Connected Cars Present Safety, Security and Privacy Challenges

On August 4, 2015, Plaintiffs filed a class action against Chrysler and Harmon International following a recent story in Wired Magazine that detailed how researchers were able to take control of a Jeep Cherokee via the vehicle’s uConnect system.  The suit essentially argues that there is a design defect in these vehicles as programs are pre-loaded onto the vehicle, which have been shown to be insecure and create security and safety vulnerabilities to owners and passengers.  Plaintiffs Brian Flynn and George and Kelly Brown filed suit, in the U.S. District Court for the Southern District of Illinois, on behalf of themselves and a putative class (Case 3:15-cv-00855).  The complaint alleges violations of the federal statute on warranties for consumer products (Magnuson-Moss), breach of implied warranty of merchantability, fraud, negligence, unjust enrichment, violations of the Illinois deceptive business practices act, fraudulent concealment/fraud by omission, and violations of the Missouri merchandising practices act.  Plaintiffs allege that because the uConnect system is always connected to the Internet (via 3G cellular data), even if a vehicle owner chooses not to use any Internet related services, there is no way to disable the cellular connectivity.  Plaintiffs argue that the vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system.  Plaintiffs allege “malicious hackers could broadcast harmful signals over radio waves causing a security and safety related crisis as a large number of vehicles all fail simultaneously.”  The system allegedly is also accessible through the vehicles’ USB port, allowing anyone with access to the vehicle to load malicious software onto the system, which would spread to critical functions.  Plaintiffs argue that the uConnect system should be segregated from the other critical systems.  Plaintiffs argue that software updates are only remedial fixes as now that the capability to affect powertrain and safety functionality has been shown, hackers will find new vulnerabilities to exploit.  Plaintiffs argue that a recall is deficient as the vehicles designed this way will never be safe or secure.

The plaintiffs have not alleged that any of them have actually experienced a “system” failure or intercept.  The plaintiffs seek damages, of course, but not tied specifically to any statutory violation.  Also, plaintiffs seek a court order to monitor any recall program or remedial measure.

Plaintiffs appear to be trying to get out in front of potential arguments that a particular car manufacturer may make and that Tesla, for instance, is trying to address.  In Tesla’s case, it would likely argue that because Tesla is so “wired,” to borrow a phrase, the over-the-air updates are meant to identify and patch any vulnerabilities. Every three months every Tesla car receives automated software upgrades.

[See story at:

http://www.npr.org/sections/alltechconsidered/2015/08/06/429907506/tesla-model-s-can-be-hacked-and-fixed-which-is-the-real-news ]

However, Congress is likely to cast another critical eye on these issues.  Senators Ed Markey and Richard Blumenthal have introduced the Security and Privacy in Your Car Act (“SPY Act”) which would require automobile manufacturers to build IT security standards into connected cars.  Blumenthal has commented that the “same kind of advances in technology that can bring enormous benefits of wireless connections can also guarantee our privacy and security.”  If the bill were to become law, it would instruct the National Highway Traffic Safety Administration and the Federal Trade Commission to create IT security and privacy standards for vehicle electronics and associated in-vehicle networks.  Part of the effort, as illustrated by the Flynn allegations above, is to require that critical navigation systems would need to be isolated from access points and attempt to stop hacking incidents in “real-time.”  Another feature of the proposed legislation, which is not something the Flynn plaintiffs highlighted or alleged, are the privacy issues.  The legislators are focusing on the collection of data associated with these systems.  The legislation would prevent driving data from being used for advertising or marketing purposes (unless the owner “opts-in” for such use).