In a Part 573 safety recall report, Fiat Chrysler Automobiles (FCA) notified the NHTSA on July 23, 2015, of certain software security vulnerabilities in approximately 1.4 million model year (MY) 2013 through 2015 vehicles equipped with Uconnect Access head units 8.4A (RA3 radio) and 8.4AN (RA4 radio) manufactured by Harman International (Recalls 15V-461 and 15V-508). According to FCA, software security vulnerabilities in the recalled vehicles could allow unauthorized third-party access to, and manipulation of, networked vehicle control systems. Unauthorized manipulation of vehicle control systems could reduce the driver's control of the vehicle, increasing the risk of a crash with an attendant increased risk of injury to the driver, other vehicle occupants, and other highway users.
On July 29, 2015, the Office of Defects Investigation (ODI) opened Equipment Query, EQ 15-005, to determine the existence, nature and extent of similar security concerns in other head unit (HU) products installed in motor vehicles. On August 12, 2015, the Recall Management Division (RMD) issued an information request (IR) letter to Harman International requesting information pertaining to infotainment HUs provided to other vehicle manufacturers that share, or may share, similar wireless connectivity and to remind Harman of their responsibilities under Federal Law as an equipment manufacturer. Harman International responded and identified all infotainment head units supplied to other vehicle manufacturers with built-in cellular access or short range wireless communication features.
The information submitted indicated that Volkswagen Audi AG and Bentley infotainment HUs used similar versions of the same Uconnect operating system. According to Harman, vulnerabilities identified by FCA are not present in the HUs supplied to Audi AG and Bentley given the distinct hardware components and software architectures of these varying infotainment systems. HU products supplied to the Volkswagen group contain software features and protocols unique to the supplied infotainment systems and respective vehicle systems. Additionally, Audi AG provided materials explaining why its infotainment technology provided increased safety and security. According to Audi, mobile online services and WiFi connectivity are located on a separate hardware module and vehicle systems are designed utilizing communication domains that are separated by a gateway.
ODI reviewed all information submitted by Harman including supporting documentation for the HUs supplied to Audi AG and Bentley. Security architecture implementations in the head units supplied to other manufacturers are distinguishable from the Uconnect Access HUs provided to FCA. Audi AG and Bentley installed infotainment devices with countermeasures including multilayered security implementations and partitioned communication domains to reduce security vulnerability risks and mitigate or prevent cyber-attacks. Additionally, these other vehicles interacted with vehicle networks outside the infotainment system differently.
Based on a thorough review of the technical information supplied in the course of this investigation, there does not appear to be a reason to suspect that the infotainment head units Harman supplied to other vehicle manufacturers contain the vulnerabilities identified by FCA. Accordingly, this investigation is closed.