Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.
In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.
The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.
Fiat Chrysler has not yet commented to the BBC.
‘Fishing for victims’
“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.
“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.
“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”
He said that using a device like this had wider implications.
“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.
In July, security researchers Charlie Miller and Chris Valasek demonstrated that it was possible for hackers to control a Jeep Cherokee remotely, using the car’s entertainment system, which connected to the mobile data network.
The flaw affected up to 1.4 million vehicles sold in the US.
At the time, Fiat Chrysler issued a voluntary recall so that customers could visit a dealership to have the software updated in affected vehicles. It also made a software update available to download from its website for tech-savvy users.
Fiat Chrysler told technology magazine Wired: “Consumer safety and security is our highest priority. We are committed to improving from this experience and working with the industry and with suppliers to develop best practices to address these risks.”