The federal agency charged with protecting American motorists wants to know more about how hackers remotely commandeered and controlled a Jeep Cherokee. Hours after Fiat Chrysler Automobiles recalled 1.4 million cars affected by a flaw in their cellular connections, officials with the National Highway Traffic Safety Administration said Friday they’ll further probe the defect by conducting a formal recall query investigation. “Opening this investigation will allow NHTSA to better assess the effectiveness of the remedy proposed,” the agency said in a written statement.
The remedy works, said Chris Valasek, one of the researchers who first discovered the security flaw. After testing for the vulnerability again Friday, he wrote on Twitter: “Looks like I can’t get to @0xcharlie’s Jeep from my house via my phone. Good job FCA/Sprint!”
From his Pittsburgh home, Valasek had previously accessed and controlled co-worker Charlie Miller’s Jeep along a St. Louis highway. Researchers have demonstrated remote hacks before, but the scope and severity of the Jeep vulnerability were unprecedented. The recall for a cyber threat was the first of its kind.
Although a software patch and changes made by cellular provider Sprint appeared to fix the problem, news of the exploit and Chrysler’s response brought a fresh round of consternation on Capitol Hill, where federal lawmakers had already expressed concerns about automotive cyber security. The Jeep hack elevated their concerns to a new level.
“Cyber threats in cars are real and urgent, no figment of the imagination, as this huge recall demonstrates,” said Sen. Richard Blumenthal (D-CT). “Incredibly, Chrysler delayed disclosing this chilling cyber-security danger egregiously and inexcusably, and strong sanctions are appropriate to send a message that other auto manufacturers will heed.”
Chrysler had known about the security gap since October, and Sen. Ed Markey (D-MA) wondered why it took the company so long to let customers know they were at risk. “Despite knowing about this security gap for nearly nine months, Chrysler is only now recalling 1.4 million vehicles to fix this vulnerability,” he said.
That’s a potential pitfall for Chrysler, and something NHTSA will likely address in its investigation. Automakers are supposed to report safety-related defects to the agency within five days of discovery. But according to a chronology of events Chrysler submitted in its recall paperwork, it didn’t inform NHTSA until July 15. Even then, Chrysler said it told agency research and defects officials that it planned only to issue a technical service bulletin regarding the vulnerability. But Tuesday, WIRED published details about the Jeep exploit, and seventy-two hours later, Chrysler announced a formal recall.
In the interim, federal officials grew more concerned. “With WIRED Magazine, this is the first example of what’s to come,” said NHTSA associate administrator Nathaniel Beuse. “It’s going to be pretty dynamic and NHTSA and the industry will have to adapt.” Beuse said the article had rippled through the “entire federal government” and that members of the Department of Homeland Security said the hack needed to be addressed.
Blumenthal and Markey introduced legislation Tuesday that would set minimum standards for automotive software security and create a system that would help car shoppers be more knowledgeable about security in particular vehicles. Earlier, a report by Markey’s office concluded only two of 16 automakers could respond to a real-time infiltration. A House subcommittee has also been probing the readiness of automakers and NHTSA to fend off and respond to cyber attacks. Still, lawmakers found it hard to believe that an issue that had concerned them was now reality.
“The automotive cyber vulnerabilities described in the press this week and acknowledged by today’s recall sound like the plot of a science fiction movie,” said Rep. Diana DeGette (D-CO), who serves on the Energy and Commerce committee probing the issue. “As the Internet of Things becomes a larger part of our lives, these weaknesses become ever-more real. Automakers and NHTSA must maintain a special vigilance as more internet-enabled vehicles take the road to ensure the driving public stays safe.”
In written statements, Chrysler officials said they were unaware of any real-world hacks and emphasized that the researchers needed extensive technical knowledge and extended periods of time to write code. “No defect has been found,” the company wrote. “FCA US is conducting this campaign out of an abundance of caution.”