Two technology researchers hacked wirelessly into a Jeep Cherokee

Fiat Chrysler issues recall of 1.4 million vehicles over long-feared problem — computer hacking

  • By AARON KESSLER Copyright 2015 New York Times News Service
  • Saturday, July 25, 2015 12:11pm
  • News

WASHINGTON — When the call came to officials at the National Highway Traffic Safety Administration, they knew they had a problem they had never faced but had long feared.

On the line was Fiat Chrysler Automobiles, with news that two technology researchers had hacked wirelessly into a Jeep Cherokee, through its dashboard connectivity system.

They had managed to gain control of not just features like the radio and air-conditioning, but the actual functions of the car: the engine, the brakes and the steering.

That revelation set in motion a nine-day flurry of activity by the automaker and the safety agency that culminated Friday in a sweeping recall of 1.4 million vehicles.

“Launching a recall is the right step to protect Fiat Chrysler’s customers, and it sets an important precedent for how N.H.T.S.A. and the industry will respond to cybersecurity vulnerabilities,” said Mark R. Rosekind, the agency’s administrator.

In an age when the cars on the nation’s highways are increasingly web-connected, it was the first safety recall issued for a hacking threat. And it brought immediate demands on Capitol Hill for action to root out and guard against flaws in other cars that could pose a similar danger.

The initial call from Fiat Chrysler to Washington on July 15 led to a long set of discussions between the automaker and regulators that extended through the weekend, according to a person briefed on the activities.

Staff specialists at the safety agency aimed to grasp the full scope of the breach, and were particularly alarmed that the hacking allowed someone to essentially crash a vehicle.

The researchers, Charlie Miller and Chris Valasek, had given the automaker a heads up: The two men planned to make their findings public early last week.

The vulnerability existed far beyond just the Jeep, they said. Other vehicles across Chrysler’s lineup of cars and trucks used the same system, called Uconnect, that had let them in. Hundreds of thousands of vehicles could be affected.

Fiat Chrysler software specialists scrambled to make a patch available to plug the hole, and released one on the automaker’s website on July 16, the day after the call to Washington.

The company also planned to issue a technical service bulletin — a notice mainly used by dealers, but not considered a recall.

Officials at the safety agency, however, wanted to know more about the exact functions that could be taken over by hackers. In N.H.T.S.A. parlance, if the result presented an “unreasonable risk to safety,” a recall would be required.

And if drivers were vulnerable to an attack where they could lose control of their cars, that would certainly seem to qualify, even though a recall for a web security threat had never before taken place.

In the meantime, the researchers made their findings known on Tuesday in an article published by the news technology site Wired, telling how they had taken control of a cooperating driver’s car from 10 miles away as it sped down a St. Louis highway. (It was the same day, coincidentally, that Mr. Rosekind was visiting Michigan for a speech in which he addressed the need for improved web security in vehicles.)

N.H.T.S.A. officials decided that the vulnerability was simply too dangerous not to require a formal recall. Additionally, without a recall, the automaker would not be required to file regular compliance reports on how many affected vehicles had been fixed.

After further conversations between Washington and the company’s headquarters in Auburn Hills, Mich., Fiat Chrysler settled Thursday on a recall affecting 1.4 million vehicles.

(A small percentage of that number, the company said, involves certain 2015 models getting a separate software patch unrelated to the remote Jeep hacking.)

Fiat Chrysler issued a public statement saying that security “is a top priority,” as is retaining consumer confidence in its vehicles. Fiat Chrysler will send affected owners a USB drive they can plug into their vehicles to install an update to block the hacking vulnerability. Owners can also download the update directly onto their own portable drive.

The recall affects certain vehicles equipped with 8.4-inch touch screens from the 2013 model year onward. That includes some Jeep Cherokees and Grand Cherokees, Dodge Durangos, Ram pickup trucks, Chrysler 200 and 300 sedans, Dodge Chargers and Vipers. (The company set up a VIN search tool to let consumers check if their vehicle is affected.)

The automaker also said it had “applied network-level security measures” on the Sprint cellular network that communicates with its vehicles as another step to block the vulnerability.

On Friday, Mr. Valasek, one of the two researchers, posted on social media that when he tried connecting again to his test Jeep, the pathway through Sprint’s network had been blocked.

Precise aspects of what Fiat Chrysler knew about possible Uconnect problems before this month remain unclear. In documents filed with regulators on Friday, the company said that testing in January 2014 identified “a potential security vulnerability” with a communications port used with the system.

A supplier began work on security improvements shortly thereafter, the company said, and those changes made it into later production vehicles. But the software patch for other potentially affected vehicles was not released until this month.

A Fiat Chrysler spokesman, Berj Alexanian, declined to comment on the precise timeline of when the patch was developed, but said that since its release the company has “taken more steps to ensure the confidence and security of our customers,” including deciding, “in an abundance of caution, to continue the distribution under the auspices of a recall.”

“This will maximize awareness of the software’s availability and expedite its proliferation,” he said.

One thing remains clear, however: The repercussions of the first hacking-related auto recall are only beginning.

“This was a wake-up call for automakers,” said Michelle Krebs, a senior analyst with Autotrader.com. “I will bet emergency meetings are being called at many auto companies.”

Web security specialists say that while intrusions into consumers’ computers and phones result in financial damage, or possibly issues like identity theft, the danger posed by vehicles is unique in its potential to inflict physical harm.

“The transformation you’ve seen is that hacking has moved into the safety realm,” said Jon Allen, a security specialist with Booz Allen Hamilton. “Autos take it to a new level.”

On Capitol Hill, lawmakers called for ensuring that other automakers do not face similar problems.

“Both automakers and N.H.T.S.A. should be immediately taking steps to verify that other similar vulnerabilities do not exist in other models that are on the road,” said Senator Edward Markey, Democrat of Massachusetts.

Mr. Markey, along with Senator Richard Blumenthal, Democrat of Connecticut, recently drafted legislation to set federal standards for web security protection in vehicles.

The chairman of the House Energy and Commerce Committee, Fred Upton, Republican of Michigan, and the panel’s top Democrat, Frank Pallone Jr. of New Jersey, also issued a statement, saying that “cars today are essentially computers on wheels, and the last thing drivers should have to worry about is some hacker along for the ride.”
