DETROIT (AP) — Fiat Chrysler has decided to recall about 1.4 million cars and trucks in the U.S. just days after two hackers revealed that they took control of a Jeep Cherokee SUV over the Internet.
The company also disclosed in government documents that the hackers got into the Jeep through an electronic opening in the radio and said it would update software to close it. On Thursday, Fiat Chrysler sealed off a loophole in its internal cellular telephone network with vehicles to prevent similar attacks, the automaker said in a statement.
The vulnerability exposed by the hack rippled through the auto industry and drew the attention of government safety regulators, who on Friday opened an investigation into the Jeep incident.
The National Highway Traffic Safety Administration said it would find out which other automakers use the same radios. It came as the industry is rapidly adding Internet-connected features such as WiFi and navigation that are convenient for drivers but make the car more vulnerable to outside attacks.
“I think it’s a pretty big deal,” said James Carder, chief information security officer for LogRhythm Inc., a Boulder, Colorado, security company. “This isn’t intellectual property going out the door, this is 1.4 million lives on the line.”
Automakers, he said, have become accustomed to testing mechanical safety, but most aren’t doing enough online security testing. Carder said he wouldn’t be surprised to see a few more recalls as automakers check vehicle security. He noted that Internet-accessible cars have only been around for a few years, limiting the number of cars and trucks that could be affected.
Shortly after the hack was disclosed in a Wired magazine article this week, Fiat Chrysler said it would contact owners of 471,000 vehicles and offer software updates to fix the problem. But documents show that the wider recall came at the urging of government safety regulators.
Fiat Chrysler, which faces penalties from NHTSA for recall delays over several years, said in documents that it agreed to the recall even though there were no problems in the field other than the Jeep attack, and it had no complaints or warranty claims. The company also implied in its statement that the hackers broke the law by manipulating a vehicle remotely without authorization.
The fix came after two well-known hackers, Charlie Miller and Chris Valasek, remotely took control of the Cherokee through its UConnect entertainment system. They were able to change the vehicle’s speed and control the brakes, radio, windshield wipers, transmission and other features.
Miller said Friday that he didn’t think Fiat Chrysler’s statement about criminal activity was directed at them because they hacked into a vehicle they own. “I don’t think they are saying anything bad against us in that statement, just reminding people that if someone were to hack their car, it’d be against the law,” he said.
The recall affects vehicles with 8.4-inch touchscreens including 2013 to 2015 Ram pickups and chassis cabs and Dodge Viper sports cars. Also covered are 2014 and 2015 Dodge Durango and Jeep Grand Cherokee and Cherokee SUVs, as well as the 2015 Chrysler 200 and 300, and the Dodge Charger and Challenger.
NHTSA encouraged people to get the repairs done as soon as possible and said the recall is the right step to protect customers. “It sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities,” the agency said in a statement.
Mark Reuss, General Motors’ product development chief, wouldn’t comment specifically on the Jeep incident, but said Friday that GM is learning about security measures from the U.S. military and aircraft manufacturers such as Boeing.
“Cyber security is one of the most important things we spend time on these days,” he told reporters on Friday.
Miller said he and Valasek first told Fiat Chrysler about their research in October and have been in touch with the company several times since then.
Owners of the recalled vehicles will get a USB drive that they can use to update the software. Fiat Chrysler says it provides added security beyond the cellular network fixes.
Customers can go to http://www.driveuconnect.com/software-update/ and punch in their vehicle identification number to find out if they’re included in the recall.
Carder, the security expert, said the odds that an average person’s vehicle would be hacked are slim, but the news will make people more paranoid. He owns the same model Jeep that was hacked, and says he’ll get the software fix done quickly.
“I’m sure my wife would appreciate it,” he said.
AP Business Writer Bree Fowler in New York contributed to this report.