Chrysler Faces Class Action Lawsuit And Congressional Action Over Jeep Hack

The fallout over the now-famous Jeep hack has begun. First of all, Chrysler, along with other carmakers, is facing a Senate bill aimed at forcing carmakers to improve their defenses against these sorts of hacks:

On Tuesday morning, Senators Ed Markey and Richard Blumenthal plan to introduce new legislation that’s designed to require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy. The legislation, as described to WIRED by a Markey staffer, would call on the National Highway Safety and Transportation Administration and the Federal Trade Commission to together create new standards that automakers would be required to meet in terms of both their vehicles’ defenses from hackers and how the companies safeguard any personal information such as location records collected from the vehicles they sell.

Now I am in favor of this because it’s becoming clear that car makers aren’t willing or able to properly protect drivers who have infotainment systems like these in their vehicles. Thus they need some sort of “incentive” to do so and legislation is great for that. But in the end, this may not matter because a class action lawsuit has been filed against Chrysler over the Jeep hack:

On Tuesday three Jeep Cherokee owners filed a complaint against both Fiat Chrysler Automobiles and Harman International, the maker of the Uconnect dashboard computer in millions of Chrysler vehicles. A security flaw in that cellular-connected computer served as the entry point for security researchers Chris Valasek and Charlie Miller when they showed WIRED last month that they could wirelessly hack into a 2014 Jeep over the internet to hijack its steering, brakes and transmission. Now the small group of plaintiffs is hoping to invite anyone with those vulnerable Uconnect systems in their car or truck to join them in their litigation. If their complaint is certified by a court as a class action, the broad spectrum of affected Chrysler vehicles means it could snowball into a case with more than a million potential plaintiffs.

In their complaint against the two companies, plaintiffs Brian Flynn and George and Kelly Brown accuse Chrysler and Harman of fraud, negligence, unjust enrichment and breach of warranty. They point out that Valasek and Miller alerted Chrysler to their findings of architectural vulnerabilities in Jeep Cherokees in a paper in early 2014 that mentioned connections between the Jeep’s Internet-enabled entertainment system and its CAN Bus, the network that controls critical driving features like steering and brakes. Those connections, the plaintiffs argue, represent a serious defect in vehicles Chrysler and Harman knowingly sold to customers. “The [affected] Vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system through the CAN bus,” their complaint reads. “uConnect should be segregated from these other critical systems. There is no good reason for this current design. The risks associated with coupling these systems far outweigh any conceivable benefit.”

I have to agree with the plaintiffs on this one. In the case of the Jeep hack or the “OwnStar” hack, where OnStar-equipped cars that use the iOS version of RemoteLink were “Owned”, once you’re into these systems you have partial or complete control of the car. From a computer science perspective, that’s insane, as there is no way that a system that allows you to stream music from your iPhone into your car’s stereo system should control brakes, steering, and the like. And I do believe that this is only the beginning. GM is likely to be the next target of a lawsuit, seeing as a proof of concept is already out there. You can also bet that hackers, lawyers and all sorts of others are looking at every other carmaker, as it is safe to say that some if not most of them are likely in the same boat as GM and Chrysler when it comes to the level of control that a hacker could have if they were able to hack into a car. Finally, I believe that as a preemptive measure, security updates will be coming out and be tied to recalls or some sort of “service campaign” so that carmakers can say “See, we take this issue seriously.”

Stay tuned. This is about to get very interesting.
