"The Homeland Security folks sent out broadcasts that, 'Here's an issue that needs to be addressed,'" said Nathaniel Beuse, an associate administrator with the National Highway Traffic Safety Administration. Valasek and Miller commandeered remote control of the Cherokee through a security flaw in the cellular connection to the car's Uconnect infotainment system. From his Pittsburgh home, Valasek manipulated critical safety inputs, such as transmission function, on Miller's Jeep as he drove along a highway near St. Louis, MO.
The prominent cyber-security researchers needed no prior access to the vehicle to perform the hack, and the scope of the remote breach is believed to be the first of its kind.
A NHTSA spokesperson said the agency's cyber-security staff members are "putting their expertise to work assessing this threat and the response, and we will take action if we determine it's necessary to protect safety." A Homeland Security spokesperson referred questions about the hack to Chrysler.
Fiat Chrysler Automobiles has already been the subject of a federal hearing this month, in which officials scrutinized whether the company had adequately fixed recalled vehicles and repeatedly failed to notify the government about defects. But cyber-security concerns are a new and different species for the regulatory agency.
Only hours before the Jeep hack was announced by Wired magazine earlier this week, NHTSA administrator Dr. Mark Rosekind said hacking vulnerabilities were a threat to privacy, safety, and the public's trust with new connected and autonomous technologies that allow vehicles to communicate. NHTSA outlined its response to the cyber-security challenges facing the industry in a report issued Tuesday. In it, the agency summarized its best practices for thwarting attacks and said it will analyze possible real-time infiltration responses.
But the agency's ability to handle hackers may only go so far. NHTSA requested a provision in the Grow America Act of 2015 that would have made it a criminal act to maliciously hack a car, but those provisions have been eliminated from the current version of the bill before the Senate.
Beuse said NHTSA had asked for new authority to do joint cyber-security research with other government agencies. That portion of the agency's request stayed in the pending legislation. "That's a good thing," he said, speaking at an automated-vehicle conference. "The other thing in there that we didn't get was criminal penalties for hackers. We're recognizing some things that we're working quickly to get resolved. We're going to use all the tools that we have."
Perhaps lawmakers will reconsider that provision in light of the Jeep hack. In the meantime, they're confronting the car-hacking threat in other ways. In separate legislation, Senators Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) proposed a law Tuesday that would better protect drivers from cyber hackers and provide more information to car buyers. A House subcommittee is probing the automakers and NHTSA's ability to counter cyber threats.
The Uconnect vulnerability potentially affects not just Jeep Cherokees, but many of the company's models equipped with the infotainment system. Valasek and Miller informed the company of their findings months ago, and Chrysler says it has a software patch available for affected customers to download. They can also have their local dealership install the software patch.
Although the auto industry has taken hacking threats more seriously in recent years, the researchers' findings underscore that flaws are still a sore spot.
"When we first started talking about cyber security two to three years ago, it was always like, 'It's too hard, so no one will do it,'" Beuse said. "With Wired magazine, this is the first example of what's to come. It's going to be pretty dynamic, and NHTSA and the industry will have to adapt."