Incident Response, Network Security, Patch/Configuration Management, TDR, Threat Management, Vulnerability Management

Zero-day in Fiat Chrysler feature allows remote control of vehicles

Fiat Chrysler owners should update their vehicles' software after a pair of security researchers were able to exploit a zero-day vulnerability to remotely control the vehicle's the engine, transmission, wheels and brakes among other systems.

Chris Valasek, director of vehicle security at IOActive, and security researcher Charlie Miller, a member of the company's advisory board, said the vulnerability was found in late 2013 to 2015 models that have the Uconnect feature, according to Wired.  

Anyone who knows who knows the car's IP address may gain access to a vulnerable vehicle through its cellular connection. Attackers can then target a chip in the vehicle's entertainment hardware unit to rewrite its firmware to send commands to internal computer networks controlling physical components.

Miller and Valasek only tested their complete set of hacks on a Jeep Cherokee but are confident they can replicate most of them on other vulnerable vehicles, the Wired report said. The update must be implemented via a USB or by a dealership mechanic. The duo notified Fiat Chrysler who released a notice last week but didn't specify the vulnerability.  

Reports of the zero-day exploit comes as legislators introduced the The Security and Privacy In Your Car or SPY Car Act to establish cybersecurity standards as vehicles become more integrated with technology.  

"Today's cars are increasingly being delivered to market with driver-assist technology such as auto-braking and parking assist," Carl Herberger, a former cybersecurity officer in the U.S. Air Force and currently vice president of security solutions at Radware), said in comments emailed to "Couple this ability to coach and assist with vehicle control with the advanced wi-fi connections and today's drivers are open to remote malicious hacking attempts, allowing hackers to remotely take control of a vehicle."

Referring to what he called "a new frontier for cyber threats," Herberger said consumers must understand the risks. "As the senate prepares to debate these regulations and standards against the auto industry, one thing becomes clear: Your networked vehicle is potentially at risk and it's time something is done about it," he added.

UPDATE: Fiat Chrysler issued a voluntary recall Friday to update the software on nearly 1.4 million Dodge, Chrysler and Jeep vehicles in the U.S. that are vulnerable to remote manipulation. The updates will "block remote access to certain vehicle systems and were fully tested and implemented within the cellular network," according to the release

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.