This is a complete circus of stupidity on the part of Chrysler, both in engineering and in their response to the problem.
The security researchers discovered massive flaws in a number of vehicles produced by Chrysler which would allow for an attacker with minimal hardware (a Sprint cellphone or an in-range WIFI device) to hack a wide range of vehicles produced from 2013 to 2015 from anywhere that has Sprint cellphone service, or just by getting close enough to the vehicle using WIFI.
They found that the telematics system of the car (built in GPS, bluetooth, wifi, etc) was totally unsecured and was not using any authentication or encryption. Firmware on critical components was not cryptographically signed, and even the WIFI password had an easy-to-guess factory default which was basically never changed.
They initially discovered only relatively minor problems, like being able to turn the volume up on the stereo and lock the user out of the volume control, but couldn't find ways to actually cause the drive systems to malfunction. They reported these findings, and months passed during which Chrysler did nothing. They continued to report findings as they dug deeper and deeper into the cars' vulnerabilities, eventually discovering that they could scan the whole country at once to discover vulnerable vehicles, identify them by GPS and VIN number, and discover exactly how vulnerable each one was. Still, Chrysler did nothing.
Next they discovered how to stop the brakes from working. How to mess with turn signals. How to change the speedometer. How to steer, accelerate, decelerate. They could remotely unlock the car, or lock it. In short, they had complete control over every single electronic system in the car. Still, Chrysler largely ignored them.
A couple days before their presentation at DEFCON 23, Sprint quietly blocked TCP port 6667 on their networks, the port used to hack Chrysler cars remotely. However, Chrysler had issued no software fixes and no statements of any kind. The fix from Sprint was effective, but the vulnerabilities in the car still remained, and while blocking port 6667 would stop someone 2 states away from hacking you with only their cell phone, the other problems all remained in place, including WIFI hacking and the fact that the car's firmware could be patched without authentication if an attacker happened to find another way in. (for example, bluetooth, OBD port, or tire pressure sensors, none of which these researchers bothered to try)
Finally, the researchers conducted a demo for Wired, in which they put a reporter in the ditch. Overnight, 1.4 million vehicles were recalled, and a firmware patch was finally released.
While it's good news that the problem is being fixed, what should be abundantly clear is that car makers do not see eye to eye with white-hat hackers and do not take this kind of problem seriously at all. Fixing bugs costs money, and admitting fault costs more. I, for one, am glad to see their stock figures dip. Sometimes the only way to knock sense into a corporation is to kink the fire-hose of money they need to survive.http://hackaday.com/2015/08/22/how-those-hacker-took-complete-control-of-that-jeep/