Back in July, WIRED grabbed international headlines with an article dramatically titled, Hackers Remote Kill a Jeep on the Highway – With Me In It. Thrill-seeking readers were not disappointed with the introduction which described a nightmare scenario:
Though I hadn't touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
While the above might be enough to have nervous drivers reaching for the bus schedule, writer Andy Greenberg had volunteered to be a crash test dummy for hackers Charlie Miller and Chris Valasek. Although he had willingly allowed his vehicle to be remotely tampered with he could not alter or stop the experiment in any way and he freely admits how unnerved he became:
I didn't panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.
This toying with Greenberg was more than just a black hat party trick. It led, at least in part, to a recall of 1.4 million Fiat Chrysler vehicles in order to install software to prevent hackers from gaining remote control of the engine, steering and other systems in what federal officials said was the first such action of its kind.
Miller and Valasek are more than just hackers of course. Chris Valasek, is Director of Vehicle Security Research for IOActive and Charlie Miller, Security Researcher for Twitter. Together they wrote a technical paper called Adventures in Automotive Networks and Control which discloses the extent of control a malicious hacker might take over a vehicle, how they do it and how such an attack can be detected.
That paper was published in 2014 but it was not the first warning bell to sound about automotive security vulnerabilities. A paper titled, Experimental Security Analysis of a Modern Automobile was presented at the 2010 IEEE Symposium on Security and Privacy and others have followed with some regularity.
Earlier this year, Senator Ed Markey published a report titled, Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk, in which he outlines both the extent of the problem and the automotive industry's apparent lack of concern:
- Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions
- Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
The dangers of car security breaches are not limited to the personal injury that might occur should a driver lose control of the vehicle to a hacker. Modern cars also collect and transmit, largely unprotected, large amounts of personal data about the driver – exposing him or her to potential privacy and security issues.
Senator Markey's report also outlined the personal data issues:
- Automobile manufacturers collect large amounts of data on driving history and vehicle performance
- A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data
Together with Senator Richard Blumenthal, Senator Markey introduced the Security and Privacy in Your Car (SPY Car) Act to establish federal standards to secure cars and protect drivers' privacy. Markey says:
“Drivers shouldn't have to choose between being connected and being protected. We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”
Personal Injury Liability and Automotive Security
Clearly there is criminal intent when a hacker takes control of a car or uses information he has scraped from the car's data collection and transmission functions to gain a physical or financial advantage over the driver. Any financial loss or personal injury suffered will be directly attributable to his actions and the hacker would be tried in a criminal court.
However, given the significant and growing body of research and information available on car security vulnerabilities, to what extent is a car manufacturer liable for not addressing known security flaws that lead to personal injury or financial loss?
There is a current class action suit against GM, Ford and Toyota in California. The complaint gives a clear outline of the legal principles at work here:
1. There are certain basic rules all automobile manufacturers must follow. This case arises from a breach of these rules by the Defendants: Toyota Motor Corporation and Toyota Motor Sales, U.S.A., Inc. (together, “Toyota”), Ford Motor Company (“Ford”), and General Motors LLC (“GM”).
2. When Defendants sell or lease any vehicle to a customer, they have a duty to ensure the vehicle functions properly and safely, and is free from defects. When they become aware of a defect in their vehicles, they have an obligation to correct the defect or cease selling the vehicles. When Defendants introduce a new technology in their vehicles, and tout its benefits, they must test the technology to ensure that it functions properly. And when Defendants provide a warranty to a customer, Defendants are bound to stand by that warranty.
In time, legislation will evolve to protect consumers from the new dangers presented by car hacking and modern technology like driverless cars. For now however, there are no related automotive product liability precedents to draw on. You can however, be sure that we are watching the legal landscape with great interest and will keep you informed of any changes that effect personal injury law.
In the meantime, let's all buckle up and enjoy the journey into the future of automotive technology and legislation. It looks like we may be in for bumpy ride.