Sprint says its network not at fault in hacking demonstration of Chrysler vehicles

Sprint (NYSE: S) said its network was not the culprit behind a recent media exposé that revealed how connected Fiat Chrysler vehicles were vulnerable to hacking and remote manipulation. Fiat Chrysler has made network-level changes to update the security of its vehicles and announced a voluntary recall of 1.4 million vehicles.

While some analysts fault Sprint, whose network supports Fiat Chrysler's Uconnect infotainment system, others said the concerns were overblown by the initial Wired story from last week about a remotely hacked Jeep Cherokee. According to the report, Uconnect's cellular connection lets anyone who knows the car's IP address gain access to the system's functionality from anywhere in the country.

"This matter was related to software in certain vehicles equipped with 8.4-inch touchscreens and not to Sprint, the carrier providing connectivity to the touchscreens," Sprint said in a statement to FierceWireless. "At the automaker's direction, we provided assistance by developing and implementing a network-level measure to prevent unauthorized remote network access to the software in the touchscreens."

Chris Valasek, one of the security researchers who conducted the Uconnect hacking, said after the network-level changes were implemented that he was unable to conduct the hack again.

Fiat Chrysler said in a statement that it has "applied network-level security measures to prevent the type of remote manipulation demonstrated in a recent media report. These measures--which required no customer or dealer actions--block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015."

The automaker said it "is unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents--independent of the media demonstration."

The car maker said customers affected by the recall will receive a USB device that they may use to upgrade vehicle software, which "provides additional security features independent of the network-level measures." Fiat Chrysler said "the software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code. No defect has been found. FCA US is conducting this campaign out of an abundance of caution."

A Chrysler spokesman declined to comment beyond the company's statement and said he could not disclose how the vehicle's systems in the Wired article were hacked. "There has been much public discussion surrounding cyber-security risks in virtually all aspects of our everyday lives," he told FierceWireless. "Appropriately, this discussion is also relevant to the automotive sector as increasing concern is expressed by customers, advocates and manufacturers that vehicle information systems remain secure from risks to customer safety and privacy."

Fiat Chrysler is the only publicly named customer of Sprint's Velocity telematics platform. In contrast, AT&T Mobility (NYSE:T) has spent the last several years investing in the connected car market and has deals with General Motors, Nissan, Audi, Tesla, BMW, Subaru, Ford Motor Co. and Volvo. AT&T expects to have at least 50 percent market share of new connected cars in 2015. 

Strategy Analytics analyst Roger Lanctot stressed that he is not a security expert, but he said his conversations with those in the automotive industry "point to unavoidable culpability and involvement of Sprint because Chrysler was using the Sprint Velocity platform. So that means they had integration responsibility for the telematics control unit in the car."

Like other carriers around the world, Lanctot said, Sprint has been trying to play a value-added role as a systems integrator for a car company. Sprint, he said, presumably has deep knowledge about securing M2M connections since it does so all over the country every day. "So to have this happen is a very significant embarrassment," he said. "It should simply never have happened."

Kerton Group analyst Derek Kerton said that he thinks the argument cuts both ways. "I both think it's completely overstated in terms of the threat. On the other hand, I think it does reveal some vulnerabilities."

Kerton said that because Fiat Chrysler and Sprint are saying so little it's tough to know how big of a problem there is, but he said that he thinks the Wired article made it unclear if the hackers needed physical access to the vehicle to hack into its system. That would make the potential vulnerability much less severe.

At the same time, he said, "one of the few things we know is that the firewall between car driving and infotainment electronics was breached," and that the hackers were able "to go from Uconnect and then into the rest of the car," which he said is not supposed to happen.  

The overarching message is that carriers and device makers need to enhance security for the Internet of Things, Kerton said. "This is revealing that IoT is a slightly different game than what carriers are used to," he said.
