Auto blog
The problem with how automakers confront hacking threats
Thu, Jul 30 2015
More than anyone, Chris Valasek and Charlie Miller are responsible for alerting Americans to the hacking perils awaiting them in their modern-day cars. In 2013, the pair of cyber-security researchers followed in the footsteps of academics at the University of Cal-San Diego and University of Washington, demonstrating it was possible to hack and control cars. Last summer, their research established which vehicles contained inherent security weaknesses. In recent weeks, their latest findings have underscored the far-reaching danger of automotive security breaches. From the comfort of his Pittsburgh home, Valasek exploited a flaw in the cellular connection of a Jeep Cherokee and commandeered control as Miller drove along a St. Louis highway. Remote access. No prior tampering with the vehicle. An industry's nightmare. As a result of their work, FCA US recalled 1.4 million cars, improving safety for millions of motorists. For now, Valasek and Miller are at the forefront of their profession. In a few months, they could be out of jobs. Rather than embrace the skills of software and security experts in confronting the unforeseen downside of connectivity in cars, automakers have been doing their best to stifle independent cyber-security research. Lost in the analysis of the Jeep Cherokee vulnerabilities is the possibility this could be the last study of its kind. In September or October, the U.S. Copyright Office will issue a key ruling that could prevent third-party researchers like Valasek and Miller from accessing the components they need to conduct experiments on vehicles. Researchers have asked for an exemption in the Digital Millennium Copyright Act that would preserve their right to analyze cars, but automakers have opposed that exemption, claiming the software that runs almost every conceivable vehicle function is proprietary.
Further, their attorneys have argued the complexity of the software has evolved to a point where safety and security risks arise when third parties start monkeying with the code. Their message on cyber security is, as it has been for years, that they know their products better than anyone else and that it's dangerous for others to meddle with them. But in precise terms, the Jeep Cherokee problems show this is not the case. Valasek and Miller discovered the problem, a security hole in the Sprint cellular connection to the UConnect infotainment system, not industry insiders.
NHTSA closes investigation on 4.7M FCA power modules, no recall
Thu, Jul 30 2015
FCA US hasn't had the best time with recalls as of late. Not only did the company recently agree to greater safety oversight and pay $105 million to the government, that came just days after hacking fears prompted a 1.4-million model recall campaign. However, a recent decision to close an investigation by the National Highway Traffic Safety Administration means that the automaker doesn't have to worry about another major recall possibly affecting 4.7 million vehicles, according to the agency's report (as a PDF). Last September, the Center for Auto Safety petitioned NHTSA to investigate an alleged problem with the totally integrated power module (TIPM) on these FCA US models. The group claimed that a fault with the component could cause a variety of maladies, including stalls, not starting, catching fire, unintended acceleration, and airbag non-deployment. At the time, it also submitted 70 cases where this had reportedly happened. According to NHTSA, "no valid evidence was presented in support of claims related to airbag non-deployment, unintended acceleration, or fire resulting from TIPM faults and these claims were found to be wholly without merit based on review of the field data and design of the relevant systems and components." The agency did find signs of an issue with the fuel pump relay in some Jeep Grand Cherokees and Dodge Durangos, but FCA US issued recalls for the problem in September 2014 and February 2015. Without anything else to go on, the Feds don't think it's worth investigating this topic any more.
UAW may be key to forced FCA merger with GM
Wed, Jul 29 2015
Sergio Marchionne doesn't give up on a business deal easily. While outwardly not much has recently been said about FCA's attempted merger with General Motors, Marchionne might be hoping to garner a powerful, new ally that could help break things wide open. The United Auto Workers retiree health care trust is the single largest shareholder of GM with 8.7 percent of the stock, and having its support would certainly improve FCA's position in getting a deal done. "Whatever happens in terms of consolidation, it would never be done without the consent and support of the UAW," Marchionne said when FCA recently began contract talks with the UAW, The Detroit News reports. The boss is also allegedly on good terms with the union president Dennis Williams. Still, using the organization for a hostile takeover could be very difficult because of the way its votes are structured. Other activist investors might already be on board, though. Marchionne believes that consolidation in the industry is vital because automakers are investing to create the same technologies. A GM/FCA merger still has many roadblocks, though, including the fact that Marchionne's company is smaller than GM. From a regulatory perspective, the size of the merged company could raise serious anti-trust concerns among regulators, according to The Detroit News. There's also the concern for lost jobs from redundant work with the two combined businesses. Even if the UAW angle doesn't work out, there are contingency plans afoot for other merger targets. According to The Detroit News speaking to anonymous insiders, FCA bigwigs have a meeting in London on Thursday to take a close look at other options. In addition to GM, they are investigating possible deals with Volkswagen and the Renault-Nissan Alliance. In the past, PSA Peugeot Citroen and multiple Asian automakers have also been brought up as partners, and UBS has reportedly been providing financial advice on what to do.
Certain Chrysler owners eligible for buyback program
Mon, Jul 27 2015
Certain car owners whose Chrysler vehicles contain dangerous defects will soon have a way to get rid of their lemons without losing money. As part of an agreement with federal regulators, Fiat Chrysler Automobiles has agreed to buy back more than 500,000 vehicles susceptible to veering out of control without warning at above market-value prices. The deal mainly covers certain models of RAM trucks, the Dodge Dakota pickup and Dodge Durango SUV. Further, owners of more than 1.5 million Jeep Liberty and Grand Cherokees at heightened risk for lethal fires are eligible to trade in their vehicles at above market value or, alternately, get a gift certificate if they prefer to have repairs made. Chrysler has "a heavy responsibility to make sure the products they make are safe for the traveling public," said Mark Rosekind, administrator of the National Highway Traffic Safety Administration. "... Here, we are sending an unambiguous signal to industry that if you skirt the laws or violate the law, or don't live up to the responsibility that consumers expect, we are going to penalize you." The buy-back and trade-in options for motorists come as part of an unprecedented penalty NHTSA slapped against Chrysler for violating federal motor-vehicle safety laws. Chrysler will pay a $105 million fine, the highest ever levied by the regulatory agency. In addition to the buy-backs, Chrysler also agreed to an independent monitor for three years. Investigators had outlined problems in the company's conduct in 23 recalls that affected more than 11 million defective vehicles. As part of a consent-order agreement, Chrysler acknowledged it did not notify vehicle owners of recalls in an effective manner and did not notify NHTSA of safety problems. Though those recalls affected millions of drivers, the buy-back and trade-in options are only for a small portion of the vehicles involved.
Because Chrysler struggled to fix the problem and no repair was apparent, Rosekind said the buy-backs are reserved "for customers who didn't have a remedy." Buy-backs are for trucks and SUVs affected by three recalls that occurred in 2013 (recalls 13V-038, 13V-527 and 13V-529), that addressed a rear-axle pinion nut that could come loose and cause a loss of vehicle control. Those recalls covered 579,228 vehicles, including 2009-2012 Ram 1500, 2500, 3500, 4500 and 5500 trucks, 2009-2012 Dodge Dakotas, 2009 Chrysler Aspen and the 2009 Dodge Durango.
Fiat Chrysler to get $105M fine from NHTSA for recall woes
Sun, Jul 26 2015
The National Highway Traffic Safety Administration is about to send a powerful message to automakers doing business in the United States, assuming reports of an upcoming $105 million fine against Fiat Chrysler Automobiles come to fruition. In addition to the record-setting monetary fine, according to The Wall Street Journal, FCA will have to accept an independent auditor that will monitor the company's recall and safety processes and will be forced to buy back certain recalled vehicles. In other cases, such as with Jeep Grand Cherokee and Liberty models with gas tanks that could potentially catch fire in certain types of accidents, FCA will offer financial encouragement for owners to get their recall work done or to trade those older vehicles in on new cars, according to the report. FCA could reportedly reduce its fines if it meets certain conditions, though those remain unclear at this time. These actions against FCA are being taken after NHTSA began a probe into the automaker over almost two dozen separate instances where the government claims FCA failed to follow proper procedures for recalls and safety defects. Included in those safety lapses are more than 11 million vehicles currently in customer hands. These penalties and fines are separate from the investigation over security problems with Chrysler's Uconnect system that allowed hackers to obtain remote access into key vehicle systems in 1.4 million vehicles.
Are old airbags killers?
Sat, Jul 25 2015
Takata airbags may not be the only ones with some very serious problems. A new report from TheDetroitBureau.com claims that the National Highway Traffic Safety Administration has opened its second investigation into bad airbag inflators, and this time, they aren't from Takata. The focus of this latest case is on the airbag inflators in some 500,000 older Chrysler Town and Country minivans and Kia Optima sedans, all of which come from ARC Automotive. While the Takata case looks at problems stemming from the engineering and production process, the ARC investigation focuses on the age of the inflators. As TDB explains, airbag inflators are essentially what the military refers to as shaped charges, sort of like Claymores (for fans of the Call of Duty series). In combat, they blow up in a specific direction, protecting those behind the explosion, although in the case of airbags, the explosion "[creates] a precise rush of hot gases" that inflate the bags. NHTSA's worry is that with the increased average age of today's vehicles, years and years of being bounced, jolted, and shaken about and exposed to often-radical temperature changes have altered the nature of the explosives in these vehicles, causing too big of an explosion. "It may be a reasonable assumption that as these things age they deteriorate," analyst George Peterson told TheDetroitBureau.com. NHTSA boss Mark Rosekind backed up the aging angle. "Cars are lasting on the road a lot longer than ever before," Rosekind told TDB, adding that seals could start breaking down. "Is aging now an issue? That's part of the investigation going on." NHTSA has only identified two "incidents" so far, although according to Center for Auto Safety Director Clarence Ditlow, there's genuine concern that there could be additional unidentified cases. "Could we have missed more? That could be the case," Ditlow told TDB, citing the misidentified deaths in the Takata investigation. Ditlow was quick to point out that, even in older vehicles, airbags are much more likely to protect than harm. "No one is saying you should disable your airbags," the safety advocate told TDB. "You're far more likely to be helped than hurt by one if they go off." At least one automaker, meanwhile, has already been advised of the investigation by NHTSA and is checking its airbags.
How to update and secure a vulnerable Chrysler Uconnect system
Sat, Jul 25 2015
If you own one of the 1.4 million vehicles affected by the recent Chrysler software recall, you may want to watch this video. In it, we explain how to get the latest infotainment software loaded onto the 8.4-inch Uconnect system. The recall was a response to the findings of researchers who were able to hack into and remotely control a 2014 Jeep Cherokee through its cellular connection. Although Fiat Chrysler has worked with Sprint to plug most of the holes on the carrier side, there are still some vulnerabilities that only this latest software version can patch. Owners have three options to get the update: download it now, wait for a USB stick in the mail, or take the vehicle to an FCA dealer. Chrysler will be sending USB sticks loaded with the software update to customers. Anyone with an internet connection and a USB stick of their own with at least 4 GB capacity can speed things up by downloading the patch from the Uconnect website. We cover that process from start to finish in the video, with the final portion still applicable to those using the FCA-supplied USB stick. If after watching this you still don't want to tackle the patch yourself, you can take your vehicle to the dealer to have it done. Also note that this process is the same for all Uconnect updates, not just the one patching the exploits. Our demonstrator vehicle is a 2015 Ram 1500 pickup. The procedure should be very similar on other products with the 8.4-inch Uconnect system, with only the location of the USB port varying. Once you have the USB stick with the software on it – either after having downloaded it yourself or receiving it in the mail from Chrysler – the installation process is relatively simple. It takes about 15 minutes to perform the update; we edited out the wait in the video. To check whether or not your car's 8.4-inch Uconnect system is running the latest software, go to System Information on the touch screen's Settings page and look at Software Version.
The update related to the recall is version 15.17.5.
Harsh words from senators over Chrysler's delay in reporting hack
Fri, Jul 24 2015
The federal agency charged with protecting American motorists wants to know more about how hackers remotely commandeered and controlled a Jeep Cherokee. Hours after Fiat Chrysler Automobiles recalled 1.4 million cars affected by a flaw in their cellular connections, officials with the National Highway Traffic Safety Administration said Friday they'll further probe the defect by conducting a formal recall query investigation. "Opening this investigation will allow NHTSA to better assess the effectiveness of the remedy proposed," the agency said in a written statement. The remedy works, said Chris Valasek, one of the researchers who first discovered the security flaw. After testing for the vulnerability again Friday, he wrote on Twitter: "Looks like I can't get to @0xcharlie's Jeep from my house via my phone. Good job FCA/Sprint!" From his Pittsburgh home, Valasek had previously accessed and controlled co-worker Charlie Miller's Jeep along a St. Louis highway. Researchers have demonstrated remote hacks before, but the scope and severity of the Jeep vulnerability were unprecedented. The recall for a cyber threat was the first of its kind. Although a software patch and changes made by cellular provider Sprint appeared to fix the problem, news of the exploit and Chrysler's response brought a fresh round of consternation on Capitol Hill, where federal lawmakers had already expressed concerns about automotive cyber security. The Jeep hack elevated their concerns to a new level. "Cyber threats in cars are real and urgent, no figment of the imagination, as this huge recall demonstrates," said Sen. Richard Blumenthal (D-CT). "Incredibly, Chrysler delayed disclosing this chilling cyber-security danger egregiously and inexcusably, and strong sanctions are appropriate to send a message that other auto manufacturers will heed." Chrysler had known about the security gap since October, and Sen. Ed Markey (D-MA) wondered why it took the company so long to let customers know they were at risk. "Despite knowing about this security gap for nearly nine months, Chrysler is only now recalling 1.4 million vehicles to fix this vulnerability," he said. That's a potential pitfall for Chrysler, and something NHTSA will likely address in its investigation. Automakers are supposed to report safety-related defects to the agency within five days of discovery. But according to a chronology of events Chrysler submitted in its recall paperwork, it didn't inform NHTSA until July 15.
FCA issuing software update for 1.4M vehicles to prevent hacking
Fri, Jul 24 2015
In the wake of a Jeep Cherokee being hacked remotely while on the road through its Uconnect infotainment system, FCA US is now issuing a software update for 1.4 million vehicles in the United States. Affected customers will receive a USB stick in the mail with the improved version; owners can check this website to see if their cars are affected. A large variety of models with FCA's 8.4-inch touchscreen infotainment system are affected. They include the 2015 Chrysler 200, 2015 Chrysler 300, 2015 Dodge Charger, and 2015 Dodge Challenger; 2013-2015 Dodge Viper; 2013-2015 Ram 1500, 2500, and 3500; 2013-2015 Ram 3500, 4500, and 5500 chassis cab; 2014-2015 Jeep Grand Cherokee and Cherokee; and 2014-2015 Dodge Durango. According to FCA in its announcement, the new software "insulates connected vehicles from remote manipulation." As of July 23, the company also "fully tested and implemented within the cellular network" additional security to prevent access to many of a vehicle's systems. FCA US says that it's conducting this campaign out of an abundance of caution and disputes the notion that there's a defect with these vehicles. Beyond the demonstration of the hack in the Cherokee, the automaker says that it's unaware of any other reports of these attacks actually happening.
Statement: Software Update
July 24, 2015, Auburn Hills, Mich. - FCA US LLC is conducting a voluntary safety recall to update software in approximately 1,400,000 U.S. vehicles equipped with certain radios. The recall aligns with an ongoing software distribution that insulates connected vehicles from remote manipulation, which, if unauthorized, constitutes criminal action. Further, FCA US has applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report.
These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015. The Company is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration.
Feds fretting over remote hack of Jeep Cherokee
Fri, Jul 24 2015
A cyber-security gap that allowed for the remote hacking of a Jeep Cherokee has federal officials concerned. An associate administrator with the National Highway Traffic Safety Administration said Thursday that news of the breach conducted by researchers Chris Valasek and Charlie Miller had "floated around the entire federal government." "The Homeland Security folks sent out broadcasts that, 'Here's an issue that needs to be addressed,'" said Nathaniel Beuse, an associate administrator with the National Highway Traffic Safety Administration. Valasek and Miller commandeered remote control of the Cherokee through a security flaw in the cellular connection to the car's Uconnect infotainment system. From his Pittsburgh home, Valasek manipulated critical safety inputs, such as transmission function, on Miller's Jeep as he drove along a highway near St. Louis, MO. The prominent cyber-security researchers needed no prior access to the vehicle to perform the hack, and the scope of the remote breach is believed to be the first of its kind. A NHTSA spokesperson said the agency's cyber-security staff members are "putting their expertise to work assessing this threat and the response, and we will take action if we determine it's necessary to protect safety." A Homeland Security spokesperson referred questions about the hack to Chrysler. Fiat Chrysler Automobiles has already been the subject of a federal hearing this month, in which officials scrutinized whether the company had adequately fixed recalled vehicles and repeatedly failed to notify the government about defects. But cyber-security concerns are a new and different species for the regulatory agency. Only hours before the Jeep hack was announced by Wired magazine earlier this week, NHTSA administrator Dr. Mark Rosekind said hacking vulnerabilities were a threat to privacy, safety, and the public's trust with new connected and autonomous technologies that allow vehicles to communicate. NHTSA outlined its response to the cyber-security challenges facing the industry in a report issued Tuesday. In it, the agency summarized its best practices for thwarting attacks and said it will analyze possible real-time infiltration responses. But the agency's ability to handle hackers may only go so far.