First Car-Hacking Class Action Filed against Ford, GM and Toyota

Dallas, TXSo, imagine you are driving at 70 mph in your car when suddenly the windshield wipers go on, the entertainment system clicks on full blast, the horn is honking and the air conditioner starts blowing arctic cold air. Then suddenly you feel the brakes engage. The vehicle is coming to full stop with a freeway full of cars coming up fast in your rearview mirror.

That’s what a Black Hat car hacker can do - remotely seize control of your vehicle’s computer system - with potentially disastrous consequences.

Marc Stanley, from the Stanley Law Group in Dallas, Texas, has recently filed the first-ever class-action suit on behalf of owners with vehicles equipped with computer systems that, as the documents describe, “are susceptible to computer hacking and are therefore unsafe.”

“These vehicles owners don’t ‘think’ they are vulnerable to it,” says Stanley. “That’s what the current science says.”

In fact, only this week, two rapidly becoming well-known security engineers, Charlie Miller and Chris Valasek, grabbed the headlines by doing a spectacular video demonstration of a potential hacker’s ability to hack into a Jeep and disable the vehicle’s braking system through its onboard computer system.

Stanley’s class action names Ford, GM and Toyota as defendants in the case. Although none of his clients, so far, have had their vehicles hacked, the suit alleges that the automakers have breached their contracts to sell safe and defective-free vehicles.

The suit also alleges breach of privacy given the potential for hackers to use the onboard communications system to literally “eavesdrop” on people riding in the vehicles.

Automakers and consumers have been adopting car technology at a rapid rate. As Stanley describes it, “It’s a wild west environment” out there in terms of rules, regulations and security systems for highly computerized vehicles.

Although the technology was meant to provide safety and convenience for drivers, it does not provide appropriate security to keep intruders out of the system.

Originally, it was thought that the onboard computer systems could only be compromised by physically accessing the port typically used by mechanics using computers to diagnosis mechanical problems.

However, researchers have now provided a number of high-profile car-hack demonstrations whereby car system invaders can seize control of the vehicle wirelessly through Bluetooth systems, cellular telephone network systems used to provide roadside assistance, onboard Wi-Fi systems, and even through the vehicle’s entertainment system.

The vehicles use a controller area network, or a CAN or CAN bus system, that connects to electronic control units or ECUs. Hackers gain access to the CAN bus system and simply start telling the ECUs what to do and the driver no longer has control of his own car.

“You could do this to a single car vehicle or a group of similar vehicles. All they have to do is call some code using a piece of software and turn off the vehicle ignition while it is in motion driving down the highway, or apply the brakes, or any other scenario you can imagine.”

Plaintiffs in the class action own a variety of vehicles including a 2008 Lexus RX 400 H, a 2014 Ford Escape and a 2013 Chevrolet Volt.

According to the documents, the “vehicles contain more than 35 separate electronic control units (ECUs), connected through a controller area network (“CAN” or “CAN bus”). Vehicle functionality and safety depend on the functions of these small computers, the most essential of which is how they communicate with one another.”

“The members and potential members of the class action include anyone who owns a vehicle with onboard Wi-Fi, OnStar, Lexus Connect or any other computer system that is hackable,” says Stanley.

“Technology is good as long as it is reined in properly. This is sort of like participating in unprotected sex after people became aware of the AIDS virus,” he adds. “There is just no protection for vehicles owners. We just want the automakers to make our cars safe,” says Stanley.

There are, so far, no injuries or deaths that can be related to a car-hacking event. However, that potential exists.

“That is the nightmare scenario,” says Stanley. “The idea that this could result in injury or death. Unfortunately, I have to say that is a likely outcome.”

Interestingly, two US Senators who have been concerned about the increasing use of “connected devices,” including the increasing use in cars, introduced legislation this week asking the NHTSA and the FTC to establish federal standards to secure vehicles and the privacy of drivers. The legislation, The Security and Privacy In Your Car Act (SPY Car Act 2015), would also mandate a dashboard rating of the security level of the vehicle.

Fiat Chrysler also reacted quickly to the highly publicized hacking demonstration of its Jeep. Fiat Chrysler will recall 1.4 million cars and trucks in the United States and update the vehicles’ software with a Uconnect patch to prevent hackers from entering the vehicles through CAN bus and ECUs.