysler, Dodge, Ram and Jeep vehicles equipped with the newer 8.4-inch Uconnect system. Fiat and Alfa Romeo vehicles are unaffected.
A source within FCA said the automaker tried to work with the hackers to close the vulnerabilities before they went public, but was rebuffed.
Ryan Beene contributed to this report.