FCA "Uconnect" System Vulnerable to Hackers

Vulnerability Discovered in FCA Uconnect System

Published July 24th, 2015

Independent researchers have identified and exploited a vulnerability in FCA’s Uconnect system, featured in hundreds of thousands of 2013 to 2015 model year Dodge, Ram, Jeep, and Chrysler vehicles. Once the vehicle was hacked, the researchers were able to obtain nearly limitless control, essentially allowing them to overwrite the driver’s commands. The vulnerability stems from Uconnect’s use of Sprint’s cellular network, thereby allowing someone to remotely take control of an Uconnect equipped vehicle from potentially anywhere in the world with only the vehicle’s IP address.

Hackers were able to control vehicle acceleration, disable the brakes, and even steer a hacked vehicle from the privacy of their own home. This is not the first example of vehicle hacking – researchers have proven that many modern vehicles from various manufacturers can be exploited and controlled from a computer. However, this is the first example of a vehicle being exploited from a distant, remote location.

Fiat Chrysler Automobiles’ (FCA) initial response was the release of a technical service bulletin (TSB) announced July 16th, 2015. The TSB introduced a software update designed to offer customers “improved vehicle electronic security and communications system enhancements”.

It didn’t take long for the severity of the situation to escalate, as FCA later announced on July 24th, 2015 that they would conduct a voluntary safety recall regarding the manner. The recall allows customers to obtain a software update by either visiting a FCA dealership or requesting a USB device loaded with the updates. The updated software is said to patch the vulnerability of the Uconnect system and provide additional security features.

In total, FCA approximates that 1.4 million vehicles equipped with the Uconnect system are affected. This includes Ram pickups for the 2013 - 2015 model years (Ram 1500/2500/3500/4500/5500) and Jeep Cherokee/Grand Cherokee SUV’s from 2014 and 2015 model years. Owners of affected vehicles are urged to contact their local FCA dealership with any concerns.

The independent researchers who hacked the Uconnect system appear to have done so without malicious intent, although they have expressed plans to publicly reveal the technical details of the exploit.

 

Source: Fiat Chrysler Automobiles