
1 - 6 of 6 Posts

Super Moderator
23,434 Posts
Discussion Starter #1
Jeep hack a red flag for industry


Fiat Chrysler Automobiles NV is vehemently opposed to hackers’ plans to reveal how they were able to wirelessly hijack a Jeep Cherokee — and potentially hundreds of thousands of other Fiat Chrysler vehicles.

The apparent breakthrough is a major security issue not only for Fiat Chrysler, but all automakers.

Car hacking has been demonstrated in controlled simulations in recent years -- mostly when hackers are physically plugged into the vehicle’s hardware. But security researchers Chris Valasek and Charlie Miller recently remotely hacked into a 2014 Jeep Cherokee in a real-world test that included disabling the SUV’s engine functions and controlling interior features such as air conditioning, locks and the radio.

The hack was detailed in an article published Tuesday by Wired magazine. It was written by Andy Greenberg, who volunteered as a “digital crash-test dummy” to drive the hacked Cherokee on a Missouri highway.

“Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes and transmission, all from a laptop that may be across the country,” Greenberg wrote.

He reported that Miller, a former National Security Agency hacker, and Valasek, director of vehicle security research at the IOActive consultancy, have been sharing their research with Fiat Chrysler for nearly nine months, enabling the company to quietly release a fix ahead of the Black Hat security conference next month in Las Vegas. They plan to release redacted, yet detailed, information at that event.

Neither Miller nor Valasek could be reached by The Detroit News for comment.

Fiat Chrysler confirmed the company “has been in communications” with the hackers for the past several months, but declined to go into detail about the conversations. The company, which said it has fixed the security flaw, is adamantly against the hackers sharing their information with others.

“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” Fiat Chrysler said in a statement to The News on Tuesday.

Valasek, in an online video, said they want to release the information “because more people like us need to be focused on this problem.”

The men reportedly manipulated the vehicle through a vulnerability in a chip that provides a wireless and a cellular network connection. That opened the door to another component for the vehicle’s Uconnect infotainment system that allowed them to rewrite the car’s firmware and send commands through the car’s internal computer network.

They only tested their full set of physical hacks on a Jeep Cherokee, but “they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit,” according to the article.

“Of course we didn’t actually attack any vehicles except our own, cause we’re good guys,” Miller tweeted Tuesday.

Miller estimated as many as 471,000 vehicles with vulnerable Uconnect systems are on the road, according to Wired. Fiat Chrysler would not confirm this number.

Lawmakers poised to act

Concerns about vehicle cybersecurity and use of data collected by cars have caught the attention of lawmakers. Democrat Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., on Tuesday unveiled legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure cars and protect drivers’ privacy.

The legislation was first sparked when Markey took note of Miller and Valasek’s work in 2013, according to Wired.

Last week, many major automakers announced an Auto Information Sharing and Analysis Center that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threats and potential vulnerabilities in motor vehicle electronics or in-vehicle networks.

NHTSA Administrator Mark Rosekind said Tuesday in Ypsilanti that the agency doesn’t want to hinder new technologies, but emphasized the importance of security and privacy.

“We must reassure vehicle owners that their data is secure, that their vehicle is secure and that we are looking out for threats from hackers, thieves and anyone else that might seek to tamper with safety critical technology,” he said in a speech at Automated Vehicles Symposium 2015. “Cybersecurity and privacy must be high-priority items for the industry and for NHTSA.”

NHTSA on Tuesday also released a document outlining the agency’s privacy and cybersecurity efforts. “We’re not just aware of these threats, we’re working to defeat them,” Rosekind said. “We want Americans to know that we’re on it.”

Security breach fix

Fiat Chrysler earlier this month released a software update that it says fixes the security breach.

“Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems,” the company said.

Customers can either download and install this particular update themselves, or their dealer can complete the one-time update at no cost to customers. They can check if their vehicle needs an update and download the patch at Uconnect® Software Update - Update your Uconnect® System. Those with questions can call (877) 855-8400.

While Uconnect was singled out in the article, experts argue practically any modern vehicle could be vulnerable — a major concern, as automakers produce millions of connected cars with Internet capabilities.

“It is something that automakers have to worry about as they open up their vehicle to being connected to the Internet and cellular networks,” said Senior Consumer Advice Editor and tech expert Ron Montoya. “It does introduce a vulnerability to the vehicle. It’s something consumers should be aware of, but I don’t think it’s something most people should worry about.”

Montoya said Miller and Valasek, who aren’t the first to crack into a car’s systems over the Internet, are two experienced, renowned hackers and the “chances are very thin” that a mass takeover by hackers could occur.

CBS News’ “60 Minutes” earlier this year aired a segment showing how vehicles can be subjects of remote hacking. In January, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have their doors remotely opened by hackers.


Super Moderator
23,434 Posts
Discussion Starter #2
Chrysler's UConnect Can Be Hacked, Disabling Vehicles

Chrysler vehicles with Uconnect systems built in late 2013, all of 2014, and early 2015 are at risk of this attack.
Hackers Remotely Kill a Jeep on the Highway—With Me in It

Published on Jul 21, 2015

Two hackers have developed a tool that can hijack a Jeep over the internet. WIRED senior writer Andy Greenberg takes the SUV for a spin on the highway while the hackers attack it from miles away.

Super Moderator
23,434 Posts
Discussion Starter #3
2015 Technical Service Bulletin

FCA US LLC Releases Software Update to Improve Vehicle Electronic Security and Communications System Enhancements

July 16, 2015, Auburn Hills, Mich. -

The security and confidence of our customers is important. As part of its ongoing software security and quality efforts, FCA has an Embedded System Quality Engineering team dedicated to identifying and implementing software best practices across FCA globally. The team’s responsibilities include development and implementation of cybersecurity standards for all vehicle content, including on-board and remote services. A number of best practices, procedures, standards, and policies govern FCA’s cybersecurity program. Generally, there are many tools and techniques that are utilized throughout the vehicle lifecycle.

Today, this group at FCA released a Technical Service Bulletin (TSB) for a software update that offers customers improved vehicle electronic security and communications system enhancements.

Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems. Today’s software security update, provided at no cost to customers, also includes Uconnect improvements introduced in the 2015 model year designed to enhance customer convenience and enjoyment of their vehicle. Customers can either download and install this particular update themselves or, if preferred, their dealer can complete this one-time update at no cost to customers.

Customers with questions may call Vehicle Care at 1-877-855-8400.

Super Moderator
23,434 Posts
Discussion Starter #4

Uconnect | July 22 2015
Unhacking the Hacked Jeep

We read about “hacks” every day. All industries are potential targets of a hacker and the automotive industry has been no exception.

Well-known hackers Charlie Miller and Chris Valasek recently teamed up with a WIRED reporter to publish a story that you may have read about or seen on the news. The story highlights how Miller and Valasek hacked into Miller’s 2014 Jeep Cherokee and remotely controlled some functions. Miller and Valasek have been working on intentionally hacking into Miller’s vehicle over the past year as part of their ongoing research in the area of automotive cybersecurity and have communicated with FCA about some aspects of their work.

To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle.

After becoming aware of the vulnerabilities in some 2013 and 2014 vehicles equipped with the 8.4 inch touchscreen systems, FCA and several suppliers worked to fix the vulnerabilities in model year 2015 vehicles. FCA also created a software update that eliminates the vulnerabilities uncovered by Miller and Valasek in their laboratory tests. This software update is available to customers right now and can be downloaded to a USB drive from Uconnect® Software Update - Update your Uconnect® System and installed in a vehicle.

FCA will be contacting potentially affected customers with these details and has provided the software update to the FCA US dealer network for immediate customer installation.

Customers can enter a vehicle identification number (VIN) and find out if their vehicle needs the software update. If your vehicle needs the update, you can download the software update to a USB drive and install it yourself. Another option is to make an appointment with your FCA US dealership and have them install it for you at no charge. The update, if installed DIY, will take 30-45 minutes, and your vehicle needs to be parked throughout the software update/installation process.

In addition, FCA US has been working with its suppliers to implement additional protocols to block remote access. These changes will not require any action by our customers.

The vehicles listed below that have an 8.4-inch touchscreen radio system need this software update:

2013-2014 Ram 1500 Pickup
2013-2014 Ram 3500 Cab Chassis
2013-2014 Ram 2500 Pickup
2013-2014 Ram 4500/5500 Cab Chassis
2013-2014 Ram 3500 Pickup
2014 Grand Cherokee
2014 Durango
2013-2014 Viper
2014 Cherokee
Some 2015 Chrysler 200s

For any questions regarding how to complete the software update please call our Customer Care Center at 1-877-855-8400.

Super Moderator
23,434 Posts
Discussion Starter #5
Recall Alert: 1,400,000 U.S. vehicles

Statement: Software Update

July 24, 2015, Auburn Hills, Mich. -

FCA US LLC is conducting a voluntary safety recall to update software in approximately 1,400,000 U.S. vehicles equipped with certain radios.

The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action.

Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015.

The Company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration.

Affected are certain vehicles equipped with 8.4-inch touchscreens among the following populations:

2013-2015 MY Dodge Viper specialty vehicles
2013-2015 Ram 1500, 2500 and 3500 pickups
2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
2014-2015 Jeep Grand Cherokee and Cherokee SUVs
2014-2015 Dodge Durango SUVs
2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
2015 Dodge Challenger sports coupes

Customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which provides additional security features independent of the network-level measures. Alternately, customers may visit to input their Vehicle Identification Numbers (VINs) and determine if their vehicles are included in the recall.

The security of FCA US customers is a top priority, as is retaining their confidence in the Company’s products. Accordingly, FCA US has established a dedicated System Quality Engineering team focused on identifying and implementing best practices for software development and integration.

The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.

No defect has been found. FCA US is conducting this campaign out of an abundance of caution.

Customers are urged to acquire the software update. Those with questions or concerns may call the FCA US Customer Care Center at 1-800-853-1403.

Super Moderator
23,434 Posts
Discussion Starter #6
FBI Issues Public Warning on Car Hacking


Mar 21, 2016

The Federal Bureau of Investigation (FBI) has issued a public service announcement about the dangers of cyber security threats in our vehicles.

The organization is trying to bring awareness to vehicle hacking to help consumers and manufacturers avoid it in the future. Thanks to the connectivity of new vehicles, the FBI says that the risk of a hacker stealing data from or remotely manipulating vehicle functionality is more of a likelihood.

Connections to a vehicle can be made through Bluetooth, WiFi or a USB port, cautions the FBI.

The service announcement points to the case of the 2014 Jeep Cherokee that was hacked into last year by a team of researchers. Using the radio module’s wireless communication connection, the hackers were able to shut down the engine, disable the brakes and control the steering at low speeds between five and 10 mph. At any speed, they could control the door locks, turn signals, tachometer, radio and HVAC controls.

Attacks made on the vehicle using WiFi had to be done within 100 feet, but the hackers were also able to access the vehicle using a cellular connection, which can be done from anywhere within the cellular carrier's network.

The FBI breaks down four different ways that consumers can help to minimize cyber security risks: ensuring your software is up to date, using caution when modifying vehicle software, maintaining awareness when third party devices are hooked to your vehicle and awareness over who has physical access to your vehicle.

The FBI says that the National Highway Traffic Safety Administration is working towards improving cyber security of vehicles in the U.S., while automakers have established an information control center to provide a trustworthy way to exchange cyber security information.