Fiat Chrysler recalls 1.4 million cars vulnerable to being hacked

WASHINGTON — Fiat Chrysler said Friday it was voluntarily recalling 1.4 million U.S. cars to fix a software defect that could allow the vehicles to be hacked remotely.

This week, security researchers Chris Valasek and Charlie Miller remotely disabled a Jeep Cherokee’s brakes and steering — while the car was on the highway. They took control of the car through Uconnect, the car’s information and entertainment dashboard.

The recall affects Jeep Grand Cherokees, Chrysler sedans, Ram pickup trucks and others. The company stressed that it has not received reports of any injuries or accidents related to what it labeled “the software exploitation.”

Fiat Chrysler also sought to allay fears about the demonstration by Valasek and Miller. “The software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code,” Fiat Chrysler said in a statement.

But security experts say that widespread hacks on cars and other connected devices are destined to come. Many of these products — which are commonly called the “Internet of Things” — carry the same software flaws that have been continually exploited by hackers operating on the World Wide Web.

Cars are vulnerable because of their many computers. Vehicles today talk to the outside world through remote key systems, satellite radios, Bluetooth connections, dashboard Internet links and even wireless tire-pressure monitors. Security experts call these systems “attack surfaces,” meaning places where intrusions can start.

Infotainment systems are particularly good attack surfaces because modern versions often use a driver’s smartphone to connect directly to the Internet — or such systems connect to the Internet directly through cellular signals. What is meant to provide drivers convenient access to apps and services also opens the door to hackers.

Researchers and some members of Congress have long warned that connectivity could create new risks for consumers. In a report released in February, Sen. Edward Markey, D-Mass., found that nearly all cars on the market “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”

But while wireless technology is frequently cited as a potential source of problems — it’s also thought of by some experts as a way to help fix them. Secure over-the-air updates could help ease the process of fixing security flaws once they are discovered, said Josh Corman, the founder of I Am The Cavalry — a group that has urged vehicle manufacturers to adopt a five-star-style rating system for security best practices, akin to the ratings for traditional vehicle safety.

“Once a disclosure happens there is essentially a footrace between hackers and when the defenders can fix things,” he said. Fiat’s recall will require that customers manually update their vehicles using a USB stick that they can install through a port in the vehicle’s dashboard, rather than actually having to take their vehicles to a dealer. The upgrade will provide additional security features to the network level-measures the company has already rolled out in response to the demonstration.

While Fiat Chrysler’s recall is notable because it appears to be a result of the publicly demonstrated exploit, software problems have increasingly become the source of recalls as computer systems have taken over more vehicles. Just last week, Toyota recalled 625,000 hybrid cars to fix a problem that could shut down their hybrid systems while the car was being driven.

The Fiat Chrysler recalls include:

2013 through 2015 model Dodge Vipers

2013 through 2015 Ram 1500, 2500 and 3500 model pickup trucks

2013 through 2015 Ram Chassis Cabs

2014 through 2015 Jeep Grand Cherokees and Grand Cherokee SUVs

2014 through 2015 model Dodge Durango SUVs

215 model Chrysler 200, Chrysler 300 and Dodge Charger sedans

2015 model Dodge Challenger sports coupes