Class Action Filed Against Chrysler Following “Hack” of Jeep Cherokee

Connected Cars Present Safety, Security and Privacy Challenges

The Connected Car

On August 4, 2015, Plaintiffs filed a class action against Chrysler and Harman International following a recent Wired story that detailed how researchers were able to take control of a Jeep Cherokee remotely through the vehicle's uConnect infotainment system.  The suit essentially argues that these vehicles carry a design defect: software pre-loaded onto the vehicle has been shown to be insecure and creates security and safety risks for owners and passengers.  Plaintiffs Brian Flynn and George and Kelly Brown filed suit, in the U.S. District Court for the Southern District of Illinois, on behalf of themselves and a putative class (Case 3:15-cv-00855).  The complaint alleges violations of the federal statute on warranties for consumer products (Magnuson-Moss), breach of the implied warranty of merchantability, fraud, negligence, unjust enrichment, violations of the Illinois deceptive business practices act, fraudulent concealment/fraud by omission, and violations of the Missouri merchandising practices act.  Plaintiffs allege that the uConnect system is always connected to the Internet via a 3G cellular data link, and that even an owner who chooses not to use any Internet-related services has no way to disable that cellular connectivity.  Plaintiffs argue that the vehicles are defectively designed in that essential engine and safety functionality is connected to the insecure uConnect system.  Plaintiffs allege that "malicious hackers could broadcast harmful signals over radio waves causing a security and safety related crisis as a large number of vehicles all fail simultaneously."  The system allegedly is also accessible through the vehicle's USB port, allowing anyone with physical access to the vehicle to load malicious software onto the system, from which it could spread to critical functions.  The core technical point of the complaint is segmentation: Plaintiffs argue that the uConnect system should be segregated from the vehicle's other critical systems so that compromise of the infotainment unit cannot reach braking, steering or the powertrain.
Plaintiffs argue that software updates are only remedial fixes: now that the capability to affect powertrain and safety functionality has been demonstrated, hackers will keep finding new vulnerabilities to exploit.  Plaintiffs argue that a recall is deficient because vehicles designed this way will never be safe or secure.

The plaintiffs have not alleged that any of them has actually experienced a "system" failure or intercept.  The plaintiffs seek damages, of course, but those damages are not tied to any specific statutory violation.  Plaintiffs also seek a court order to monitor any recall program or remedial measure.

Plaintiffs appear to be trying to get out in front of a defense that a car manufacturer may raise, and one that Tesla, for instance, is trying to make real.  In Tesla's case, the company would likely argue that because its cars are so "wired," to borrow a phrase, over-the-air updates let it identify and patch vulnerabilities without a dealer visit; the article below reports that Tesla cars receive automated software upgrades roughly every three months.

[See story at: http://www.npr.org/sections/alltechconsidered/2015/08/06/429907506/tesla-model-s-can-be-hacked-and-fixed-which-is-the-real-news ]

However, Congress is likely to cast another critical eye on these issues.  Senators Ed Markey and Richard Blumenthal have introduced the Security and Privacy in Your Car Act (the "SPY Car Act"), which would require automobile manufacturers to build IT security standards into connected cars.  Blumenthal has commented that the "same kind of advances in technology that can bring enormous benefits of wireless connections can also guarantee our privacy and security."  If the bill were to become law, it would instruct the National Highway Traffic Safety Administration and the Federal Trade Commission to create IT security and privacy standards for vehicle electronics and associated in-vehicle networks.  Part of the effort, echoing the Flynn allegations above, is to require that critical vehicle software systems be isolated from non-critical systems and external access points, and that vehicles be able to detect and stop hacking incidents in "real-time."  Another feature of the proposed legislation, which the Flynn plaintiffs did not highlight or allege, is privacy.  The legislators are focusing on the collection of data by these systems: the legislation would prevent driving data from being used for advertising or marketing purposes unless the owner "opts in" to such use.


NYT Article on BYODs, Workplace App Policies


This is a nice overview of the concerns facing employers whose active, creative workforce uses websites and apps that are not necessarily in conformity with in-house security standards.  See article at:

http://www.nytimes.com/2013/03/04/technology/it-managers-struggle-to-contain-corporate-data-in-the-mobile-age.html?pagewanted=2&hpw

Quotes from the article:

“People are going to bring their own devices, their own data, their own software applications, even their own work groups,” drawing off friends and contractors at other companies, said Bill Burns, the director of information technology infrastructure at Netflix. “If you try and implant software that limits an employee’s capabilities, you’re adding a layer of complexity.”

“The popular term now when people bypass the in-house organization is ‘shadow I.T.,’ ” says Sunny Gupta, chief executive of Apptio.

In the comments section below the article, many industry observers share their thoughts:

From Milwaukee, one says:

To be honest, the problem isn’t really the integrity of the apps, but the app user. If a person is going to mis-use proprietary information, they will do it, security or no security.

From New York, the comment is:

HIPAA rules are only taken seriously after the breach, fine or lawsuit. BYOD is what keeps hospital CIOs and CEOs up late at night.

Another suggests corporate IT teams continually lag behind what their personnel want or are already doing.  One suggests IBM SmartCloud.  And, finally, others mention that the best security is either no outside devices inside the office at all, or an agreement by the employee to keep the device readily available and subject to being wiped clean remotely without notice.