2015-07-24
* U.S. regulator launches probe of cybersecurity recall
By Bernie Woodall and Joseph Menn
DETROIT/SAN FRANCISCO, July 24 Fiat Chrysler
will recall 1.4 million vehicles in the United States to install
software to prevent hackers from gaining remote control of the
engine, steering and other systems in what federal officials
said was the first such action of its kind.
The announcement on Friday by FCA US LLC, formerly Chrysler
Group LLC, was made days after reports that cybersecurity
researchers used a wireless connection to turn off a Jeep
Cherokee's engine as it drove, increasing concerns about the
safety of Internet-enabled vehicles.
The researchers used Fiat Chrysler's
telematics system to break into a volunteer's Cherokee being
driven on the highway and issue commands to the engine, steering
and brakes.
The National Highway Traffic Safety Administration (NHTSA)
said on Friday it would investigate whether FCA's solution to
upgrade software was enough to protect consumers from hackers,
although FCA said in its recall announcement that it was unaware
of any injuries.
A spokesman for NHTSA said that it was the first recall of
vehicles because of concerns about cybersecurity, and experts
said they hoped it would send a shock through the auto industry
and beyond it.
RISKS OF CONNECTIVITY
The risks of increasing connectivity to physical devices
extend far beyond cars and into hospitals and chemical plants
and factories, they said.
"It's a huge problem, and it's an architectural problem with
this Internet-of-Things concept," said Nicholas Weaver, a
security researcher at the nonprofit International Computer
Science Institute in Berkeley, California.
He said that at present there is a divide in terms of
design, in that cars and other products could be accessible from
a variety of sources, such as smartphones, as with the Cherokee,
or else can be designed to communicate only with a single
authenticated server.
Products designed to be accessible by a range of means
including smartphones leave a large "attack surface" that is
easier to penetrate. But products that communicate only with a
single authenticated server allow the company that owns the
server to compile a raft of information about the user,
increasing privacy concerns, Weaver said.
Ed Skoudis, an expert in securing connected devices, said
the fact that the recall came so soon after publication of the
FCA cybersecurity issue "is a shot across the bow of other IoT
manufacturers that this could cost them a lot of money."
Skoudis said he hoped companies would reconsider what they
spend on security earlier in the design process in order to
avoid similar recalls, lawsuits and the threat of increased
regulation.
COMPUTERS ON WHEELS
Automakers have until now sought to play down the threat
that hackers could gain control of a vehicle using a wireless
connection. While hackers had previously demonstrated the
ability to tamper with onboard systems using a physical
connection to the car's diagnostic system, the researchers were
able to control the Jeep Cherokee remotely.
U.S.-traded shares of Fiat Chrysler closed 2.5 percent lower
at $15.15 on Friday.
The NHTSA and members of Congress have expressed concern
about the security of Internet-connected vehicle control
systems.
Two Democratic Senators introduced a bill on Tuesday that
would direct the NHTSA to develop standards for isolating
critical software and detect hacking as it occurs.
"We have said that cars today are essentially computers on
wheels, and the last thing drivers should have to worry about is
some hacker along for the ride," Fred Upton, the Republican
chairman of the House Energy and Commerce Committee, and the
committee's ranking Democrat, Frank Pallone Jr of New Jersey,
said in a statement on Friday.
Some carmakers, including BMW and Tesla Motors
Inc, can update car software over the air, as Apple Inc
does with its phones. But others do not, and the Senate
bill would not require that.
The recalled vehicles include some of the top-selling FCA
products including the Jeep Grand Cherokee and Cherokee SUVs
from model years 2014 and 2015 and 2015 Dodge Challenger sports
coupes, among others. (bit.ly/1IrgUR1)
FCA said it would mail a memory stick to affected customers
to upgrade vehicle software and add security. A spokeswoman for
FCA said the USB sticks would be mailed to customers "as soon as
possible."
The company also said it had already deployed a fix with its
telecommunications provider to block remote access of the kind
the researchers used.
FCA declined to comment beyond the statement it issued on
the recall. The company did not respond to queries on whether
the USB devices to be mailed to customers are on hand or have to
be manufactured.
An NHTSA official said the investigation would also look at
"how quickly they (FCA) are able to complete the recall."
In broad terms, "this is another example of a problem with
an embedded system, some computer that is something that is not
really a computer from a user perspective but is built to make
something else work," said Steven Bellovin, a professor of
computer science at Columbia University. "I suspect we're going
to need some kind of regulatory frameworks."
(Reporting by Joseph Menn in San Francisco, Bernie Woodall and
Joe White in Detroit, David Morgan in Washington, and Abinaya
Vijayaraghavan and Sweta Singh in Bengaluru; Editing by Grant
McCool and Matthew Lewis)