Fiat Chrysler Automobiles NV is offering a software patch to close a loophole that let two hackers take control of a moving Jeep sport utility vehicle in an incident spotlighting the vulnerability of connected autos.
The company responded a day after Wired magazine published a story about the software programmers who were able to take over a Jeep Cherokee being driven on a Missouri highway. Fiat Chrysler said in a statement that it’s not aware of any real-world unauthorized remote hack into any of its vehicles.
As autos become rolling smartphones, loaded with streaming music and apps, they open themselves to the viral and criminal threats that target PCs and credit card databases. A since-closed flaw disclosed in January would let hackers open doors on 2.2 million BMW AG vehicles. The programmers who took over the Jeep listed vulnerabilities last year in 19 other models.
“This is a very big wake-up call for the industry that shows they have a weakness,” said Egil Juliussen, director of research for consultant IHS’s automotive technology group. “They are worried about it and thinking about what they need to do. But it will be awhile before cars are safe from a hacking attack.”
On the same day as the Jeep hack article, Senators Edward Markey, a Massachusetts Democrat, and Richard Blumenthal, a Connecticut Democrat, introduced legislation to direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish rules that would secure cars against hackers and protect consumer privacy.
“Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”
The bill would create a rating system to tell consumers how secure their vehicles are beyond any minimum federal requirements. Markey released a report last year on gaps in car security systems, concluding that only two of 16 auto companies had the ability to detect and respond to a hacking attack.
Fiat Chrysler Fix
Fiat Chrysler said Wednesday that “after becoming aware of the vulnerabilities in some 2013 and 2014 vehicles equipped with the 8.4-inch touchscreen systems, FCA and several suppliers worked to fix the vulnerabilities in model year 2015 vehicles.”
The software update patches the hole in the vehicles’ entertainment system. Owners can download the fix to a thumb drive from a Fiat Chrysler website and install it in 30 minutes to 45 minutes or have the update done at a dealership, the company said. The automaker plans to contact customers who may be affected and has distributed the update to dealers.
The models affected include 2013 and 2014 Ram pickups and 2014 Jeep Cherokee and Grand Cherokee SUVs, as well as some 2015 Chrysler 200 cars.
By 2022, 82.5 million autos worldwide will be connected to the Internet, more than three times the 26.5 million connected cars this year, according to IHS. In seven years, 78 percent of the cars sold globally will be connected, up from 30 percent now, the consulting firm said.
The auto industry’s two biggest trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, said on July 14 that they would form an information-sharing and analysis center by the end of the year to collaborate against emerging hacking threats.
Automakers are starting to deploy anti-hacking software, but the defenses are not strong yet, said Juliussen, the IHS research director.
“Four or five years ago, there was nothing” protecting cars from hackers, he said. “Today, the automakers are starting to put things in place, but there’s still a long way to go.”
Cars are not as rich a target as banks and retailers, which have credit card information and Social Security data hackers can use to make money. Because the vehicles lack such personal data, the auto industry probably won’t face a concerted threat yet from hackers, Juliussen said.
“There aren’t many ways to earn money from hacking a car,” he said. “You could wreak havoc with traffic flow or cyber warfare, but that’s not the sort of thing an average hacker would do.”
Automakers for starters need to establish a firewall between a vehicle’s entertainment system and mechanical functions such as the engine and brakes, said Thilo Koslowski, vice president of the auto practice at Gartner Inc. The Jeep hackers got in through the SUV’s Uconnect infotainment system.
The Jeep hack shouldn’t cause consumers or automakers to pull back from connected cars, which will pave the way for safety advancements and self-driving vehicles that will reduce highway deaths, Koslowski said.
“This is not time to take our tinfoil hats out and say we shouldn’t have connected vehicles,” he said. “This an area that needs attention and investment from the auto industry.”