The U.S. National Highway Traffic Safety Administration on Friday launched a “recall query” to probe Fiat Chrysler’s proposed fixes for the security vulnerabilities, which involve software patches and network-level measures that don’t require actions from customers.
The agency’s chief, Mark Rosekind, said NHTSA cybersecurity experts would scrutinize the recall, allowing the government to “further assess” the company’s response. Mr. Rosekind said in a statement that the agency “encouraged” Fiat Chrysler to conduct the recall, “which meets the critical responsibility of manufacturers to assure the American public that vehicles are secure from such threats, and that when vulnerabilities are discovered, there will be a swift and strong response.”
The flaw Fiat Chrysler identified in January 2014 involved a hack of a Jeep that didn’t affect its critical controls or safety systems, said a person familiar with the matter. The company didn’t become aware of hackers’ ability to commandeer the Jeep’s brakes, transmission or other critical systems until this month, the person said.
A Fiat Chrysler spokesman said the company is cooperating with the investigation and that all the auto maker’s vehicles meet or exceed federal safety standards.
Fiat Chrysler on Friday recalled 1.4 million vehicles equipped with certain touch-screen radios to update software for protection against possible cyberattacks. The recall affects an array of vehicles, ranging from Ram pickup trucks to Jeep Grand Cherokees and Cherokees and Chrysler sedans. Customers affected by the recall will receive a USB device that upgrades their software. The company said it isn’t aware of any injuries, complaints, warranty claims or accidents linked to the software issue.
Separately, Fiat Chrysler said it had launched network-level security measures to prevent the kind of attack demonstrated by hackers on a Jeep Cherokee earlier this week. The hackers, in an article published in technology magazine Wired, displayed an ability to manipulate the Jeep’s air conditioning, stereo controls, brakes and transmission from a laptop many miles away. The new security measures from the Italian-U.S. auto maker don’t require any actions from customers and block remote access to certain vehicle systems.
In a document filed with regulators, Fiat Chrysler said it identified a potential security vulnerability through testing by an unidentified third party in certain vehicles with certain radios. The flaw involved a communications port unintentionally left open, allowing it to “accept commands from unauthenticated sources,” the filing said.
The company’s supplier, which it didn’t identify, immediately started working on improvements, which were introduced starting in July 2014 on model-year 2015 vehicles, the filing said. More improvements were put into production in January and again in July, the filing said. Fiat Chrysler on July 14 approved an extended warranty program and free software updates for vehicles, the filing said.
The recall and earlier Jeep hack spotlight burgeoning concerns over how susceptible U.S. automobiles are to hackers aiming to take over a vehicle’s control or tap into motorists’ private information, such as through navigation systems. Two U.S. senators earlier in the week introduced legislation, with support from the hackers who commandeered the Jeep, that would require regulators to develop standards for securing vehicles and protecting consumers’ privacy, including through a “cyber dashboard” system to inform consumers how vulnerable vehicles are to a cyberattack.
One of those lawmakers, Sen. Edward Markey (D., Mass.), on Friday expressed concern about how long Fiat Chrysler was aware of the security gap. He said in a statement that Fiat Chrysler and regulators “should be immediately taking steps to verify that other similar vulnerabilities do not exist in other models that are on the road.”
The regulatory probe, meanwhile, adds to mushrooming scrutiny of Fiat Chrysler’s safety practices. The auto maker already faces likely regulatory penalties for lapses handling more than 11 million recalled vehicles, including older Jeeps with rear gas tanks linked to dozens of fatal fires. Those Jeeps aren’t involved in Friday’s recall. On the other recalls, Fiat Chrysler could face hundreds of millions of dollars in fines and be forced to repurchase vehicles depending on discussions with regulators.
Sprint Corp., the cellular provider linked to the recalled vehicles, on Thursday closed long-range wireless access to dramatically reduce the ability of hackers to infiltrate the cars and trucks, according to a person familiar with the matter and a Fiat Chrysler filing with regulators. Fiat Chrysler started a software patch update for the vehicles on July 16. A Sprint spokeswoman said the company is aware of the issue and working with the auto maker to help make vehicles more secure.
The vehicles affected by Friday’s recall include 2013-2015 Dodge Viper specialty vehicles; a variety of 2013-2015 Ram pickup trucks and chassis cabs; 2014-2015 Jeep Grand Cherokee and Cherokee SUVs; 2014-2015 Dodge Durango SUVs; 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans; and 2015 Dodge Challenger sports coupes, the company said.
Fiat Chrysler said no safety defect has been found in the affected vehicles and described the recall as a precaution. The auto maker on Friday sought to further allay concerns raised by the earlier Jeep hack in statements about the new recall, noting extensive hurdles to anyone remotely commandeering vehicles.
“The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,” Fiat Chrysler said in a statement.
The company on Friday said it has established a specific team focused on tackling software development and integration in an effort to ensure vehicle security.
Source: The Wall Street Journal