Jeep Hack Leads FCA to Offer Software Update


Fiat Chrysler Automobiles (FCA) has announced a software update for its models to improve safety.

FCA quietly announced the safety update on July 16, and it went mostly unnoticed at the time. That changed five days later, when Wired reported that two hackers had been able to remotely access many functions on a 2014 Jeep Cherokee.

Charlie Miller and Chris Valasek, two professional hackers, were able to remotely take control of the vehicle’s air conditioning, radio and windshield wipers, all from the comfort of their living room. They were also able to disable the brakes and shut off the vehicle’s engine.

They accessed the Cherokee through a vulnerability in FCA’s Uconnect infotainment system, which hooks up to the internet using a cellular data connection.


The hackers notified FCA of the weakness and worked with the company to come up with a secure solution to protect the brand’s vehicles from hackers.

“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” said FCA in a statement.

The software update will be provided at no cost to customers and also includes other improvements to the system. “Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.”

The 8.4-inch touchscreen Uconnect system is available on all 2013-2014 Chrysler, Dodge, Jeep and Ram vehicles along with the 2015 Chrysler 200.

Miller and Valasek say that they plan on releasing part of the code at the Black Hat security conference, though they say it won’t be enough to allow other hackers to access Chrysler’s Uconnect system. Despite this, FCA is not in favor of the idea, saying “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems.”

  • craigcole

    Another reason I love crank windows and manual transmissions … LOL!

  • Caddo65

    While I’m sure it’s a good idea for car makers to improve Internet security, from what I read these guys OWNED the Jeep Cherokee they used and had physical access to it. They changed the firmware from the USB port. They didn’t actually “hack it over the Internet”. It looks like they just found a way to use Uconnect to control more than what the app already does.

  • droog

    They actually accessed the Cherokee over the Sprint 3G network. In fact that was the only condition, that you had to have access to the Uconnect systems from Sprint’s IP range. All that would take is purchasing a cheap Sprint phone with data and you have full access to exploit any vulnerable Uconnect system. You should read the Wired article, it spells this out in detail.

  • Caddo65

    I’ve read a few articles on it. What I took away was, to borrow a smartphone term, they first “jailbroke” their own Cherokee via the USB port and then accessed it via the network. I didn’t see where they put it back to factory spec and then performed the task completely over the network. Or even better, did it to a Cherokee they had never touched. They list the concept of how they could theoretically do it if specific conditions were met, some requiring the Jeep owner to unwittingly participate. But news stories are pushing this story as if hackers could take control of every Cherokee they see within seconds. Which is not the case at all. At least from my read of the papers.

  • mccwho

    Another reason the JK has earned the name “Just Kidding”.

  • DevilDog58

    This is the depressing part about the wonderful world of technology. I, like most American men, love technology and the way it keeps advancing, giving us information, GPS capabilities, more power, etc. But whenever men build something there are always those who want to destroy it, if for no other reason than to prove they can. Maybe auto manufacturers should hire “hackers” to search for weaknesses in their hardware & software so as to be able to better protect it.

  • Idiot Hater

    Clearly stated by a moron that knows nothing about Jeep Wranglers.

  • L

    Can you F**king read? It was a Cherokee that was hacked, and the Wranglers are not the ones with the problem, only some Cherokees & Grand Cherokees, and it has to do with the 8.4″ Uconnects.

  • L

    Sorry, I don’t trust bad programming or hackers to run things that have to be depended on unless it’s necessary.

  • JJShark

    I remember when I bought my first car with power windows. My father said “Just another electrical gizmo that can go wrong”. Thought he was just being an old grump then. Sometimes now I’m not so sure haha

  • KSDroid01

    Actually, droog is correct. According to the very detailed Wired article, the hack was accomplished on another person’s Jeep Cherokee, with their knowledge and consent, but without any physical access to the vehicle beforehand or during the hack. All access was via the Cherokee’s Sprint 3g radio connection, which is part of the vehicle’s UConnect system (similar to GM’s OnStar). They were operating from a laptop some distance away from the Jeep. They even talked about how they could “see” the location of other Jeep vehicles as they came into cell range.

    The story was disturbing enough to me that I went to Chrysler’s UConnect website, downloaded the radio software patch to a flash drive, and updated my Grand Cherokee myself via the radio’s USB port.

  • DevilDog58

    Unfortunately, you’re already trusting “bad programming” if you own one of the included vehicles. Law enforcement organizations worldwide already employ former criminals to help them create programs that would prevent said criminals from “breaking” or hacking some systems or committing types of crimes. Re: the movie, “Catch Me If You Can.”

  • KSDroid01

    Actually, droog is correct. They hacked into the Cherokee Uconnect radio system via a Sprint phone hooked up to a laptop 10 miles away. The Cherokee was not owned by the hackers, and they did not have physical access to it before or after the exploit. However, the hack took place with the full notice and cooperation of the owner of the Cherokee.
    And the Wired article mentioned that it wasn’t just this particular vehicle they had access to – they were able to “see” (including location) other Fiat-Chrysler America vehicles (a Ram, etc) at the same time.
    The story was disturbing enough to me that I went to the UConnect website, downloaded the radio firmware patch put out by Jeep, and updated the 8.4 Uconnect radio in my Grand Cherokee via its USB port myself shortly after reading the article.

  • KSDroid01

    Fortunately, the hackers in this case were “white hats” and shared details of what they were doing with Chrysler well in advance of making the story public, early enough that Chrysler had a radio firmware patch available before the story hit the streets.
    I think what this really demonstrates is that although car designers are incredibly capable of implementing connected technologies inside the “black box” boundary of a vehicle, they are woefully unprepared for the realities of security needs when connecting to systems outside that box – they can and should take lessons from manufacturers of phone systems, wifi systems, etc.

  • Caddo65

    Here’s the article from eweek where they described how they did the hack. Note that they used their own Jeep. http://www.eweek.com/security/researchers-demo-how-they-hacked-a-jeep-remotely-black-hat.html