Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.
The move marks a milestone for the industry, which last year set a record with 64 million autos called back for fixes in the U.S. The National Highway Traffic Safety Administration, under fire from Congress for not catching defects more quickly, has been considering punitive action against Fiat Chrysler for failing to protect vehicle owners.
Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on July 23, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.
Fiat Chrysler was already distributing software to insulate some connected vehicles from illegal remote manipulation after Wired magazine published a story about software programmers who were able to take over a Jeep Cherokee being driven on a Missouri highway.
The company, led by Chief Executive Officer Sergio Marchionne, reiterated that it’s not aware of any real-world unauthorized remote hack into any of its vehicles. It stressed that no defect was found and said it’s conducting the campaign out of “an abundance of caution.”
NHTSA said it encouraged the action to protect consumers against a vulnerability that could affect a driver’s control.
“Launching a recall is the right step to protect Fiat Chrysler’s customers, and it sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities,” NHTSA Administrator Mark Rosekind said in a statement Friday.
The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.
“That’s not a small number to go after,” Mark Boyadjis, an analyst with IHS Automotive, said in a telephone interview. “This is a pretty quick response and much of it could be P.R. driven. But I think it will keep consumers comfortable and prevent current ones and future ones from straying away from the brand.”
This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.
That capability makes the possibility of remote hacking of cars a reality. Earlier hacks have mostly been achieved by jacking the researchers’ laptops into diagnostic ports inside the cars.
Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.
“This is not a Sprint issue but we have been working with Chrysler to help them further secure their vehicles,” said Stephanie Vinge Walsh, a Sprint spokeswoman.
NHTSA said it would open an investigation of the remedy “to ensure that the scope of the recall is correct and that the remedy will be effective,” agency spokesman Gordon Trowbridge said in an e-mailed statement. The agency said its electronics and cybersecurity experts will continue to monitor hacking threats and take action when necessary.
There’s a possibility the recall could affect consumer confidence in Fiat Chrysler, even though the company isn’t the only one with cybersecurity challenges, said Thilo Koslowski, vice president and automotive practice leader at technology consultant Gartner Inc.
“It validates that cyber-hacking with cars is a serious issue that the auto industry must pay attention to,” he said. “The auto industry needs to develop new technology to combat these technological problems.”
General Motors Co. has a team working on cybersecurity and has hired Harris Corp.’s Exelis and other firms to develop anti- hacking systems, said Mark Reuss, the Detroit automaker’s executive vice president for global product development. GM seeks to block hackers’ access to its autos, he said, and if they do get in, it tries to prevent them from gaining control.
“It’s probably one of the most important things we spend time on,” Reuss said. “Anyone who wants to do something like that will probably get on, so you have to look at what happens when they do.”
GM has also worked with the U.S. military and with Boeing Co. on its anti-hacking systems, he said.
Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements. The lawmakers released a report in 2014 on gaps in car-security systems, concluding that only two of 16 automakers had the ability to detect and respond to a hacking attack.
Markey questioned why it took nine months after learning about the security gap for Fiat Chrysler to order a recall.
“There are no assurances that these vehicles are the only ones that are this unprotected from cyberattack,” he said Friday in an e-mail. “A safe and fully equipped vehicle should be one that is equipped to protect drivers from hackers and thieves.”
Although general cyber threats have been acknowledged previously by the industry, the specific ability to take control of critical vehicle functions in the affected Fiat Chrysler vehicles only became clear with the Wired magazine report, said Fiat Chrysler spokesman Eric Mayne.
“Prior to this month, the precise means of the demonstrated manipulation was not known,” Mayne said.
Representatives Fred Upton and Frank Pallone, leaders of the House Energy and Commerce Committee, sent letters to 17 manufacturers and NHTSA in May to gather information about how the industry is addressing cybersecurity.
“As the underlying technologies seemingly evolve by the day, so too must our manufacturers and regulators keep pace to protect drivers from these growing threats,” the Michigan Republican and New Jersey Democrat said in a statement Friday.
(By Bloomberg Reporters Mark Clothier and Jeff Plungis; with assistance from Patrick Ralph in New York, David Welch in Southfield, Michigan, and Jordan Robertson in Washington.)