Chrysler has announced a voluntary recall of 1.4 million vehicles just days after Wired reported a frightening vulnerability that allows hackers to remotely seize control of cars equipped with the auto maker's UConnect system. Chrysler has integrated UConnect in its vehicles since late 2013, and security experts initially believed all of those cars could be susceptible to hijacking. A video published alongside the report demonstrated that someone with the right knowledge could cut a car's brakes, turn off the engine, or potentially take over the steering wheel.
Affected are certain vehicles equipped with 8.4-inch touchscreens among the following populations:
- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
Chrysler owners can visit this website and enter their car's VIN to see if it's included in the recall. If so, you don't have to take your car into the dealership — or anywhere, for that matter. Instead, you'll receive the previously released patch on a USB flash drive. Unlike other connected cars like the Tesla Model S, these impacted Chrysler vehicles apparently lack the capability to receive over-the-air security updates. But that doesn't mean the company is helpless. Today Chrysler also revealed that it's taken "network-level security measures to prevent the type of remote manipulation" that was demonstrated by Wired. We don't exactly know what those steps are, but early reports suggest that they're working.
Looks like I can't get to @0xcharlie's Jeep from my house via my phone. Good job FCA/Sprint! — Chris Valasek (@nudehaberdasher), July 24, 2015
"The company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents — independent of the media demonstration." So Chrysler's message is that yes, while the video highlighting the vulnerability was incredibly alarming, no one has actually been hurt as a result of this. Security researchers plan to dive deeper into the issue at next month's Defcon, but have pledged to withhold the details someone would need to target Chrysler owners at scale.
The researchers were able to take over Chrysler vehicles because the auto maker — at least initially — didn't put a firewall between UConnect and vital systems that control the car's transmission, steering, and brakes. UConnect operates over Sprint's cellular network, and that made it easy for them to identify vulnerable drivers. But Chrysler insists it's only taking this step out of "an abundance of caution." In a statement announcing the recall, Chrysler said, "The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code."