A Dallas law firm has filed a lawsuit against three major automakers claiming they have failed to take basic measures to secure their vehicles from hackers.
The lawsuit, filed in the US District Court for the Northern District of California by attorney Marc Stanley, is on behalf of three vehicle owners and “all others similarly situated”. It alleges that the cars are open to hackers who can take control of basic functions and endanger the safety of the driver and passengers.
“Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers,” Stanley said in a statement.
But the case is bringing to light problems which may bedevil the car industry in the future. After all if they are having problems with the security on cars now, how are they going to manage when autodriven vehicles are in charge.
Modern cars and light trucks contain less than 50 separate electronic control units (ECUs) — small computers connected through a controller area network (CAN) or other network such as Local Interconnect Networks or Flexray.
New high tech cars will contain shedloads of them, and if hacked could be driven by hackers into walls or other cars.
The court case claims that the car companies are also habitually secretive about these sorts of problems – something that does not bode well if you are sitting in the back of a self drive taxi.
“Disturbingly, as defendants have known, their CAN bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, defendants’ vehicles are not secure, and are therefore not safe,” the lawsuit states.
Last year, at the Black Hat security conference in Las Vegas, two industry experts released a 92-page report revealing “the 20 most hackable cars.”
DARPA reported that the defect represents a “real threat to the physical well-being of drivers and passengers.” Before releasing its study, DARPA shared its finding with car manufacturers so they could address the vulnerabilities, “but they did nothing,” the lawsuit states.