More disturbing details about the Jeep hack

July 23, 2015, 6:26 PM UTC

Last week, Wired magazine revealed that two hackers were able to remotely disrupt the driving of a 2014 Jeep Cherokee driven by one of the magazine’s writers, even turning off the car’s transmission. While embarrassing and worrisome to Jeep’s corporate parent, Fiat Chrysler Automobiles N.V., it also was more than a little scary for anyone who owns a Jeep.

But a Wednesday blog post from FCA reveals even more troubling details. It turns out that FCA was aware of the hackers’ work for quite a while; the company had been communicating with the hackers – Charlie Miller and Chris Valasek – for the past year, according to the blog post by FCA vice president of communications Gualberto Ranieri.

In the post, Ranieri didn’t describe the content of the conversations with the hackers – or whether they were helping FCA – though the timing of the Wired article suggests that FCA’s efforts to improve the car’s digital security had been under way for some time prior to publication.

Doing business with self-styled hackers, whether their intent is noble or otherwise, is tricky for the maker of any product. The victims of a future intrusion or hack could legitimately claim that FCA should have gone immediately and directly to police or other authorities. On the other hand, it’s understandable that FCA’s own engineers and suppliers would want to learn as quickly as possible how to close loopholes and protect themselves against mischief and crime.

It was only last week that FCA notified owners of ten models, including Ram pickups, Chrysler 200s and Grand Cherokees, of a software update to improve security. (It didn’t explain that hackers had been able to wirelessly control Jeep functions, like radio and windshield wipers.) On Wednesday, Ranieri wrote that FCA doesn’t know of “a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle.”

According to Wired, the hackers were able to control remotely some of the Jeep’s functions even while Wired magazine writer Andy Greenberg was behind the wheel. Greenberg was cooperating with the hackers for the purpose of the story. The pair badly frightened him when they remotely turned off the car’s transmission, forcing him off Interstate 64, near St. Louis – after a semi-trailer bore down on his limping vehicle.

In an email interview with Fortune, Ranieri declined to say how many FCA owners received the software update. He said FCA sent the update to owners of those models equipped with FCA’s Uconnect infotainment system and an 8.4-inch touch screen. Uconnect links to the Internet via a cellular connection through Sprint, also creating a WiFi hotspot in the car. Earlier hacks by Miller and Valasek on a Ford Motor Co. vehicle driven by Greenberg were accomplished via a direct wire connection.

Owners of the affected vehicles can download the update to a USB drive and manually install it in the vehicle. Otherwise, a dealer can do the job, FCA said. So far, automakers can’t push software updates wirelessly – though that capability is under development.

Next week at the Black Hat cyber security conference in Las Vegas, Miller and Valasek plan to release the code that gained them access to Greenberg’s Jeep – a move that FCA opposes as dangerous. In the hackers’ view, the release will help automakers gain awareness and skill at blocking intrusions.