DETROIT -- Fiat Chrysler will recall 1.4 million vehicles to close the software loophole that allowed hackers to remotely take control of a 2014 Jeep Cherokee.
FCA US said it "has applied network-level security measures" to block hackers from the ability to remotely access its vehicles via their Internet-ready Uconnect radios.
The recall involves a software patch that also stops the type of hack attack demonstrated by professional hackers Charlie Miller and Chris Valasek. The patch can either be installed at the dealer, or downloaded by a consumer and installed into the radio via a USB flash drive.
Previously, the automaker had only advised owners to download the software patch or take their vehicle to a dealer to have it installed. The campaign was stepped up to a formal recall and broadened today by FCA to include more vehicles, all equipped with 8.4-inch touchscreen Uconnect radios:
- 2013-15 Dodge Viper specialty vehicles
- 2013-15 Ram 1500, 2500 and 3500 pickups
- 2013-15 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-15 Jeep Grand Cherokee and Cherokee SUVs
- 2014-15 Dodge Durango SUVs
- 2015 Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes
The Dodge Dart and Journey, which also have 8.4-inch touchscreen Uconnect radios, are not affected, a spokesman confirmed.
To install the software patch, FCA said customers should visit a dedicated website and update and input their vehicle identification number and determine whether their vehicles are included in the recall.
The automaker said that to perform their remote takeover of the 2014 Cherokee, the hackers "required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code."
On Monday, Wired magazine detailed how Mr. Miller and Mr. Valasek were able to take command of an unmodified 2014 Jeep Cherokee while it was being driven on a St. Louis highway by journalist Andy Greenberg.
They did so via the SUV's Internet-connected Uconnect radio, which receives data through the Sprint cellular network.
Working via laptop computers from home, the hackers blasted the Cherokee's radio, turned on the wipers and a torrent of washer fluid and eventually shut off the Cherokee's engine while it was traveling on the highway.
Later, in a parking lot, they demonstrated how they could take control of the Cherokee's steering wheel, but only while the transmission was in reverse, and even disable the brakes, sending the SUV into a ditch.
FCA has come under fire from federal regulators and could face possible fines or other penalties for its handling of recent recalls.
National Highway Traffic Safety Administration chief Mark Rosekind said in a statement Friday that the agency "encouraged" FCA to elevate the voluntary software update to a full recall. The move was needed to demonstrate the "swift and strong response" that should follow the discovery of vehicle cyber vulnerabilities, Mr. Rosekind said.
Mr. Rosekind's comments signaled that automakers should take similar steps in the future when facing cybersecurity threats.
"NHTSA appreciates that FCA has already taken action to partially address this vulnerability by working with its cellular provider," Mr. Rosekind said. "Launching a recall is the right step to protect Fiat Chrysler's customers and it sets an important precedent for how NHTSA and the industry will respond to cybersecurity vulnerabilities."
At the same time, the agency today opened an investigation to assess the effectiveness of FCA's software patch as part of the recall, Mr. Rosekind said.
"Electronics and cybersecurity experts from NHTSA's Office of Defects Investigation and the Electronic Systems Safety Research Division of the Office of Vehicle Safety Research will continue to address this and other cybersecurity threats and take action when necessary to protect public safety," he said.
Earlier this week, Mr. Rosekind outlined the challenges as vehicle connectivity grows and the agency's latest research and priorities on the threat posed by cybersecurity.
--Larry P. Vellequette is a reporter for Automotive News. AN reporters Ryan Beene and David Phillips contributed to this report.