Fiat Chrysler Recalls 1.4 Million Cars After Software Bug is Revealed

A few days after issuing a patch and reassuring owners that the remote attack on a Jeep, which shut down its transmission and other systems, was not a huge risk, Fiat Chrysler has decided to recall nearly 1.5 million vehicles as a result of the bug exposed in the research.

The recall is the result of research done by Charlie Miller and Chris Valasek that was released this week. The pair spent close to a year working on their project, which resulted in them identifying a vulnerability in the Uconnect computer included in some Fiat Chrysler cars sold in the United States. By exploiting the vulnerability, Miller and Valasek were able to move laterally to a separate chip and eventually issue remote commands to the vehicle to take over many of the Jeep’s systems. They were working on a Jeep that Miller owned.

Fiat Chrysler issued a software update to fix the Uconnect issue a few days before the research was disclosed, but it is now recalling the affected vehicles, which include Jeep Cherokees, Grand Cherokees, Dodge Vipers, Dodge Challengers, and several other models.

“The security of FCA US customers is a top priority, as is retaining their confidence in the Company’s products,” Fiat Chrysler said in a press release, according to CNBC. “Accordingly, FCA US has established a dedicated System Quality Engineering team focused on identifying and implementing best practices for software development and integration.”

Earlier in the week, a company spokesman downplayed the risks of what Miller and Valasek disclosed.

“To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle,” Gualberto Ranieri, senior vice president of communications, said in a blog post.

Valasek said on Twitter Friday that Fiat Chrysler seems to have closed off the attack avenue that he and Miller used to reach the Jeep remotely: the Sprint cellular network connection in the vehicles.

“Looks like I can’t get to [Charlie’s] Jeep from my house via my phone. Good job FCA/Sprint!” Valasek said.

Oddly, the timeline of the vulnerability and fixes provided by Fiat Chrysler to the National Highway Traffic Safety Administration makes no mention of the research by Miller and Valasek, which they shared with the automaker throughout the research process. The timeline confirms that the communication port they used to connect to the remote vehicle has been closed by Sprint.

“Additionally and more importantly, the cellular provider has remotely closed access to the open port on the radio. Successful single market testing was completed on July 22, 2015 with a nationwide rollout conducted on July 23, 2015. For this activity, no customer action is required and no services are interrupted. This action removes the known risk of long-range, remote hacking,” the timeline says.
