Fiat Chrysler Automobiles (FCA) and supplier Harman are under regulatory scrutiny in the US after the automaker reportedly delayed 18 months before telling NHTSA about a security flaw in radios fitted in over 1m vehicles.
Hackers last month exploited the flaw to seize control of a Jeep.
According to Bloomberg, the automaker claimed it was working on a solution and didn’t consider the problem a safety defect but, soon after being notified by the automaker, NHTSA prodded FCA last month to recall 1.4m cars and trucks in the first such action prompted by cybersecurity safety concerns.
Days later, Fiat Chrysler agreed to a US$105m penalty connected with its recall performance on other issues, as NHTSA faces criticism for failing to promptly get unsafe vehicles off the roads.
A senate report last year concluded only two of 16 automakers could detect and respond to a hacking attack, Bloomberg noted.
“We want to make sure the automakers and regulators stay ahead of this,” Mark Rechtin, autos editor of Consumer Reports, told Bloomberg. There have been no reports of hackers being able to access random cars but: “Once it happens, and it happens badly, no one will be able to trust their cars.”
Since the Jeep demo, another hacker has claimed there are vulnerabilities with General Motors’ OnStar navigation system mobile app. There has also been a rise in vehicle thefts using key-cloning systems for electronic fobs.
NHTSA has an open audit of the Fiat Chrysler recall to make sure it includes all potentially affected vehicles and the company’s fix actually works, agency spokesman Gordon Trowbridge told Bloomberg. An investigation into Harman International, supplier of the Uconnect communications system used by Fiat Chrysler, is also active.
Trowbridge said another immediate focus is whether other automakers with similar systems have the same vulnerability. The agency has been talking regularly with manufacturers and suppliers on cybersecurity, Trowbridge added.
Automakers have contacted NHTSA “to let us know they are aware of the issue and the steps they are taking to assess their own security protections,” Trowbridge reportedly said.
The Fiat Chrysler hacking experiment should serve as “a wake-up call” to automakers to be more proactive in securing software and other systems, or else face new government regulations mandating security, Ken Westin, a security analyst with cybersecurity company Tripwire, told Bloomberg.
Westin reportedly is sceptical of government regulation and not convinced an agency like NHTSA has resources and expertise to oversee cybersecurity.
“A lot of the automakers are going to start demanding independent verification” of software and products, he said. “We see this in other areas of security when there’s a breach from a third party.”
The vulnerability exposed in the Jeep hacking incident is unique to Fiat Chrysler, Harman CEO Dinesh Paliwal told Bloomberg, adding automakers modify radios and entertainment systems to suit customers.