A pair of security researchers spent a year writing code that allowed them to hack the software in a Jeep Cherokee and take control of its systems. It was done wirelessly to an unaltered vehicle being driven on the highway by Andy Greenberg, an editor at Wired Magazine. Greenberg was in on the stunt; he knew the vehicle would be hacked but not when or how.
The hackers—who were miles away in a basement—got in through the Sprint cellular internet connection to the Uconnect dashboard computer. They then took partial control of the Cherokee, turning the AC on to blast, turning the radio on and setting the volume to high, activating the windshield washer and wipers, and then shifting the transmission to neutral—causing the vehicle to coast down the road with traffic piling up behind it. Greenberg attempted to regain control of the Jeep’s systems but was unable to do so.
The story Greenberg wrote after the hacking event caused a furor at Fiat Chrysler and the National Highway Traffic Safety Administration (NHTSA), and a recall was issued for 1.4 million vehicles. Except for the Jeep that was driven by Greenberg, there have been no other reported incidents of this kind of hacking of Chrysler vehicles.
Models affected by the recall include 2013-2015 Ram trucks (1500/2500/3500/4500/5500), 2015 Chrysler 200, Chrysler 300, Dodge Charger, and Dodge Challenger, 2014-2015 Jeep Grand Cherokee, Cherokee, and Dodge Durango, and 2013-2015 Dodge Viper vehicles. Chrysler will notify the owners of affected vehicles and has a web page where you can check for recalls by entering the VIN number for your vehicle.
The problem with the Uconnect system can be fixed by updating the software, The work can be performed at the dealer or by vehicle owners willing to download a security patch onto a USB drive and install it themselves—an operation that is said to take 30-45 minutes.
Chrysler’s description of the problem can be found in a chronology posted on the NHTSA website. Among the more interesting tidbits are:
In January 2014, through a penetration test conducted by a third party, FCA US LLC (“FCA US”) identified a potential security vulnerability pertaining to certain vehicles equipped with RA3 or RA4 radios.
A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.
Per VRC direction and as a product improvement action, on July 16, 2015, FCA US released updated software to the field via TSB and direct customer download for all affected vehicles. Once installed, the radio will no longer default to listening and accepting commands from external sources. Additionally, the software update improves firewall rules to deny access by default to the radio.
Additionally and more importantly, the cellular provider has remotely closed access to the open port on the radio. Successful single market testing was completed on July 22, 2015 with a nationwide rollout conducted on July 23, 2015. For this activity, no customer action is required and no services are interrupted. This action removes the known risk of long-range, remote hacking.