Fiat Fixes Auto Remote Exploit

Thursday, July 23, 2015 @ 03:07 PM gHale

As technology in the automotive industry advances, hacking into and taking over a vehicle is getting more publicity these days.

Along those lines, Fiat Chrysler Automobile (FCA) patched a vulnerability in its automotive infotainment system after a public report and video showed researchers demonstrating remote exploits on a magazine reporter’s automobile, according to a report on ICS-CERT.

The report and video focus on unauthorized remote access to the Fiat Chrysler Automobile (FCA) Uconnect automotive infotainment system.

The report found the vulnerability is exploitable by leveraging known VIN information against the Uconnect system via the Sprint network. The report said the researchers had been sharing their research with FCA for nearly 9 months. FCA released a security notice and a firmware patch to owners of vehicles with the Uconnect feature on July 16.

ICS-CERT issued its alert to give notice of this report and video and to note that a patch is available from FCA.

The report included vulnerability details for the remotely exploitable authentication vulnerability that could lead to a loss of availability.

FCA sent a security notice to all users of Uconnect.

Click here for the patch for Uconnect.

FCA has also posted a rebuttal blog concerning the released report, and additional information on where and how affected customers may download a software update to USB devices to use in their personal vehicles.

Affected customers can use the following link to make an appointment with a US FCA dealership to have this update installed.

When applied, the patch removes the ability of an unauthorized user to exploit this vulnerability and prevents them from interfacing with the car over the Internet. ICS-CERT is currently coordinating with the vendor and security researcher to identify any additional mitigations.