Jeep maker Fiat Chrysler has recalled 1.4 million cars to patch a critical software flaw that allowed hackers to hijack the car's critical functions.
Security researchers Charlie Miller and Chris Valasek used a zero-day exploit in the Jeep Cherokee's entertainment system to remotely commandeer the car while it was being driven by a Wired reporter on a St Louis highway.
The carmarker initially released a "software security update" on July 16 that it implored customers to either manually install or to have their dealer install "at no cost".
But it has now taken the unprecedented step of issuing a voluntary safety recall for all affected vehicles to ensure they are patched sooner rather than later.
Remote control flaw
The vulnerability sits in the Jeep's connected car system, Uconnect.
Although the current Jeep Cherokee range sold in Australia comes with Uconnect, unlike US models of the car it does not connect the car to the internet, and therefore, isn't vulnerable to the hack, a spokesperson told CarAdvice.
In the US, Uconnect enables a number of "remote control" benefits for car owners, from remotely starting the engine and cooling the car down before you get in, to sounding the horn or flashing its lights to locate it in a busy car park. It also has functionality that can turn the car into a wi-fi hotspot.
To demonstrate software they created to exploit the flaw, Miller and Valasek had Wired writer Andy Greenberg drive a Jeep while they remotely commanded the car to do certain things.
Some of those things were fairly innocuous - blasting the air-conditioner or the stereo and cleaning the windscreen. However, other successful commands - killing transmission and the brakes - will have carmakers worried, particularly as more cars become smarter and internet-connected.
The researchers plan to withhold details of the vulnerability they exploited until Black Hat 2015 in December. "From an attacker's perspective, it's a super nice vulnerability," Miller told Wired.
They plan to leave some important bits from their presentation.
First, although the initial point of entry is via Uconnect, the attacker is limited at that point to playing with the dashboard functions and GPS.
The more serious remote takeover functions were performed by accessing a chip in the head unit (the screen) and overwriting its firmware. Wired reported this process will be kept secret.
The researchers have also shared the findings with Fiat Chrysler over the past nine months, leading to the release of the "software security update" by the carmaker.
It is not the first time Miller and Valasek have hacked connected-car systems to take over critical functions.
At the Def Con conference in 2013, they showed how a Ford Escape and Toyota Prius were also vulnerable - but that demonstration relied on the hackers being in the car and patched directly into the car's systems.
A year later, they released detailed technical notes on how this was at all possible, and then showed off "intrusion prevention" technology they believed would make connected cars safe.
Of course, Miller and Valasek aren't alone in focusing their efforts on the security of connected car systems.
Studies at the University of Washington and UC San Diego in 2010 and 2011 showed how attackers could gain access to a car's systems remotely, and what they could do with that level of access.
A US Senate report released in February this year found only two of 16 "major auto makers" could diagnose or respond to an intrusion of their cars' systems in real time.
A recent vulnerability in BMW vehicles equipped with the company's ConnectedDrive software allowed hackers to unlock the doors of vehicles. Affected cars were patched over-the-air.
However, not everyone is buying the hype around connected car security risks.
John Ellis, founder of consultancy Ellis & Associates and former Ford technologist, told PCmag that "most" car makers shielded GPS systems from those that controlled steering and braking.
He believed connected car hacking was "nowhere near this cataclysmic event that people keep hearing about".
