Car firm posts USB stick with patch for wireless hack flaw and recalls another 8,000 cars
Fiat Chrysler has ordered another major recall of some of its vehicles in the United States after more were found to be affected by a serious software vulnerability which could lead to them being attacked by cybercriminals.
The car giant has announced that 7,810 Jeeps are being recalled to apply a software update to vehicles containing certain radios.
The recall affects variants of the 2015 model of Fiat Chrysler Automobiles’ (FCA) Jeep Renegade sports utility vehicle with a 6.5-inch touchscreen, more than half of which FCA says are still in dealer hands.
“The company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration,” the company said in a statement.
But Fiat Chrysler has been criticised after sending out the fix for the issue on a USB stick through the post.
“This is not a good idea,” Pete Bassill, chief executive of UK firm Hedgehog Security, told the BBC. “Now they’re out there, letters like this will be easy to imitate. Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.”
“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in,” said Bassill.
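An added illustration of the check Bassill is asking for, not Fiat Chrysler’s code and not a description of its actual update process: the installer verifies a manufacturer signature over the update under a pinned public key, and refuses versions no newer than the one installed, before applying anything. The key pair, the package layout and the version field are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// Update is a hypothetical package layout: version, image, manufacturer signature.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// digest binds version and image together so neither can be swapped alone.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// Sign models the manufacturer's release step; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, digest(version, image))}
}

// Verify is the installer-side check: signature under the pinned public key,
// then anti-rollback, both before any vehicle software is touched.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Image), u.Sig) {
		return errors.New("rejected: signature does not verify under pinned key")
	}
	if u.Version <= installed {
		return errors.New("rejected: version not newer than installed (rollback)")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	good := Sign(priv, 2, []byte("radio firmware v2 (constructed sample)"))
	tampered := Update{Version: 2, Image: []byte("radio firmware v2 + extra code"), Sig: good.Sig}
	fmt.Println("genuine:", Verify(pub, 1, good), "| tampered:", Verify(pub, 1, tampered))
}
```

A real deployment would pin the public key in the vehicle’s immutable storage and rotate it only through a signed chain, which this example does not model.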
He also warned that if hackers were able to get their hands on the USB stick, they could reverse-engineer it, gain insight into Fiat Chrysler’s update process and discover new exploits.
The problem for Fiat Chrysler began in July, after security researchers Charlie Miller and Chris Valasek revealed that it was possible to wirelessly hack and seize control of a Jeep Cherokee.
The researchers carried out the attack remotely, using the car’s entertainment system, which is connected to the mobile network. According to the Guardian newspaper, the researchers took control of a Jeep and disabled the engine and brakes, and then crashed it into a ditch.
The flaw with the vehicle was serious because the in-car software allowed the researchers to hack critical systems such as the steering, brakes and engine control. Other car hacks, for example, have only penetrated the car’s entertainment systems.
Following that discovery, the car giant recalled 1.4 million vehicles in the United States for a software update.
Last month, American car firm Tesla rushed out a patch after researchers discovered a potentially serious flaw that allowed them to assume control of the vehicle. That hack, however, was only possible because the researchers had access to the inside of the car.
Last year, a group of hackers and security researchers known as “I Am The Cavalry” urged attendees of the Def Con security conference in Las Vegas to sign an open letter encouraging carmakers to improve the security systems of their latest cars.
And in February, BMW confirmed it had patched a serious security flaw that could have allowed hackers to seize control of some of its cars’ systems. That flaw could have allowed hackers to open the doors of 2.2 million Rolls-Royce, Mini and BMW vehicles. It could also have allowed them to access the onboard vehicle computer system, which manages everything from engines and brakes to air conditioning.
Prior to that in September last year, General Motors ramped up its protection from hackers when it hired a watchdog to maintain mobile system security and guide the company into the future.
And in April 2014, security researcher Nitesh Dhanjani warned that weaknesses in the way Tesla lets drivers control their cars could allow someone to easily open the doors.