Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Fiat Chrysler's bad week just got even worse: the US National Highway Traffic Safety Administration has recalled 1.4 million of the manufacturer's cars after a dangerous software flaw was revealed just days ago.

Renowned hackers Charlie Miller and Chris Valasek warned on Tuesday of a ridiculous vuln in the computer systems built into Fiat Chrysler cars: the flaw can be exploited by an attacker to wirelessly take control of the engine, brakes and entertainment system.

The cars connect to the internet via Fiat Chrysler's uConnect cellular network, and thus can be accessed and tampered with from miles away by anyone who knows the vehicle's public IP address. No authentication is required. The US network has been attempting to block incoming connections, we're told.

The NHTSA has also been probing whether or not Fiat Chrysler's efforts to patch the vuln were fully effective. The motor giant has produced a software fix for the root cause of the vulnerability – unfortunately, the update has to be manually installed via a USB stick plugged into the car.

"In an effort to mitigate the effects of this security vulnerability, Chrysler has had the wireless service provider close the open cellular connection to the vehicle that provided unauthorized access to the vehicle network," said the NHTSA recall notice.

"This measure may not have been implemented on all vehicles and does not address access by other means that will be remedied by the software update. The manufacturer has not yet provided a notification schedule."

The recall affects five models of Fiat Chrysler's 2013-2015 Ram range, 2014-2015 Jeep Grand Cherokee, Cherokee and Dodge Durango models, this year's Dodge Charger and Dodge Challenger vehicles and any Dodge Viper sold in the past two years.