Products Liability Law Daily NHTSA closes recall query regarding security vulnerabilities in FCA vehicles
Tuesday, January 12, 2016

NHTSA closes recall query regarding security vulnerabilities in FCA vehicles

By John Dumoulin

The National Highway Traffic Safety Administration’s Office of Defects Investigation (ODI) has closed its recall query concerning possible security vulnerabilities in model year 2013 through 2015 vehicles manufactured by Fiat Chrysler Automobiles (FCA). The investigation was related to Safety Recalls 15V-461 and 15V508 that had been launched by FCA (NHTSA ODI InvestigationNo. RQ15-004, January 5, 2016).

Underlying complaint and investigation. On July 23, 2015, FCA launched Safety Recall 15V-461 to remedy security vulnerabilities in approximately 1.4 million model year 2013 through 2015 vehicles equipped with Uconnect head units (HU) 8.4A (RA3 radio) and 8.4AN (RA4 radio) manufactured by Harman International. On July 24, 2015, ODI opened Recall Query RQ 15-004 to investigate HU security vulnerabilities and remedy effectiveness in the recalled population and to determine whether similar units have been supplied for use in other FCA vehicles.

In an August 11, 2015, letter, FCA submitted a second Part 573 safety recall report expanding the scope of the Uconnect RA4 model radio to include an additional 7,810 model year 2015 Jeep Renegade vehicles manufactured from September 18, 2014, through June 25, 2015 (Recall 15V-508). Scope analysis indicated that Uconnect radios installed in FCA vehicles not included in recalls 15V-461 or 15V-508 (subject recalls) are not equipped with built-in cellular access or short-range wireless communication features and, thus, do not contain the security vulnerabilities addressed by the subject recalls.

Vehicles subject to the recalls are: model year 2014 through 2015 Dodge Durango, Jeep Grand Cherokee and Jeep Cherokee sport utility vehicles; model year 2013 through 2015 Ram 1500, 2500, 3500, and 4500/5500 pickup trucks; model year 2013 through 2015 Dodge Viper vehicles; and model year 2015 Chrysler 200, 300, Jeep Renegade, Dodge Charger, and Challenger vehicles.

According to FCA, long- and short-range wireless vulnerabilities identified in the recalled vehicles could allow unauthorized third-party access to, and manipulation of, networked vehicle control systems. Successful exploitation of the vulnerabilities, coupled with reverse engineering of networked microprocessor control modules, could result in unauthorized manipulation of vehicle control systems. This unauthorized manipulation of vehicle controls and systems could expose the driver, vehicle occupants, or other highway users to an increased risk of injury. FCA and its network provider, Sprint, conducted a nationwide campaign to block access to a radio communications port that was unintentionally left open. On July 27, 2015, short-range wireless vulnerabilities were also blocked. Finally, third-party security evaluation and regression testing identified vulnerabilities that were either remedied by Sprint or through updates to the FCA Uconnect software.

ODI identified a total of 30 complaints or field reports on unique vehicles submitted by FCA (29) or received by NHTSA (1) alleging incidents of theft from a vehicle or anomalous performance that the owner alleged were caused by, or may have been caused by, remote hacking. Twenty-six (87 percent) of these reports were submitted after a magazine article was published on July 21, 2015, describing the remote hacking of an FCA vehicle by researchers who were able to affect the operation of various vehicle control systems, including the service brakes, steering, throttle, and ignition. Most of the complaints involved vehicle systems that were not safety critical (e.g., complaints related to radio, navigation system, or air-conditioning control) and did not affect vehicle control.

Three complaints reported engine stalls. One owner reported sudden unintended acceleration allegedly related to hacking. None of the complaints or field reports reviewed involved the steering and braking vehicle control effects demonstrated by the research hackers prior to the recall. There were no confirmed incidents of hacking in any of the records reviewed by ODI.

ODI determination. ODI said the remedies completed by Sprint and FCA appear to have eliminated vulnerabilities that might allow a remote actor to impact vehicle control systems. ODI closed the investigation but said this action does not constitute a finding that a safety-related defect does not exist.

Companies: Chrysler; FCA US LLC

MainStory: TopStory NHTSANews MotorEquipmentNews MotorVehiclesNews

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Reading Products Liability Law Daily on phone

Product Liability Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on product liability legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More