ICS Alert

FCA Uconnect Vulnerability

Last Revised
Alert Code
ICS-ALERT-15-203-01

Description

NCCIC/ICS-CERT is aware of a public report and video of researchers demonstrating remote exploits on a magazine reporter’s automobile. The report and video focus on unauthorized remote access to the Fiat Chrysler Automobile (FCA) Connect automotive infotainment system. ICS-CERT is issuing this alert to provide notice of this report and video, and that a patch is available from the FCA.

SUMMARY

NCCIC/ICS-CERT is aware of a public report and video of researchers demonstrating remote exploits on a magazine reporter’s automobile. The report and video are available at: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. The report and video focus on unauthorized remote access to the Fiat Chrysler Automobile (FCA) Connect automotive infotainment system. According to this report, the vulnerability is exploitable by leveraging known VIN information to reach the Uconnect system via the Sprint network. The report itself claims the researchers have been sharing this research with FCA for nearly 9 months. FCA released a security notice and a firmware patch to owners of vehicles with the Uconnect feature on July 16, 2015. ICS-CERT is issuing this alert to provide notice of this report and video, and that a patch is available from the FCA.

The report included vulnerability details for the following vulnerability:

Vulnerability Type | Remotely Exploitable | Impact
Authentication     | Yes                  | Remote Code Execution, loss of availability

FOLLOW-UP

ICS-CERT released the follow-up advisory titled ICSA-15-260-01 Harman-Kardon Uconnect Vulnerability on September 17, 2015, on the ICS-CERT web site.

ICSA-15-260-01 Harman-Kardon Uconnect Vulnerability, https://ics-cert.us-cert.gov/advisories/ICSA-15-260-01, web site last accessed September 17, 2015.

MITIGATION

FCA sent a security notice to all users of Uconnect, which can be viewed here:

http://media.fcanorthamerica.com/newsrelease.do?id=16827&mid=1

The patch for Uconnect can be obtained at:

http://www.driveuconnect.com/software-update/

FCA has also posted a rebuttal blog concerning the released report, and additional information on where and how affected customers may download a software update to USB devices to use in their personal vehicles. This information is available at:

http://blog.fcanorthamerica.com/2015/07/22/unhacking-the-hacked-jeep/

Affected customers can use the following link to make an appointment with a US FCA dealership to have this update installed:

http://www.mopar.com/find-a-dealer/

Once applied, the patch removes the ability of an unauthorized user to exploit this particular vulnerability and prevents them from interfacing with the car over the Internet. ICS-CERT is currently coordinating with the vendor and security researcher to identify any additional mitigations.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.


Vendor

FCA