
Of all of the challenges and known roadblocks ahead of the connected car movement, chief among them are the legal considerations of automakers building and selling cars that are connected to the Internet, connected to infrastructure and connected to each other. We have now learned of the Stanley Law Group of Dallas, Texas, that has brought a class action suit against Toyota, Ford and GM for allegedly selling connected vehicles with “known defects” that could enable the cars to be hacked.
“Disturbingly, as defendants have known, their controller area network (CAN) bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, defendants’ vehicles are not secure, and are therefore not safe,” the lawsuit states. Further, the lawsuit claims car owners were charged “substantial premiums” for CAN bus-equipped vehicles and that automakers engaged in “fraudulent business practices” by failing to disclose security flaws” that produced “defective vehicles [that] are worth far less than…defect-free vehicles.”
Since 1996, the CAN bus has been the standardized electronic backbone of automotive safety, security, comfort and drivetrain systems for virtually all vehicles around the world. There has been no worldwide malicious attempt to undermine CAN bus systems to date, aside from those highly publicized research-based efforts that could be characterized better as vehicle “tampering” rather than “hacking.” The lawsuit tends to focus its language a bit too much on CAN bus connectivity and how this nearly 30-year-old, proven automotive architecture is somehow the new-found source of electronic chaos.
That being said, the OBD-2 port is quite vulnerable to breaches, particularly if used with third-party connected dongles with direct access to the CAN bus system. Also, the automakers’ rush toward vehicle connectivity and integration with off-board processing to deliver competitive connected services has clearly caused some car companies to incorporate on- and off-board technologies into their newer vehicles without implementing security measures at the early development stage. One possible solution could be as simple as using hack-proof semiconductors that would mitigate software and app breaches.
Unfortunately, the vulnerabilities of connected systems have been an ongoing concern among lawmakers as well as consumers. As was reported by the vehicle hacking study commissioned by Sen. Edward Markey (D-MA), most automakers have failed to address data security and are largely unaware that there were hacking incidents in the first place.
Last November, 19 of the world’s largest automakers agreed to self-regulate by adopting the Privacy Principles advocated by the Alliance of Automobile Manufacturers and the Association of Global Automakers. Within these Principles, automakers committed to voluntary measures that would protect consumer data privacy and establish guidelines on how consumer data would be used and why. Combined with a more concerted engineering effort to block intrusion by hackers, automakers could genuinely make meaningful progress in protecting their connected cars as well as the people who drive them.
So, the question now is this: Can the lawsuit succeed? Given that connected vehicles – or for that matter all connected devices – cannot be guaranteed 100 percent hack-free, automakers must show targeted, good-faith effort to engineer security measures into their electronics systems in a proactive manner until industry standards for automotive cybersecurity are established. This will not only help to fend off lawsuits, it will generate marketable consumer trust and even create a competitive advantage over other automakers that are still stuck in 1996.
Source: Connected Car Lawsuits Begin – Connected World