Wednesday, March 11, 2015

Auto makers sued over lousy on-board computer security

GM, Ford, and Toyota are the target of a class action suit:
"Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers," Stanley said in a statement.

The suit claims that vehicles without proper electronics safeguards are "defective" and worth far less than similar non-defective vehicles and seeks unspecified monetary damages and injunctive relief.

Interesting. One of the problems with security efforts in the past is that it's been impossible to quantify the benefit. This looks to assign a dollar value to that.

The lawsuit claims hackers could access ECUs on a vehicle's CAN bus and take control of basic functions such as braking, steering and acceleration, "and the driver of the vehicle would not be able to regain control."

"Disturbingly, as defendants have known, their CAN bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, defendants' vehicles are not secure, and are therefore not safe," the lawsuit states.

I've been writing about this for years. Interesting to see it show up in court.

The lawsuit claims car owners were charged "substantial premiums" for CAN bus-equipped vehicles. And it argues that the automakers engaged in "unfair, deceptive, and/or fraudulent business practices" by failing to disclose security flaws.

"Had plaintiffs and the other class members known of the defects at the time they purchased or leased their vehicles, they would not have purchased or leased those vehicles, or would have paid substantially less for the vehicles than they did," the lawsuit said.

Actually, yes. But surely, you say, automotive computer security is arcane. The manufacturers couldn't be expected to understand such a new field, right? Oops:

The lawsuit cites several studies revealing security flaws in vehicle electronics. A 2013 study by the Defense Advanced Research Projects Agency (DARPA) found researchers could make vehicles "suddenly accelerate, turn, [and] kill the brakes."

DARPA reported that the defect represents a "real threat to the physical well-being of drivers and passengers." Before releasing its study, DARPA shared its finding with car manufacturers so they could address the vulnerabilities, "but they did nothing," the lawsuit states.

Next target of the lawyers: the Internet of Things, with its computerized light bulbs and central heating systems.


Steve said...

Unfortunately, this will most likely result in lots of millions of dollars for lawyers and essentially squat for the class, which is usually how class action suits come out.

Tony Tsquared said...

Another reason to ride a motorcycle.

Old NFO said...

Steve's right... dammit...

Sherm said...

Squat??? I'm already envisioning what I can do with the $10 I'll save with the coupon I'll receive for my post-settlement, dealer-provided oil change. Ooo-la-la.