By: Grace A. Nguyen and Alexandra R. Rambis
April 24, 2016
A number of breaches at high profile companies such as Target, Neiman Marcus, Home Depot and JP Morgan has pushed data security into the spotlight. Large companies, however, are not the only businesses susceptible to data breaches. Data security has now become a priority for the auto industry. While the technology in cars has become increasingly more sophisticated, it has also left automobiles vulnerable to the threat of cyber-attacks. In 2015, as an experiment, two researchers were able to hack into a Jeep Cherokee wirelessly.1 After hacking into the car, they were able to disable the car’s brakes, honk the horn, commandeer the steering wheel, turn off the car’s ignition, and could even track the car’s GPS coordinates and trace its route.
Cyber auto hackings have been made possible because automobiles are now equipped with modern technology, much like a smartphone. In fact, nearly 100% of automobiles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.2 For example, many Fiat Chrysler cars, SUVs, and trucks now contain an internet-connected computer feature, which controls the vehicle’s entertainment and navigation, enables phone calls, and offers a Wi-Fi hot spot.3 These internet-connected computer features let anyone who knows the car’s IP address gain access from anywhere in the country and presumably the world.4 After the researchers were able to remotely hack into the Jeep Cherokee, Chrysler recalled approximately 1.4 million vehicles to fix the security flaw.5 Chrysler has now implemented a program to continuously test vehicle systems in order to identify susceptibilities and develop solutions.
Additionally, this new technology has created the threat of cyber car thefts. With the advent of the electronic fob, or “keyless” car keys, there are now several ways for car thieves to gain entry into vehicles without actually having the key in their possession. Since many cars now unlock when the electric key fob is in close proximity to the car, thieves are able to steal cars from the dealership lot when the key is near the car, but not in their possession. After gaining entry into the vehicle, thieves can clone the electric fob keys using a device that only costs $30. The device can then be plugged into the car’s diagnostic port in the passenger footwell, and the information obtained from the car can be used to reprogram a blank electric fob and start the car.6 In 2014 alone, approximately 6,000 cars–amounting to 42% of all vehicle thefts–in London were stolen using this method.7
In response to this growing threat of cyber-attacks on automobiles, two U.S. Senators filed a bill, the Security and Privacy in Your Car (SPY Car) Act, in July 2015 that would require the federal government to establish standards to ensure that automakers secure drivers against vehicle cyber-attacks.8 The bill would establish a rating system that informs consumers about how well the vehicle protects drivers’ security and privacy beyond the proposed federal minimum standards, and also calls for vehicles to be equipped with technology that can detect, report and stop hacking attempts in real time.9 Further, the bill would ban the use of personal driving information collected by automakers through a vehicle’s computer system for advertising or marketing purposes unless the vehicle owner clearly opts in to the data collection.
As a result of these technological vulnerabilities in automobiles, the auto industry faces potential liability in the event of a cyber-attack. In March 2015, a class action lawsuit alleging damages exceeding $5,000,000 was filed on behalf of three vehicle owners against Toyota, Ford and GM. The suit claims that vehicles without proper electronics safeguards are defective because the automobiles are open to hackers who can take control of basic functions and endanger the safety of the driver and passengers.10
Currently, the case is pending on appeal following the trial court’s decision to grant the defendants’ motion to dismiss. In the interim, those in the auto industry should be aware of these potential risks and take steps to ensure they are protected against the threat of a cyber-attack. This case will undoubtedly be a landmark decision should it make it to the Supreme Court, and the plaintiffs’ utilization of the appellate process indicate their intent to take this case to the highest court necessary. For now, one thing is certain: regardless of how the court decides, this case will have far reaching implications on the automobile industry.