Chrysler Recalls 1.4m Vehicles for Remote Hacking Flaw

US auto giant Chrysler is recalling 1.4 million cars after researchers demonstrated that the connected Jeep Cherokee could be hacked via the car’s internal 4G connection.

The company has already issued a patch on its website for drivers, and has pushed an over-the-air update to some vehicles to block unauthorized remote access.

“As best as I can recall, this is the first mass vehicle recall to patch a network security vulnerability, but sadly, I doubt it will be the last,” said Stephen Cobb, senior security researcher with ESET, in an emailed comment. “Like many other manufacturing sectors, the automotive industry appears to have fulfilled the predictions of many security experts and underestimated the challenges of deploying secure systems in today’s challenging operating environment.”

Security researchers Charlie Miller and Chris Valasek recently demonstrated – with an unsuspecting journalist driving 70mph on the freeway – that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering – obviously they didn’t demo that.

The vehicles covered by the recall include the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs.

Cameron Camp, security researcher at ESET, noted that recalls are very rarely effective, and that a patching mechanism would be vastly preferable as a remedy. So, the OTA update is a step in the right direction.

“I have a Jeep Grand Cherokee with a faulty fuel tank, for which there’s a recall, and I've ignored it for years,” he explained. “Even if Fiat Chrysler issues a recall, that’s much less effective than a patch that gets pushed. Think if you had to bring your computer in to have Microsoft install a patch. Sure, they’d pay for it, but the patch rate will be abysmal. The problem is that many automobiles aren’t set up to have an effective patch cycle, so they’ll have some catching up to do, and that’s just on newly sold automobiles.”

However, he acknowledged that we’re in unknown territory when it comes to putting good patching habits into practice.

“People keep computers for a few years, but cars for decades,” Camp said. “So when would an automobile company declare ‘end of life’ for supporting legacy cars that are found to have hackable defects, for which we’ve seen proof-of-concepts that would have millions of potential targets for things like opening the doors and starting them up and driving off?”
