Jeep owners urged to update cars

Security boffins are urging owners of Fiat Chrysler Automobiles (FCA) cars to update their on-board software after hackers were able to take control of a Jeep and disable the engine and brakes before crashing it into a ditch.

A flaw in FCA’s security for its Uconnect internet-enabled software allows hackers to remotely access the car’s systems and then control it. Unlike other cyber attacks on cars where only the entertainment system is vulnerable, the Uconnect hack affects driving systems from the GPS and windscreen wipers to the steering, brakes and engine control.

The Uconnect system is installed in hundreds of thousands of cars made by the FCA group since late 2013 and allows owners to remotely start the car, unlock doors and flash the headlights using an app.

The hack was demonstrated by Charlie Miller and Chris Valasek, two security researchers who in the past have revealed vulnerabilities in the security of the Toyota Prius and a Ford Escape. By using only a laptop and a mobile, they were able to take control of a Jeep Cherokee while reporter Andy Greenberg was driving, demonstrating their ability to control it before making it crash into a ditch.

Security researchers notified Fiat Chrysler nine months ago, allowing the car manufacturer to release a security update to fix the problem, which it did on 16 July. However the update requires users to manually update their cars by visiting the manufacturer’s site, downloading a programme on to a flash drive and inserting it into the car’s USB socket. FCA dealers can update the car for owners, but the company is apparently unable to automatically update the cars over the internet.

Independent security expert Graham Cluley said, ‘Note that the researchers believe that, although they’ve only tested it out on Jeeps, the attacks could be tweaked to work on any Chrysler car with a vulnerable Uconnect head unit. You should consider installing a security update that Jeep has issued for cars fitted with a model RA3 or model RA4 radio/navigation system.’

It is unclear whether the vulnerability within the Uconnect system only affects cars in the US, or just certain models. A FCA spokesperson commented saying, ‘Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.’

They continued, ‘FCA released a software update that offers customers improved vehicle electronic security and communications system enhancements. The Company monitors and tests the information systems of all of its products to identify and eliminate vulnerabilities in the ordinary course of business. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.’