Fiat Chrysler cars were the only vehicles subject to a cyber-security flaw that allowed “white hat” hackers to take control of a Jeep last July, according to the National Highway Traffic Safety Administration. White hat hackers are computer security experts who specialize in penetration testing to ensure the security of an organization’s information systems, sometimes referred to as “ethical hacking.”
As we previously reported, legislation aimed at protecting drivers was introduced in November 2015 after researchers demonstrated that they could hack a Jeep’s internal system and take control of the vehicle on a highway while stationed in a house 10 miles away. The Jeep hack also caused the recall of 1.4 million Jeep, Chrysler, Dodge, and Ram vehicles, and pushed the NHTSA to launch an investigation into whether other automakers were exposed to similar vulnerabilities.
After a five-month investigation, the NHTSA concluded that only the Fiat Chrysler’s radio systems possessed a security flaw that could allow attackers to breach a vehicle’s systems and take over control of the vehicle’s speed, brakes, radio, windshield wipers, and transmission. The administration reported that the recall addressed the flaw and that fear of widespread vulnerability to hackers appears to be unfounded.
With such statements, it is likely that talented individuals are looking for other vulnerabilities in vehicle systems, refrigerators, home security systems, and all the other common devices which now (or soon will be) taking advantage of internet connectivity. Consumers have been subject to unknown cyber security risks for years in the form of modems with open backdoors, to Wi-Fi routers with embedded, uniform administrative passwords (and consumers not understanding hardening concepts). Highlighting such threats in a manner that can manifest in physical harm may bring further attention to the broader set of issues which have been ever present in firmware and middleware devices. Additionally, the costs for Fiat Chrysler to address the recall and in goodwill cannot be discounted. The lesson remains – companies need to be thoughtful about achieving the proper balance between business functionality, privacy, and cyber security. Involving the right parties throughout the product lifecycle through sound information governance is key, and inevitably will be required.