By Bernie Woodall & Joseph Menn
DETROIT/SAN FRANCISCO (Reuters) – Fiat Chrysler will recall 1.4 million vehicles in the United States to install software to prevent hackers from gaining remote control of the engine, steering & other systems in what federal officials said was the first such action of its kind.
The announcement on Friday by FCA US LLC, formerly Chrysler Group LLC, was made days after reports that cybersecurity researchers used a wireless connection to turn off a Jeep Cherokee's engine as it drove, increasing concerns approximately the safety of Internet-enabled vehicles.
p> The researchers used Fiat Chrysler's telematics system to break into a volunteer's Cherokee being driven on the highway & issue commands to the engine, steering & brakes.
The National Highway Traffic Safety Administration (NHTSA) said on Friday it would investigate whether FCA's solution to upgrade software was enough to protect consumers from hackers, although FCA said in its recall announcement that it was unaware of any injuries.
A spokesman for NHTSA said that it was the first recall of vehicles because of concerns approximately cybersecurity, & experts said they hoped it would send a shock through the auto industry & beyond it.
RISKS OF CONNECTIVITY
The risks of increasing connectivity to physical devices extend far beyond cars & into hospitals & chemical plants & factories, they said.
"It's a huge problem, & it's an architectural problem with this Internet-of-Things concept," said Nicholas Weaver, a security researcher at the nonprofit International Computer Science Institute in Berkeley, California.
He said that at present there is a divide in terms of design, in that cars & other products could be accessible from a variety of sources, such as smartphones, as with the Cherokee, or else can be designed to communicate only with a single authenticated server.
Fiat Chrysler Chief Executive Sergio Marchionne gives opening remarks during the FCA Investors Day a …
Products designed to be accessible by a range of means including smartphones leave a large "attack surface" that is easier to penetrate. But products that communicate only with a single authenticated server allow the company that owns the server to compile a raft of information approximately the user, increasing privacy concerns, Weaver said.
Ed Skoudis, an expert in securing connected devices, said the fact that the recall came so shortly after publication of the FCA cybersecurity issue "is a shot across the bow of other IoT manufacturers that this could cost them a lot of money."
Skoudis said he hoped companies would reconsider what they spend on security earlier in the design process in order to avoid similar recalls, lawsuits & the threat of increased regulation.
COMPUTERS ON WHEELS
Automakers have until now sought to play down the threat that hackers could gain control of a vehicle using a wireless connection. While hackers had previously demonstrated the ability to tamper with onboard systems using a physical connection to the car's diagnostic system, the researchers were able to control the Jeep Cherokee remotely.
U.S.-traded shares of Fiat Chrysler closed 2.5 percent lower at $15.15 on Friday.
The NHTSA & members of Congress have expressed concern approximately the security of Internet-connected vehicle control systems.
Two Democratic Senators introduced a bill on Tuesday that would direct the NHTSA to develop standards for isolating critical software & detect hacking as it occurs.
"We have said that cars today are essentially computers on wheels, & the last thing drivers should have to worry approximately is some hacker along for the ride," Fred Upton, the Republican chairman of the House Energy & Commerce Committee & the committee's ranking Democrat, Frank Pallone Jr of New Jersey, said in a statement on Friday.
Some carmarkers, including BMW & Tesla Motors Inc , can update car software over the air, as Apple Inc does with its phones. But others do not, & the Senate bill would not require that.
The recalled vehicles include some of the top-selling FCA products including the Jeep Grand Cherokee & Cherokee SUVs from model years 2014 & 2015 & 2015 Dodge Challenger sports coupes, among others. (http://bit.ly/1IrgUR1)
FCA said it would mail a memory stick to affected customers to upgrade vehicle software & add security. A spokeswoman for FCA said the USB sticks would be mailed to customers "as shortly as possible."
The company moreover said it had already deployed a fix with its telecommunications provider to block remote access of the kind the researchers used.
FCA declined to comment beyond the statement it issued on the recall. The company did not respond to queries on whether the USB devices to be mailed to customers are on hand or have to be manufactured.
An NHTSA official said the investigation would moreover look at "how quickly they (FCA) are able to complete the recall."
In broad terms, "this is another example of a problem with an embedded system, some computer that is something that is not really a computer from a user perspective yet is built to make something else work," said Steven Bellovin, a professor of computer science at Columbia University. "I suspect we're going to need some kind of regulatory frameworks."
(Reporting by Joseph Menn in San Francisco, Bernie Woodall & Joe White in Detroit, David Morgan in Washington, & Abinaya Vijayaraghavan & Sweta Singh in Bengaluru; Editing by Grant McCool & Matthew Lewis)
Fiat ChryslerFCA US LLC