Just days after issuing a patch and reassuring car owners that the hacking attack that shut down the transmission, brakes, steering and other systems on a Jeep was not a risk, Fiat Chrysler has decided to recall some 1.4 million cars exposed to the terrifying vulnerability.
Chrysler’s recall is a direct result of research done by Charlie Miller and Chris Valasek, the duo known for their expert car hacking skills. The two have spent the better part of a year working on their latest project, which resulted in them successfully identifying a vulnerability in the cars’ Uconnect computer, a “connected car” system included in a number of Chrysler cars sold across the United States.
When exploiting the vulnerability, Miller and Valasek were able to issue remote commands to the Jeep, such as cutting the brakes, steering and gas and locking the doors, among numerous other horrifying tasks.
Amid the news, Chrysler went ahead and issued a software update patching the glaring Uconnect vulnerability just a few days prior to the research disclosure. However, days after the report, Chrysler has begun recalling affected vehicle models, including Jeep Cherokees, Grand Cherokees, Dodge Vipers and Dodge Challengers, among several other car models.
“The security of FCA US customers is a top priority, as is retaining their confidence in the Company’s products,” Chrysler said in a press release. “Accordingly, FCA US has established a dedicated System Quality Engineering team focused on identifying and implementing best practices for software development and integration.”
Just a week earlier, a company spokesperson downplayed the risk of the vulnerability that both Miller and Valasek uncovered.
“To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle,” said Gualberto Ranieri, the senior vice president of communications.
Even after Chrysler patched the flaw and Valasek confirmed so on Twitter, the timeline of the vulnerability and patches that Fiat Chrysler provided to the National Highway Traffic Administrator nowhere mentions any research done by Miller or Valasek, data which they shared with the company prior to the disclosure. However, the timeline does confirm that the communication port Valasek used to remotely hijack the car has been patched by Sprint.
“Additionally and more importantly, the cellular provider has remotely closed access to the open port on the radio. Successful single market testing was completed on July 22, 2015 with a nationwide rollout conducted on July 23, 2015. For this activity, no customer action is required and no services are interrupted. This action removes the known risk of long-range, remote hacking,” the timeline concluded.