Fiat Chrysler will recall 1.4 million vehicles in the United States to install software to prevent hackers from gaining remote control of the engine, steering and other systems in what federal officials said was the first such action of its kind.
The announcement on
Friday by FCA US LLC, formerly Chrysler Group LLC, was made days after reports
that cybersecurity researchers used a wireless connection to turn off a Jeep
Cherokee's engine as it drove, increasing concerns about the safety of
Internet-enabled vehicles.
The researchers used Fiat
Chrysler's (FCAU.N) (FCHA.MI) telematics system to break into
a volunteer's Cherokee being driven on the highway and issue commands to the
engine, steering and brakes.
The National Highway Traffic
Safety Administration (NHTSA) said on Friday it would investigate whether FCA's
solution to upgrade software was enough to protect consumers from hackers,
although FCA said in its recall announcement that it was unaware of any
injuries.
A spokesman for NHTSA said that
it was the first recall of vehicles because of concerns about cybersecurity,
and experts said they hoped it would send a shock through the auto industry and
beyond it.
RISKS OF CONNECTIVITY
The risks of increasing connectivity to physical devices
extend far beyond cars and into hospitals and chemical plants and factories,
they said.
"It's a huge problem, and it's an architectural problem
with this Internet-of-Things concept," said Nicholas Weaver, a security
researcher at the nonprofit International Computer Science Institute in
Berkeley, California.
He said that at present there is a divide in terms of design,
in that cars and other products could be accessible from a variety of sources,
such as smartphones, as with the Cherokee, or else can be designed to
communicate only with a single authenticated server.
Products designed to be accessible by a range of means
including smartphones leave a large "attack surface" that is easier
to penetrate. But products that communicate only with a single authenticated
server allow the company that owns the server to compile a raft of information
about the user, increasing privacy concerns, Weaver said.
Ed Skoudis, an expert in securing connected devices, said
the fact that the recall came so soon after publication of the FCA
cybersecurity issue "is a shot across the bow of other IoT manufacturers
that this could cost them a lot of money."
Skoudis said he hoped companies would reconsider what they
spend on security earlier in the design process in order to avoid similar
recalls, lawsuits and the threat of increased regulation.
COMPUTERS ON WHEELS
Automakers have until now sought to play down the threat
that hackers could gain control of a vehicle using a wireless connection. While
hackers had previously demonstrated the ability to tamper with onboard systems
using a physical connection to the car's diagnostic system, the researchers
were able to control the Jeep Cherokee remotely.
U.S.-traded shares of Fiat Chrysler closed 2.5 percent lower
at $15.15 on Friday.
The NHTSA and members of Congress have expressed concern
about the security of Internet-connected vehicle control systems.
Two Democratic Senators introduced a bill on Tuesday that
would direct the NHTSA to develop standards for isolating critical software and
detect hacking as it occurs.
"We have said that cars today are essentially computers
on wheels, and the last thing drivers should have to worry about is some hacker
along for the ride," Fred Upton, the Republican chairman of the House
Energy and Commerce Committee and the committee's ranking Democrat, Frank
Pallone Jr of New Jersey, said in a statement on Friday.
Some carmakers, including BMW (BMWG.DE) and Tesla Motors Inc (TSLA.O), can update car software over
the air, as Apple Inc (AAPL.O) does with its phones. But others
do not, and the Senate bill would not require that.
The recalled vehicles include some of the top-selling FCA
products including the Jeep Grand Cherokee and Cherokee SUVs from model years
2014 and 2015 and 2015 Dodge Challenger sports coupes, among others. (bit.ly/1IrgUR1)
FCA said it would mail a memory stick to affected customers
to upgrade vehicle software and add security. A spokeswoman for FCA said the
USB sticks would be mailed to customers "as soon as possible."
The company also said it had already deployed a fix with its
telecommunications provider to block remote access of the kind the researchers
used.
FCA declined to comment beyond the statement it issued on the
recall. The company did not respond to queries on whether the USB devices to be
mailed to customers are on hand or have to be manufactured.
An NHTSA official said the investigation would also look at
"how quickly they (FCA) are able to complete the recall."
In broad terms, "this is another example of a problem
with an embedded system, some computer that is something that is not really a
computer from a user perspective but is built to make something else
work," said Steven Bellovin, a professor of computer science at Columbia
University. "I suspect we're going to need some kind of regulatory
frameworks."