Regulators left in dark over Chrysler security flaw for 18 months

According to Fiat Chrysler, the remote hijacking flaw was not a "safety defect" under US law.
Written by Charlie Osborne, Contributing Writer
The existence of a vulnerability in Fiat Chrysler vehicles that allowed security researchers to take control of a Jeep was only admitted to safety regulators 18 months after the affected cars were released onto the road.

As reported by Bloomberg on Wednesday, Fiat Chrysler executives delayed for a year and a half before admitting to the flaw.

Fiat Chrysler did not consider the radio vulnerability a safety risk, but on July 24 the automaker was forced to recall 1.4 million vehicles after being pushed by the US National Highway Traffic Safety Administration (NHTSA).

The security flaw came to light after researchers Charlie Miller and Chris Valasek demonstrated how to remotely attack a Uconnect-equipped vehicle. Uconnect is the infotainment software that connects a vehicle to its owner's smartphone, allowing the driver to remotely start the engine, track the car over GPS, access driving directions and make hands-free calls and texts; it is found in a number of the automaker's cars.

The severe vulnerability allowed the researchers to remotely control the car, commanding it to perform actions such as switching off the engine while it was being driven, a serious threat to occupant safety.

The researchers presented additional details of the attack at the Black Hat security conference in Las Vegas this week. It was only after the team informed Fiat Chrysler of their plans to publicize the flaw at Black Hat that NHTSA was told.

Why the delay? According to documents filed by the automaker with the regulator, the software vulnerability was not considered a "safety defect" under US law; had it been judged a risk to public safety, a report to NHTSA would have been required within five days of discovery.

Fiat Chrysler spokesman Eric Mayne told the publication:

"Prior to last month, the precise means of the demonstrated manipulation was not known. [The firm] opposes irresponsible disclosure of explicit 'how-to' information that could help criminals gain unauthorized access to vehicle systems."

Models equipped with 8.4-inch touch screens, including 2014-2015 Jeep Grand Cherokee and Cherokee SUVs, 2015 model-year Chrysler 200, Chrysler 300 and Dodge Charger sedans, and 2013-2015 Ram 1500, 2500 and 3500 pickups, are among those recalled.

Fiat Chrysler said the recall is voluntary, and owners can check whether their vehicle is affected by the remote hijacking flaw. No related injuries or complaints have been reported so far.

Because the patch cannot be delivered over the air, customers who do not want to drive to a dealership for the security upgrade will also receive a USB flash drive containing the firmware update in the post. In the interests of security, however, plugging in a USB drive that arrives unsolicited by mail is not recommended: a genuine drive is indistinguishable from one an attacker could send in its place, and the vehicle will apply whatever is on it.
