Only Fiat Chrysler cars were vulnerable to hackers, says NHTSA

The federal agency says last summer's recall of 1.4 million Jeep, Chrysler, Dodge and Ram vehicles closed the gap that allowed hackers to remotely take over a Jeep Cherokee.

(AP Photo/Alan Diaz)
Salesperson Jerry Camero, right, delivers a 2016 Jeep Cherokee Limited to a customer at a Fiat Chrysler dealer in Doral, Fla. in November 2015.

Federal safety regulators have determined that only Fiat Chrysler radios have a security flaw that allowed friendly hackers to take control of a Jeep last year.

The National Highway Traffic Safety Administration said in documents posted online Saturday that it's ending a five-month investigation into the vulnerabilities of automotive radios.

The agency also said last summer's recall of 1.4 million Jeep, Chrysler, Dodge and Ram vehicles closed the opening that allowed hackers to remotely take over a Jeep Cherokee.

The hack by security experts Charlie Miller and Chris Valasek touched off the NHTSA investigation in July and raised fears that millions of cars and trucks could be vulnerable. They were able to change the Cherokee's speed and control the brakes, radio, windshield wipers and transmission through the Uconnect infotainment system.

The hackers informed Fiat Chrysler of their findings and detailed them at a cyber conference, triggering the investigation.

But the fear of widespread vulnerability to hackers appears to be unfounded. NHTSA investigators said in documents that similar radios made by Harman International went to Volkswagen, Audi and Bentley, but that those vehicles have safety systems that would stop hackers.

"Based on a thorough review of technical information supplied during the course of this investigation, there does not appear to be a reason to suspect that the infotainment head units Harman supplied to other vehicle manufacturers contain the vulnerabilities identified by FCA," NHTSA said in the documents.

In addition, the agency said Sprint, Fiat Chrysler's wireless provider, blocked access to a radio communications port that was unintentionally left open. The FCA recall also included software changes that thwarted hackers, the agency said.

"Third party security evaluation and regression testing identified vulnerabilities that were either remedied by Sprint or through updates to the FCA Uconnect software," the agency said.

NHTSA also checked 30 consumer complaints to the company and the agency but could not confirm that hackers caused any of the reported problems.

In February 2015, Sen. Edward Markey (D) of Massachusetts said that as automakers load up cars with electronics and wireless technology, they have failed to adequately protect those features against the possibility that hackers could take control of vehicles or steal personal data. He sent a series of questions about the technology to manufacturers, reported The Associated Press.

The responses from 16 manufacturers "reveal there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information," a report by Markey's staff concludes.

Most new cars are also capable of collecting large amounts of data on a vehicle's driving history through an array of pre-installed technologies, including navigation systems, telematics, infotainment, emergency assistance systems and remote disabling devices that allow car dealers to track and disable vehicles whose drivers don't keep up with their payments or that are reported stolen, the report said.

Half the manufacturers said they wirelessly transfer information on driving history from vehicles to another location, often using third-party companies, and most don't describe "an effective means to secure the data," the report said.

Today's cars and light trucks typically contain more than 50 electronic control units — effectively small computers — that are part of a network in the car. At the same time, nearly all new cars on the market today include at least some wireless entry points to these computers, such as tire pressure monitoring systems, Bluetooth, Internet access, keyless entry, remote start, navigation systems, WiFi, anti-theft systems and cellular-telematics, the report said. Only three automakers said they still have some models without wireless entry, but those models are a small and declining share of their fleets.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.