The announcement on Friday by FCA US LLC, formerly Chrysler Group
LLC, was made days after reports that cybersecurity researchers used
a wireless connection to turn off a Jeep Cherokee's engine as it
drove, increasing concerns about the safety of Internet-enabled
vehicles.
The researchers used Fiat Chrysler's <FCAU.N> <FCHA.MI> telematics
system to break into a volunteer's Cherokee being driven on the
highway and issue commands to the engine, steering and brakes.
The National Highway Traffic Safety Administration (NHTSA) said on
Friday it would investigate whether FCA's solution to upgrade
software was enough to protect consumers from hackers, although FCA
said in its recall announcement that it was unaware of any injuries.
A spokesman for NHTSA said that it was the first recall of vehicles
because of concerns about cybersecurity, and experts said they hoped
it would send a shock through the auto industry and beyond it.
RISKS OF CONNECTIVITY
The risks of increasing connectivity to physical devices extend far
beyond cars and into hospitals and chemical plants and factories,
they said.
"It's a huge problem, and it's an architectural problem with this
Internet-of-Things concept," said Nicholas Weaver, a security
researcher at the nonprofit International Computer Science Institute
in Berkeley, California.
He said that at present there is a divide in terms of design, in
that cars and other products could be accessible from a variety of
sources, such as smartphones, as with the Cherokee, or else can be
designed to communicate only with a single authenticated server.
Products designed to be accessible by a range of means including
smartphones leave a large "attack surface" that is easier to
penetrate. But products that communicate only with a single
authenticated server allow the company that owns the server to
compile a raft of information about the user, increasing privacy
concerns, Weaver said.
Ed Skoudis, an expert in securing connected devices, said the fact
that the recall came so soon after publication of the FCA
cybersecurity issue "is a shot across the bow of other IoT
manufacturers that this could cost them a lot of money."
Skoudis said he hoped companies would reconsider what they spend on
security earlier in the design process in order to avoid similar
recalls, lawsuits and the threat of increased regulation.
COMPUTERS ON WHEELS
Automakers have until now sought to play down the threat that
hackers could gain control of a vehicle using a wireless connection.
While hackers had previously demonstrated the ability to tamper with
onboard systems using a physical connection to the car's diagnostic
system, the researchers were able to control the Jeep Cherokee
remotely.
U.S.-traded shares of Fiat Chrysler closed 2.5 percent lower at
$15.15 on Friday.
The NHTSA and members of Congress have expressed concern about the
security of Internet-connected vehicle control systems.
Two Democratic Senators introduced a bill on Tuesday that would
direct the NHTSA to develop standards for isolating critical
software and detect hacking as it occurs.
"We have said that cars today are essentially computers on wheels,
and the last thing drivers should have to worry about is some hacker
along for the ride," Fred Upton, the Republican chairman of the
House Energy and Commerce Committee and the committee's ranking
Democrat, Frank Pallone Jr of New Jersey, said in a statement on
Friday.
Some carmakers, including BMW <BMWG.DE> and Tesla Motors Inc
<TSLA.O>, can update car software over the air, as Apple Inc
<AAPL.O> does with its phones. But others do not, and the Senate
bill would not require that.
The recalled vehicles include some of the top-selling FCA products
including the Jeep Grand Cherokee and Cherokee SUVs from model years
2014 and 2015 and 2015 Dodge Challenger sports coupes, among others.
(http://bit.ly/1IrgUR1)
FCA said it would mail a memory stick to affected customers to
upgrade vehicle software and add security. A spokeswoman for FCA
said the USB sticks would be mailed to customers "as soon as
possible."
The company also said it had already deployed a fix with its
telecommunications provider to block remote access of the kind the
researchers used.
FCA declined to comment beyond the statement it issued on the
recall. The company did not respond to queries on whether the USB
devices to be mailed to customers are on hand or have to be
manufactured.
An NHTSA official said the investigation would also look at "how
quickly they (FCA) are able to complete the recall."
In broad terms, "this is another example of a problem with an
embedded system, some computer that is something that is not really
a computer from a user perspective but is built to make something
else work," said Steven Bellovin, a professor of computer science at
Columbia University. "I suspect we're going to need some kind of
regulatory frameworks."
(Reporting by Joseph Menn in San Francisco, Bernie Woodall and Joe
White in Detroit, David Morgan in Washington, and Abinaya
Vijayaraghavan and Sweta Singh in Bengaluru; Editing by Grant McCool
and Matthew Lewis)
[© 2015 Thomson Reuters. All rights
reserved.]
Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.