1.4m Fiat Chrysler radio hack recall may be tip of iceberg

Fiat Chrysler's hackable infotainment may be the tip of the iceberg, with safety regulators broadening investigations to see if other automakers are at risk. Fiat Chrysler recalled 1.4m Dodge, Jeep, and Chrysler vehicles after a flaw was identified in its Uconnect system, potentially allowing hackers to access the dashboard systems while the car is moving. The National Highway Traffic Safety Administration has now requested further data from infotainment provider Harman Kardon, with an estimated 2.8m systems now under the microscope.

The NHTSA did not specify which of Harman Kardon's other automaker customers might be using the systems in question, though it did indicate that they were for vehicles other than the original Fiat Chrysler models identified.

Its probe is intended "to determine the nature and extent of similarities in other infotainment products provided to other vehicle manufacturers," the NHTSA said in an announcement, with the investigation filed on July 29.

"If sufficient similarities exist," it continued, "the investigation will examine if there is cause for concern that security issues exist in other Harman Kardon products."

Harman Kardon is an established auto-component supplier, and has a number of well-known automakers on its books. According to the company, it provides systems for BMW, Mercedes-Benz, Subaru, and Volvo, among others.

Fiat Chrysler already has a fix for the affected Uconnect systems, saying in a statement last month that it had "applied network-level security measures to prevent the type of remote manipulation demonstrated" in the proof-of-concept hack.

"These measures – which required no customer or dealer actions – block remote access to certain vehicle systems and were fully tested and implemented within the cellular network on July 23, 2015," FCA continued.

Meanwhile, the company also offered a USB stick to upgrade affected cars – including versions of the Jeep Grand Cherokee, Dodge Challenger, and Chrysler 300 – to a new version of Uconnect, though it insisted that the update only consisted of "additional security features independent of the network-level measures."

No other automaker has commented on the exploit.

SOURCE: NHTSA