Only Fiat Chrysler cars were vulnerable to hackers, says NHTSA

The federal agency says last summer's recall of 1.4 million Jeep, Chrysler, Dodge and Ram vehicles closed the gap that allowed hackers to remotely take over a Jeep Cherokee.

Salesperson Jerry Camero, right, delivers a 2016 Jeep Cherokee Limited to a customer at a Fiat Chrysler dealer in Doral, Fla. in November 2015.

(AP Photo/Alan Diaz)

January 9, 2016

Federal safety regulators have determined that only Fiat Chrysler radios have a security flaw that allowed friendly hackers to take control of a Jeep last year.

The National Highway Traffic Safety Administration said in documents posted online Saturday that it's ending a five-month investigation into the vulnerabilities of automotive radios.

The agency also said last summer's recall of 1.4 million Jeep, Chrysler, Dodge and Ram vehicles closed the opening that allowed hackers to remotely take over a Jeep Cherokee.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

The hack by security experts Charlie Miller and Chris Valasek touched off the NHTSA investigation in July and raised fears that millions of cars and trucks could be vulnerable. They were able to change the Cherokee's speed and control the brakes, radio, windshield wipers and transmission through the Uconnect infotainment system.

The hackers informed Fiat Chrysler of their findings and detailed them at a cyber conference, triggering the investigation.

But the fear of widespread vulnerability to hackers appears to be unfounded. NHTSA investigators said in documents that similar radios made by Harman International went to Volkswagen, Audi and Bentley, but that those vehicles have safety systems that would stop hackers.

"Based on a thorough review of technical information supplied during the course of this investigation, there does not appear to be a reason to suspect that the infotainment head units Harman supplied to other vehicle manufacturers contain the vulnerabilities identified by FCA," NHTSA said in the documents.

In addition, the agency said Sprint, Fiat Chrysler's wireless provider, blocked access to a radio communications port that was unintentionally left open. The FCA recall also included software changes that thwarted hackers, the agency said.

"Third party security evaluation and regression testing identified vulnerabilities that were either remedied by Sprint or through updates to the FCA Uconnect software," the agency said.

NHTSA also checked 30 consumer complaints to the company and the agency but could not confirm that hackers caused any of the reported problems.

In February 2015, Sen. Edward Markey (D) of Massachusetts said that as automakers load up cars with electronics and wireless technology, they have failed to adequately protect those features against the possibility that hackers could take control of vehicles or steal personal data. He sent a series of questions about the technology to manufacturers, reported The Associated Press.

The responses from 16 manufacturers "reveal there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information," a report by Markey's staff concludes.

Most new cars are also capable of collecting large amounts of data on a vehicle's driving history through an array of pre-installed technologies, including navigation systems, telematics, infotainment, emergency assistance systems and remote disabling devices that allow car dealers to track and disable vehicles whose drivers don't keep up with their payments or that are reported stolen, the report said.

Half the manufacturers said they wirelessly transfer information on driving history from vehicles to another location, often using third-party companies, and most don't describe "an effective means to secure the data," the report said.

Today's cars and light trucks typically contain more than 50 electronic control units — effectively small computers — that are part of a network in the car. At the same time, nearly all new cars on the market today include at least some wireless entry points to these computers, such as tire pressure monitoring systems, Bluetooth, Internet access, keyless entry, remote start, navigation systems, WiFi, anti-theft systems and cellular-telematics, the report said. Only three automakers said they still have some models without wireless entry, but those models are a small and declining share of their fleets.