Fiat Chrysler will recall 1.4 million vehicles in the United States to install software to prevent hackers from gaining remote control of the engine, steering and other systems in what federal officials said was the first such action of its kind.
The announcement on Friday by FCA US LLC, formerly Chrysler Group LLC, was made days after reports that cybersecurity researchers used a wireless connection to turn off a Jeep Cherokee's engine as it drove, increasing concerns about the safety of Internet-enabled vehicles, Reuters reported.
The researchers used Fiat Chrysler's telematics system to break into a volunteer's Cherokee being driven on the highway and issue commands to the engine, steering and brakes.
The National Highway Traffic Safety Administration said on Friday it would investigate whether FCA's solution to upgrade software was enough to protect consumers from hackers, although FCA said in its recall announcement that it was unaware of any injuries.
A spokesman for NHTSA said it was the first recall of vehicles because of concerns about cybersecurity, and experts said they hoped it would send a shock through the auto industry and beyond.
Risks of Connectivity
The risks of increasing connectivity to physical devices extend far beyond cars and into hospitals, chemical plants and factories, they said.
"It's a huge problem, and it's an architectural problem with this Internet-of-Things concept," said Nicholas Weaver, a security researcher at the nonprofit International Computer Science Institute in Berkeley, California.
He said there is currently a divide in design: cars and other products can be made accessible from a variety of sources, such as smartphones, as with the Cherokee, or they can be designed to communicate only with a single authenticated server.
Products designed to be accessible by a range of means, including smartphones, leave a large "attack surface" that is easier to penetrate. But products that communicate only with a single authenticated server allow the company that owns the server to compile a raft of information about the user, increasing privacy concerns, Weaver said.
Ed Skoudis, an expert in securing connected devices, said the fact that the recall came so soon after publication of the FCA cybersecurity issue "is a shot across the bow of other IoT manufacturers that this could cost them a lot of money."
Skoudis said he hoped companies would reconsider what they spend on security earlier in the design process to avoid similar recalls, lawsuits and the threat of increased regulation.