Car hacking: more product recalls in the future, says security expert

1:25 pm, July 27, 2015

FIAT Chrysler is to recall 1.4 million vehicles in America after a researcher hacked into a Jeep Cherokee and took control away from the driver.

Last week, it was widely reported that tech magazine Wired had hacked into the Cherokee’s internet-connected entertainment system, and then driven the car into a ditch.

Chrysler is now recalling the affected models to update the software. The company criticised the magazine, saying hacking its vehicles was a ‘criminal action’.

But today Tim Erlin, director of security and product management at Tripwire, said this wouldn’t be the last manufacturer recall for a software update.

He said: ‘Software patches for vehicles aren’t new, but the demonstration of this vulnerability was clearly attention grabbing.

‘The risks of the connected car lie in the ability to affect the operations of the vehicle from the outside world. The good news is that secure software development isn’t a novel concept. There are known best practices that can be applied to automotive software. Fiat Chrysler has an opportunity to use this incident to pioneer software security for the automotive industry.

‘A recall has very real, material costs for a manufacturer. Experiencing an urgent recall for a security patch to the vehicle’s software is likely to drive changes around how software is updated for all manufacturers. While new update methods can be built into new vehicles, there are millions of cars already on the road to consider as well.

‘The security of vehicle software is now a safety issue, and manufacturers will need to adapt to treat it as such. This won’t be the last patch we see for a car near you.’

Magazine security researchers Charlie Miller and Chris Valasek have spent years investigating car control systems and developing ways to subvert them. Shortly after the recall was announced, Mr Miller tweeted: ‘I wonder what is cheaper, designing secure cars or doing recalls?’

Fiat Chrysler said exploiting the flaw ‘required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code’.

The affected vehicles are:

  • 2013-2015 MY Dodge Viper specialty vehicles
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

A spokesman for Fiat Chrysler confirmed no vehicles sold in the UK were affected.

It was also reported in the UK this week that it was potentially possible to hack a car’s control systems through its digital radio.

Colin Channon

Colin is a former editor of Car Dealer. He left the magazine in August 2015.
