A 2014 Jeep Cherokee. Credit: FCA US LLC
Fiat Chrysler last week quietly issued a software patch for critical security vulnerabilities related to its Uconnect vehicle-connectivity system. The vulnerabilities were dramatically detailed in a Wired story that was posted earlier today (July 21).
In the Wired piece, two “white hat” hackers remotely connected to a Jeep Cherokee as a reporter drove it down a Missouri freeway. They made the radio blast at full volume and turned on the windshield wipers, but also cut off the transmission as a truck approached and, later, disconnected the brakes, sending the Cherokee into a ditch.
Owners of 2013, 2014 and 2015 models of Chrysler vehicles can download the new software update onto a USB stick, which then can be plugged into the car. Chrysler dealers will also install the update for free.
It took hackers Charlie Miller and Chris Valasek nearly a year to discover and exploit the Uconnect flaw, and they plan to provide more details about it at next month’s Black Hat security conference in Las Vegas. The flaw let them remotely install a malicious firmware update that gave them control of the vehicle.
Perhaps even more frighteningly, the pair found that any phone on the Sprint cellular network could be used to find and track any vehicle using Uconnect, anywhere in the country. Wired reporter Andy Greenberg watched Miller track a Dodge Ram in Texas, a Jeep Cherokee in California and a Dodge Durango in Michigan.
“When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek told Wired. “That’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”
In a tweet this morning, Miller said he and Valasek had notified Chrysler of the flaw in October. Wired has posted a video of them hijacking the Cherokee as Greenberg drives.
Owners of recent-year Chrysler vehicles should go to http://www.driveuconnect.com/software-update/ to type in their vehicle identification number (VIN) and see whether their vehicle needs the update. From there, the site will provide instructions on how to download and install the software patch.