Fiat Chrysler recalls 1.4 million cars due to security flaw

Fiat Chrysler is recalling 1.4 million cars in the United States because of vulnerabilities that security researchers recently found in the onboard system UConnect. The vulnerabilities allow malicious parties to, among other things, turn off the brakes over the internet.

On Friday, Fiat Chrysler is recalling relatively new cars that have 8.4″ touchscreens. These include the Dodge Durango, Dodge Viper, Jeep Cherokee, Jeep Grand Cherokee, Chrysler 200 and Chrysler 300. The affected cars were made at the end of 2013, throughout 2014 and in early 2015.

The recall in the US comes after security researchers reported earlier this week that they found vulnerabilities in the cars’ onboard systems. The researchers discovered that in an American Jeep Cherokee it is possible to switch off the brakes completely, suddenly activate them or switch off the engine at low speeds via UConnect. They could do this via the internet, and therefore without a distance limit.

Fiat Chrysler says it wants to perform a software update to fix the vulnerabilities in UConnect. The software cannot be updated automatically, which is presumably why Fiat Chrysler is recalling the cars. Incidentally, a patch was already released this week for drivers who want to install the software manually using a USB stick. Fiat Chrysler is now also handing out a USB stick to affected owners to make sure the vulnerable software is updated.

The car manufacturer emphasizes that so far there are no known cases where malicious parties have exploited the vulnerabilities. According to Fiat Chrysler, this would require ‘unique and extensive technical knowledge’ and ‘long-term physical access to a test vehicle’. In addition, it would take some time to write malicious code.

Finally, not all details about the vulnerability have been disclosed, except that knowing the IP address of a car is enough to be able to abuse it. The security researchers say they will reveal more information during the Black Hat conference in Las Vegas, which takes place in early August. The researchers will not publish any firmware at that time.