Ford, GM and Toyota sued for ‘dangerous defects’ in hackable cars

Mar 11, 2015 · 5 mins
A class action lawsuit against GM, Ford, and Toyota claims the automakers know their vehicles are vulnerable to remote hacking, but failed to alert consumers about the 'dangerous defects.'

What if your car horn started blasting or your windshield wipers started wiping wiper fluid on their own? Even if you considered that to be a “prank,” what if your car accelerated when you weren’t pressing down on the gas pedal? What if you tried to stop but your brakes were non-responsive to continued stomping on the brake pedal? Should we wait until a terrible wreck happens before fixing flaws in cars that can be remotely hacked? Attorney Marc Stanley doesn’t think so; he filed a class action lawsuit against Ford, General Motors and Toyota “for failing to address a defect that allows cars to be hacked and control wrested away from the driver.”

“We shouldn’t need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect,” Stanley said. “Just as Honda has been forced to recall cars to repair potentially deadly airbags, Toyota, Ford and GM should be required to recall cars with these dangerous electronic systems.”

Last month, DARPA’s Dan Kaufman freaked out viewers on 60 Minutes when he remotely triggered a car’s windshield wipers, then blasted the horn, and then disabled the brakes. The show described it as: “Using a laptop, the hacker dialed the car’s emergency communication system and transmitted a series of tones that flooded it with data. As the car’s computer tried sorting it out, the hacker inserted an attack that reprogrammed the software, gaining total remote control.”

Here’s that portion of the transcript dealing with the driver’s reaction to no brakes:

Lesley Stahl: [disabling the brakes] Oh, no. No. No. No. No. No. No. No.

Kathleen Fischer: Brakes didn’t work, right?

Lesley Stahl: –I cannot– oh, my God. I can’t operate the brakes at all. Oh, my word. That is frightening.

60 Minutes pointed out that “there’s no known case of a car hacked this way,” but some people, such as former cybersecurity czar Richard Clarke, have said journalist Michael Hastings’ single-vehicle crash in 2013 was “consistent with a car cyber attack.”

If you follow telematics news, then you’ve heard about the security dangers for years; they range from high-tech car theft, such as stealing a keyless BMW in three minutes, to a 14-year-old hacking a car with $15 worth of RadioShack parts. At Black Hat 2014, Charlie Miller and Chris Valasek unveiled their research into the most hackable vehicles. Last month, the I-Team showed how a car could be remotely hacked from 3,000 miles away. Although car hacking isn’t new, it’s finally grabbed the attention of people like Senator Ed Markey.

Markey released a “scathing report revealing that nearly all new cars can be hacked, but that only two out of 16 carmakers can ‘diagnose or respond to an infiltration in real time’.” In “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk” (pdf), Markey “discusses the responses to this letter from 16 major automobile manufacturers: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo.”

Markey highlighted security and privacy issues ranging from driving data collected and shared with third parties to “inconsistent and haphazard” security measures to prevent remote access to vehicles.

The top two key findings from the report were fairly damning:

  • Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents.

After the 60 Minutes segment and Markey’s report, here comes the lawsuit (pdf). Stanley claims that car makers have known since 2011 that modern vehicles are hackable, yet charge a premium for their high-tech cars; he also bashes the automakers’ “safety” statements as fraudulent. “Disturbingly, as Defendants have known, their CAN bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, Defendants’ vehicles are not secure, and are therefore not safe.”

Among other claims leveled at the automakers, the lawsuit filed against GM, Ford and Toyota adds:

Defendants failed consumers in all of these areas when they sold or leased vehicles that are susceptible to computer hacking and are therefore unsafe. Because Defendants failed to ensure the basic electronic security of their vehicles, anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others.

The PR release cites Toyota owner and named plaintiff Helene Cahen as saying, “It’s scary to know you could be driving down the highway and a hacker could seize control of your car. Toyota never mentions this risk when extolling its technology to sell you the car.”

Yes, telling potential customers how easily an attacker could exploit vulnerabilities in their hackable cars probably wouldn’t go over well enough to be approved by Toyota’s marketing department.

The lawsuit suggests, “Had Plaintiffs and the other Class members known of the defects at the time they purchased or leased their vehicles, they would not have purchased or leased those vehicles, or would have paid substantially less for the vehicles than they did.”

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.