U.S. Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Alert (ICS-ALERT-15-203-01)

FCA Uconnect Vulnerability

Original release date: July 22, 2015 | Last revised: September 17, 2015

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



SUMMARY

NCCIC/ICS-CERT is aware of a public report and video of researchers demonstrating remote exploits on a magazine reporter’s automobile. The report and video are available at: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. The report and video focus on unauthorized remote access to the Fiat Chrysler Automobile (FCA) Connect automotive infotainment system. According to this report, the vulnerability is exploitable by leveraging known VIN information to the Uconnect system via the Sprint network. The report itself claims the researchers have been sharing this research with FCA for nearly 9 months. FCA released a security notice and a firmware patch to owners of vehicles with the Uconnect feature on July 16, 2015. ICS-CERT is issuing this alert to provide notice of this report and video, and that a patch is available from the FCA.

The report included vulnerability details for the following vulnerability:

Vulnerability TypeRemotely ExploitableImpact
AuthenticationYesRemote Code Execution, loss of availability

FOLLOW-UP

ICS-CERT released the follow-up advisory titled ICSA-15-260-01 Harman-Kardon Uconnect Vulnerability on September 17, 2015, on the ICS-CERT web site.a

MITIGATION

FCA sent a security notice to all users of Uconnect, which can be viewed here:

http://media.fcanorthamerica.com/newsrelease.do?id=16827&mid=1

The patch for Uconnect can be obtained at:

http://www.driveuconnect.com/software-update/                 

FCA has also posted a rebuttal blog concerning the released report, and additional information on where and how affected customers may download a software update to USB devices to use in their personal vehicles. This information is available at:

http://blog.fcanorthamerica.com/2015/07/22/unhacking-the-hacked-jeep/

Affected customers can use the following link to make an appointment with a US FCA dealership to have this update installed:

http://www.mopar.com/find-a-dealer/.

The patch when applied removes the ability for an unauthorized user from exploiting this particular vulnerability and prevents them from interfacing with the car over the Internet. ICS‑CERT is currently coordinating with the vendor and security researcher to identify any additional mitigations.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

 


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  http://ics-cert.us-cert.gov 
or incident reporting:  https://ics-cert.us-cert.gov/Report-Incident?

The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top