Fiat Chrysler Didn’t Notify Regulators About Hack Risk for 18 Months

Fiat Chrysler Automobiles NV waited 18 months to tell federal safety regulators about a security flaw in radios being installed in more than a million vehicles that hackers exploited last month to seize control of a Jeep.

The automaker says it was working on a fix and didn’t consider the problem a safety defect. But the National Highway Traffic Safety Administration saw otherwise. Eight days after being notified by the company, the agency pushed Fiat Chrysler last month to recall 1.4 million cars and trucks – the first recall prompted by cybersecurity safety concerns.

The episode came just days before Fiat Chrysler agreed to a $105 million penalty to settle complaints about its recall performance on other issues and as NHTSA faces its own criticism for failing to promptly get unsafe vehicles off the street.

Cybersecurity threats present a new dimension to the problem, one that critics say demands even faster response to keep hackers from worming their way into vehicles and causing havoc. A Senate report last year concluded only two of 16 automakers had the ability to detect and respond to a hacking attack.

“We want to make sure the automakers and regulators stay ahead of this,” said Mark Rechtin, autos editor for Consumer Reports. While there have been no reports of hackers being able to access random cars, “Once it happens, and it happens badly, no one will be able to trust their cars.”

Hacking Details

The researchers who took control of a Jeep will detail their exploit at the Black Hat cybersecurity conference in Las Vegas Wednesday. Two days later at a hacking conference in Los Angeles, another hacker said he will reveal vulnerabilities with General Motors’ OnStar navigation system mobile app. And there’s been a rise in auto thefts using key-cloning systems for electronic fobs.

To help focus regulators’ attention on cyberthreats, the U.S. Senate promised the chronically understaffed agency more resources and personnel in a bill passed last week.

But the funding is contingent on NHTSA making numerous changes in the wake of a Transportation Department Inspector General’s report critical of its slow response in recalls with more typical vehicle issues.

On the cyber front, NHTSA has an open audit of the Fiat Chrysler recall to make sure it includes all potentially affected vehicles and the company’s fix actually works, agency spokesman Gordon Trowbridge said. There’s also an active investigation into Harman International Industries Inc., supplier of the Uconnect communications system used by Fiat Chrysler.

Same Vulnerability

Another immediate focus is whether other automakers with similar systems have the same vulnerability, Trowbridge said. The agency has been having regular conversations with manufacturers and suppliers on cybersecurity, he said.

Automakers have reached out to NHTSA “to let us know they are aware of the issue and the steps they are taking to assess their own security protections,” Trowbridge said.

The auto industry’s two biggest trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, said July 14 they would form an information-sharing and analysis center by the end of the year to collaborate against emerging cyber threats.

More Proactive

The Fiat Chrysler hacking experiment should serve as “a wake-up call” to automakers to be more proactive to secure software and other systems, or else they’ll face new government regulations mandating security, said Ken Westin, a security analyst with the cybersecurity company Tripwire Inc. based in Portland, Oregon.

Westin is skeptical of government regulation and isn’t convinced that an agency like NHTSA has the resources and expertise to oversee cybersecurity.

Harman needs to let independent researchers test its devices and software, Westin said. Hacking vulnerabilities are often created not because products and software from vendors are insecure, but because of how they are applied and configured in a certain setting, he said.

“A lot of the automakers are going to start demanding independent verification” of software and products, he said. “We see this in other areas of security when there’s a breach from a third party.”

Unique Vulnerability

The vulnerability exposed in the Jeep hacking incident is unique to Fiat Chrysler, Harman Chief Executive Officer Dinesh Paliwal said in an interview Tuesday. Automakers modify radios and entertainment systems to suit their customers, he said.

“This does not exist, to our assessment, in any other vehicle,” he said.

A Harman spokesman declined to comment on why it took 18 months to inform regulators about the vulnerability.

Documents Fiat Chrysler filed with NHTSA note that it didn’t consider the software issue, identified by a third party in January 2014, to be a safety defect under U.S. law. Under the Motor Vehicle Safety Act, which governs how and when recalls are conducted, automakers must notify NHTSA within five days of discovering a flaw that presents an unreasonable risk to public safety.

Fiat Chrysler said in a statement it advised NHTSA of the security issue “in a reasonable and timely manner.” The company said it’s “conducting a remedial campaign as a safety recall in the interest of protecting its customers” out of “an abundance of caution.”

Hacking Demonstration

What changed was the Jeep hacking demonstration, published in Wired magazine last month, illustrating the threat for the public. Charlie Miller and Chris Valasek, the hackers, were able to use their laptops to take over a Jeep Cherokee driven by a reporter. The two say they were able to access the SUV’s electronic control units, controlling functions like speed and braking.

The company said it contacted NHTSA after the hackers informed the company of their plan to publicize the security flaw at Black Hat, including information to facilitate unauthorized and unlawful access to Fiat Chrysler vehicles.

“Prior to last month, the precise means of the demonstrated manipulation was not known,” Fiat Chrysler spokesman Eric Mayne said in an e-mail. The company “opposes irresponsible disclosure of explicit ‘how-to’ information that could help criminals gain unauthorized access to vehicle systems.”

Other Products

The NHTSA notice of its Harman investigation said that the vulnerability may exist in products it supplies to other companies. Harman’s website indicates it supplies entertainment systems to BMW AG as well as the Mercedes-Benz brand of Daimler AG. Both companies said their vehicles were safe.

BMW’s information and entertainment system is separated from the safety-relevant driving system by several gateways that implement firewalls, message filtering and message blocking, the company said in an e-mailed statement.

Mercedes-Benz spokesman Benjamin Oberkersch said the German manufacturer is taking comprehensive measures to protect its cars from hacking attacks. He declined to comment on the Harman investigation.

GM became aware of the researcher’s hack July 29 and had patched its server by the next morning, said OnStar spokesman Stuart Fowle. Later on July 30, OnStar found another way hackers could unlock and start the car if the owner of the car used an iPhone. They fixed the app for the Apple phone that same day, Fowle said.

Establish Rules

Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.

The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements. The lawmakers released a report in 2014 on gaps in car-security systems, concluding that only two of 16 automakers had the ability to detect and respond to a hacking attack.

Markey said in an interview that congressional hearings into the GM ignition switch and airbags made by Takata Corp. showed that understaffed and underfunded regulators are sometimes slow to react.

“This whole issue of computers on wheels is something new,” Markey said. “Based upon what happened over the last several years with Takata and all these other issues, we need to ensure they’ve got the resources.”

(With assistance from Mark Clothier in Southfield, Michigan, Christoph Rauwald in Frankfurt and David Welch in New York.)