Fiat Chrysler Automobiles NV waited 18 months to tell federal safety regulators about a security flaw in radios being installed in more than a million vehicles that hackers exploited in July to seize control of a Jeep.
The automaker says it was working on a fix, and didn’t consider the problem a safety defect. The National Highway Traffic Safety Administration saw otherwise. Eight days after being notified by the company, the agency pushed Fiat Chrysler to recall 1.4 million cars and trucks — the first auto recall prompted by cybersecurity concerns.
The episode came just days before Fiat Chrysler agreed to a record $105 million penalty to settle complaints about its recall performance on other issues, including malfunctioning air-bags. NHTSA faces its own criticism for failing to promptly get unsafe vehicles off the streets.
Cybersecurity threats present a new dimension to the problem, one that critics say demands an even faster response to keep hackers from worming their way into vehicles and causing havoc. A Senate report in 2014 concluded that only two of 16 automakers had the ability to detect and respond to a hacking attack.
“We want to make sure the automakers and regulators stay ahead of this,” said Mark Rechtin, autos editor for Consumer Reports. While there have been no reports of hackers being able to access random cars, “once it happens, and it happens badly, no one will be able to trust their cars,” Rechtin said.
The researchers who took control of a Jeep detailed their exploit at the Black Hat cybersecurity conference in Las Vegas on Wednesday. Another hacker said he will reveal vulnerabilities with General Motors’ OnStar navigation system mobile app on Friday. And there’s been a rise in auto thefts using key-cloning systems for electronic fobs.
Charlie Miller and Chris Valasek, the hackers, used their laptops to take over a Jeep Cherokee driven by a reporter for Wired magazine. The two say they were able to access the SUV’s electronic control units, cutting out engine power as it drove on a Missouri freeway.
Fiat Chrysler says there was a dramatic difference between what was known about their cybersecurity vulnerability in January 2014, when the company-supplied timeline to regulators begins, and July, when the hackers showed they could take control of a Jeep’s driving functions.
The company’s description of events leading up to the July recall says it knew in January 2014 that radio communications ports had been left open unintentionally, allowing them to “listen to and accept commands from unauthenticated sources.” It doesn’t mention the possibility that such access might lead to a hacker taking control of steering, braking or other functions that could cause a car to crash.
Fiat Chrysler said in a statement it advised NHTSA of the security issue “in a reasonable and timely manner.” The company said it’s “conducting a remedial campaign as a safety recall in the interest of protecting its customers” out of “an abundance of caution.”
The company said it contacted NHTSA after the hackers informed Fiat Chrysler of their plan to publicize the security flaw at Black Hat, including information to facilitate unauthorized and unlawful access to the automaker’s vehicles.
“Prior to last month, the precise means of the demonstrated manipulation was not known,” Fiat Chrysler spokesman Eric Mayne said in an e-mail. The company “opposes irresponsible disclosure of explicit ‘how-to’ information that could help criminals gain unauthorized access to vehicle systems.”
To help focus regulators’ attention on cyberthreats, the U.S. Senate promised the chronically understaffed agency more resources and personnel in a bill passed last week. But the funding is contingent on NHTSA making numerous changes in the wake of a Department of Transportation Inspector General’s report critical of its slow response in recalls with more typical vehicle issues.
On the cyber front, NHTSA has an open audit of the Fiat Chrysler recall to make sure that it includes all potentially affected vehicles and the company’s fix actually works, agency spokesman Gordon Trowbridge said. There’s also an active investigation into Harman International Industries Inc., supplier of the Uconnect communications system used by Fiat Chrysler and several other auto companies.
Another immediate focus is whether other automakers with similar systems have the same vulnerability, Trowbridge said. The agency has been having regular conversations with manufacturers and suppliers on cybersecurity, he said.
Automakers have reached out to NHTSA “to let us know they are aware of the issue and the steps they are taking to assess their own security protections,” Trowbridge said.
The auto industry’s two biggest trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, said July 14 they would form an information-sharing and analysis center by the end of the year to collaborate against emerging cyber threats.
The Fiat Chrysler hacking experiment should serve as “a wake-up call” to automakers to be more proactive in securing software and other systems, or else they’ll face new government regulations mandating security, said Ken Westin, a security analyst with the cybersecurity company Tripwire Inc. based in Portland, Oregon.
Westin is skeptical of government regulation and isn’t convinced that an agency like NHTSA has the resources and expertise to oversee cybersecurity.
Harman needs to let independent researchers test its devices and software, Westin said. Hacking vulnerabilities are often created not because products and software from vendors are insecure, but because of how they are applied and configured in a certain setting, he said.
“A lot of the automakers are going to start demanding independent verification” of software and products, said Westin. “We see this in other areas of security when there’s a breach from a third party.”
The vulnerability exposed in the Jeep hacking incident is unique to Fiat Chrysler, Harman Chief Executive Officer Dinesh Paliwal said in an interview Aug 4. Automakers modify radios and entertainment systems to suit their customers, he said.
“This does not exist, to our assessment, in any other vehicle,” said Paliwal.
A Harman spokesman declined to comment on why it took 18 months to inform regulators about the vulnerability.
Documents Fiat Chrysler filed with NHTSA note that it didn’t consider the software issue, identified by a third party in January 2014, to be a safety defect under U.S. law. Under the Motor Vehicle Safety Act, which governs how and when recalls are conducted, automakers must notify NHTSA within five days of discovering a flaw that presents an unreasonable risk to public safety.
The NHTSA notice of its Harman investigation said that the vulnerability may exist in products it supplies to other companies. Harmon’s website indicates it supplies entertainment systems to BMW AG and as well as the Mercedes-Benz brand of Daimler AG. Both companies said their vehicles were safe.
BMW’s information and entertainment system is separated from the safety-relevant driving system by several gateways that implement firewalls, message filtering and message blocking, the company said in an e-mailed statement.
Mercedes-Benz spokesman Benjamin Oberkersch said the German manufacturer is taking comprehensive measures to protect its cars from hacking attacks. He declined to comment on the Harman investigation.
GM became aware of the researcher’s hack July 29 and had patched its server by the next morning, said OnStar spokesman Stuart Fowle. Later on July 30, OnStar found another way hackers could unlock and start the car if the owner of the car used an iPhone. They fixed the app for the Apple phone that same day, Fowle said.
Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements. The lawmakers released a report in 2014 on gaps in car-security systems, concluding that only two of 16 automakers had the ability to detect and respond to a hacking attack.
Markey said in an interview that congressional hearings into the GM ignition switch and air bags made by Japan’s Takata Corp. showed that understaffed and underfunded regulators are sometimes slow to react.
“This whole issue of computers on wheels is something new,” Markey said. “Based upon what happened over the last several years with Takata and all these other issues, we need to ensure they’ve got the resources.”