Vulnerability Note VU#819439
Fiat Chrysler Automobiles UConnect allows a vehicle to be remotely controlled
Fiat Chrysler Automobiles (FCA) UConnect may allow a remote attacker to control physical vehicle functions.
According to a WIRED news article, an unknown vulnerability in FCA UConnect software allows some functions of recent models of Jeep Cherokee to be controlled by a remote attacker. Other FCA makes (including Chrysler, Dodge, and Ram) that use UConnect may also be vulnerable.
FCA with the National Highway and Transportation Safety Administration (NHTSA) has initiated a safety recall (NHTSA campaign 15V461000, "Radio Software Security Vulnerabilities") for all possibly affected makes and models:
For more information, see NHTSA's report and the chronology of events leading to the recall.
It appears that some UConnect systems were configured with services listening on the Sprint mobile network. An attacker would have to have access to the Sprint mobile network.
FCA vehicles are designed with safety systems that mitigate, but do not completely prevent, this type of attack.
The researchers Miller and Valasek have released a whitepaper detailing their findings. Previously, they talked about attack surfaces against cars at Black Hat 2014.
The paper Comprehensive Experimental Analyses of Automotive Attack Surfaces, published in 2011, documents similar research, including successful experiments gaining remote control of physical vehicle functions.
A remote attacker could control some physical functions of a vulnerable vehicle, potentially causing significant physical damage and serious or fatal injury.
An FCA blog post states that the researchers could "...remotely controlled some functions..." but that "To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle."
Apply an update
Threat modeling and secure architecture
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Fiat Chrysler Automobiles||Affected||-||27 Jul 2015|
CVSS Metrics (Learn More)
This vulnerability was publicly demonstrated by Charlie Miller and Chris Valasek, and initially reported by WIRED magazine. Thanks to FCA for quickly working with us to issue this vulnerability note.
This document was written by Garret Wassermann and Art Manion.
- CVE IDs: Unknown
- Date Public: 21 Jul 2015
- Date First Published: 24 Jul 2015
- Date Last Updated: 14 Sep 2015
- Document Revision: 78
If you have feedback, comments, or additional information about this vulnerability, please send us email.