Lawsuit seeks damages against automakers and their hackable cars

A Dallas-based trial attorney has filed a lawsuit against Toyota, Ford and GM for failing to address a defect that allows cars to be hacked and control wrested from the driver.

A Dallas law firm has filed a lawsuit against three major automakers claiming they have failed to take basic measures to secure their vehicles from hackers.

The lawsuit, filed by Dallas-based attorney Marc Stanley on behalf of three vehicle owners and "all others similarly situated," alleges that the automobiles are open to hackers who can take control of basic functions and endanger the safety of the driver and passengers.

"Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers," Stanley said in a statement.

The suit claims that vehicles without proper electronics safeguards are "defective" and worth far less than similar non-defective vehicles and seeks unspecified monetary damages and injunctive relief.

Modern cars and light trucks contain more than 50 separate electronic control units (ECUs) -- small computers connected through a controller area network (CAN) or another network such as a Local Interconnect Network or FlexRay.

The lawsuit claims hackers could access ECUs on a vehicle's CAN bus and take control of basic functions such as braking, steering and acceleration, "and the driver of the vehicle would not be able to regain control.

"Disturbingly, as defendants have known, their CAN bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, defendants' vehicles are not secure, and are therefore not safe," the lawsuit states.

Ford declined to comment on the matter. Neither GM nor Toyota responded to a request for comment.

Scott Morrison, a distinguished engineer at CA's Layer 7 Technologies, said that nothing dates a car more quickly than its electronics.

"You can get into a five-year-old luxury car and it...feels like a Nintendo game...compared to the experience on your smartphone," Morrison said in an earlier interview with Computerworld.

Last year, at the Black Hat security conference in Las Vegas, two industry experts released a 92-page report revealing "the 20 most hackable cars."

Also last year, during a cybersecurity challenge, a 14-year-old was able to hack into a car's CAN with an electronic remote auto communications device he assembled overnight with $15 worth of Radio Shack parts.

The lawsuit claims car owners were charged "substantial premiums" for CAN bus-equipped vehicles. And it argues that the automakers engaged in "unfair, deceptive, and/or fraudulent business practices" by failing to disclose security flaws.

"Had plaintiffs and the other class members known of the defects at the time they purchased or leased their vehicles, they would not have purchased or leased those vehicles, or would have paid substantially less for the vehicles than they did," the lawsuit said.

The lawsuit cites several studies revealing security flaws in vehicle electronics. A 2013 study by the Defense Advanced Research Projects Agency (DARPA) found researchers could make vehicles "suddenly accelerate, turn, [and] kill the brakes."

DARPA reported that the defect represents a "real threat to the physical well-being of drivers and passengers." Before releasing its study, DARPA shared its finding with car manufacturers so they could address the vulnerabilities, "but they did nothing," the lawsuit states.

The lawsuit also cites a study released last month by Sen. Edward Markey (D-Mass.) that claims automakers have fallen far short in their responsibility to secure their vehicles' electronics.

The 14-page report is based on responses from 16 automakers to questions about security vulnerabilities and how driver information is collected and protected.

The report states that automakers have adopted technology without addressing the possibility of hacker infiltration into vehicle systems. Most automobile manufacturers were unaware of, or unable to report on, past hacking incidents, the report states.

The first part of the report focuses on how modern technologies give hackers windows of opportunity. It claims that only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, "and most say they rely on technologies that cannot be used for this purpose at all.

"Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions," the report states.

Last November, the world's 19 biggest automakers agreed to principles they said will protect driver privacy in an electronic age where in-vehicle computers collect everything from location and speed to what smartphone the driver uses.

A 19-page letter committing to the principles was submitted to the Federal Trade Commission from the industry's two largest trade associations, the Alliance of Automobile Manufacturers (AAM) and the Association of Global Automakers (AGA).

The AAM represents Detroit's Big Three automakers -- Ford, GM and Chrysler -- along with Toyota, Volkswagen AG and others. The AGA also represents Toyota, along with Honda Motor Co., Nissan Motor Co. and Hyundai Motor Co., among others.

Markey stated that the principles are an important first step, but fall short in a number of key areas by not offering explicit assurances around choice and transparency.


Stories by Lucas Mearian
