Hackers and Your Internet-Connected Car

For the past five years, automakers have been rushing into providing Internet connectivity in their cars. Access to the Internet for directions, information, and other useful tools has resulted in increasing technological advancements in auto resources. However, the rush by manufacturers to include the latest and greatest technology was not accompanied by sufficient attention to cybersecurity. As a result, a former NSA analyst and another experienced hacker (Charlie Miller and Chris Valasek) were able to take control of a moving Jeep Cherokee that was being driven by a tech writer doing a story on whether cars could be hacked. The two cyber experts were able to get into the car’s wireless communications system. Once in the system, they were able to manipulate the air conditioning, blast the driver with Skee-Lo at full volume, control its speed, turn on the windshield wipers, and eventually run the vehicle off the road. Danny Yadron and Mike Spector, “Hackers Show How Flaw Lets Them Control a Car,” Wall Street Journal, July 22, 2015, p. B1.

Hearings in the U.S. Senate confirm that auto makers are aware of the potential for hacking, but are behind in terms of providing their cars with adequate protections. The Senate Commerce Committee has announced legislation that would require the Federal Trade Commission and the National Highway Traffic Administration to work together to establish federal standards to protect drivers’ (and cars’) privacy, i.e., sufficient security to prevent hacking. Marco della Cava, “Hack of Connected Car Raises Alarm Over Driver Safety,” USA Today, July 22, 2015, p. 6B.

The problem with vehicles is more serious than with hacked credit card accounts because in the case of hacked bank and credit accounts, the accounts can be closed and the holder given a new card and account. However, as with the Jeep hacking experiment, the successful hack cannot be stopped, even by the driver. Once a car is hacked, the driver is trapped in a vehicle going 70 mph. In the Jeep experiment, the hackers were able to apply the brakes suddenly, and all the writer/driver could do was press on the gas and watch the RPMs climb. For more details on the ride by hackers, go here.

One obvious response has been to provide updates to the cars’ software in order to fix any glitches or vulnerabilities as the companies become aware of them. However, the automakers need to move quickly. The hackers noted that Chrysler products were easier to hack than other cars. The issue of “hackability” presents an interesting product liability issue because now the automakers are aware of the problem and will need to take steps to cure this design defect in their vehicles. From this point forward, any accidents that involve cars with security weaknesses in the Internet function of the cars will result in liability for the cars’ manufacturer. The cars have a design defect. The question now is whether it can be fixed. How quickly it can be fixed controls how much risk and resulting liability the companies have.

The federal legislation, if passed, will establish minimum security standards, but certainly not foolproof ones. The question is whether the cars need some anti-hacker means of halting a hack once it is in progress.

DISCUSSION STARTERS

What makes the finding that a car could be hacked a game-changer for auto manufacturers?

What will happen once a driver (other than those involved in experiments) experiences a hacking while driving? What are the legal issues then?