Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Watchdog sparks mass recall, sheds light on ridiculous flaw


Fiat Chrysler's bad week just got even worse: the US National Highway Traffic Safety Administration has recalled 1.4 million of the manufacturer's cars after a dangerous software flaw was revealed just days ago.

Renowned hackers Charlie Miller and Chris Valasek warned on Tuesday of a ridiculous vuln in the computer systems built into Fiat Chrysler cars: the flaw can be exploited by an attacker to wirelessly take control of the engine, brakes and entertainment system.

The cars connect to the internet via Fiat Chrysler's uConnect cellular network, and thus can be accessed and tampered with from miles away by anyone who knows the vehicle's public IP address. No authentication is required. The US network has been attempting to block incoming connections, we're told.

The NHTSA has also been probing whether or not Fiat Chrysler's efforts to patch the vuln were fully effective. The motor giant has produced a software fix for the root cause of the vulnerability – unfortunately, the update has to be manually installed via a USB stick plugged into the car.

"In an effort to mitigate the effects of this security vulnerability, Chrysler has had the wireless service provider close the open cellular connection to the vehicle that provided unauthorized access to the vehicle network," said the NHTSA recall notice.

"This measure may not have been implemented on all vehicles and does not address access by other means that will be remedied by the software update. The manufacturer has not yet provided a notification schedule."

The recall affects five models of Fiat Chrysler's 2013-2015 Ram range, 2014-2015 Jeep Grand Cherokee, Cherokee and Dodge Durango models, this year's Dodge Charger and Dodge Challenger vehicles and any Dodge Viper sold in the past two years.


Other stories you might like

  • It's one thing to have the world in your hands – what are you going to do with it?

    Google won the patent battle against ART+COM, but we were left with little more than a toy

    Column I used to think technology could change the world. Google's vision is different: it just wants you to sort of play with the world. That's fun, but it's not as powerful as it could be.

    Despite the fact that it often gives me a stomach-churning sense of motion sickness, I've been spending quite a bit of time lately fully immersed in Google Earth VR. Pop down inside a major city centre – Sydney, San Francisco or London – and the intense data-gathering work performed by Google's global fleet of scanning vehicles shows up in eye-popping detail.

    Buildings are rendered photorealistically, using the mathematics of photogrammetry to extrude three-dimensional solids from multiple two-dimensional images. Trees resolve across successive passes from childlike lollipops into complex textured forms. Yet what should feel absolutely real seems exactly the opposite – leaving me cold, as though I've stumbled onto a global-scale miniature train set, built by someone with too much time on their hands. What good is it, really?

    Continue reading
  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Continue reading

Biting the hand that feeds IT © 1998–2021