The US Supreme Court on Monday refused to hear Fiat-Chrysler’s appeal in a lawsuit over security holes that famously let researchers paralyze a Jeep Cherokee that should have been zooming down the highway instead of waiting for an 18-wheeler to catch up and turn it into oily pudding.
(Which, thankfully for driver and Wired journalist Andy Greenberg, it did not.)
The court’s action means that one of the first legal cases involving cybersecurity risks in cars will go to trial in October.
The car company’s wish for the class action suit to go away is based on the fact that, as it’s pointed out, none of the cars belonging to (or leased by) the 200,000 class members actually got hacked. Besides, it fixed the bug, it said.
Well, we never would have bought the cars in the first place if we’d known about the security holes in your entertainment system, the class members say. Besides, the suit argues, the cars are worth a whole lot less now because of those vulnerabilities. The class members are seeking $50,000 per affected car to offset the loss in resale value.
Four owners or lessees of Chrysler vehicles brought the suit (PDF) against the car company in 2015, after renowned automobile/security researchers hackers Charlie Miller and Chris Valasek remotely took over a Jeep Cherokee from 10 miles away.
They were able to control the Jeep’s brakes and accelerator, as well as other less-essential components like radio, horn and windshield wipers, by exploiting the Jeep’s entertainment system, called uConnect, over a cellular network.
That led to a historic recall of a whopping 1.4 million vehicles. The researchers’ response? You ain’t seen nuthin’ yet.
A year later, they were back to show what they could have done if they’d continued to work on the attack in secret, as malicious hackers might have done. Namely, in spite of Fiat-Chrysler’s patch, Miller and Valasek came up with yet another attack in which they managed to spin a steering wheel 90 degrees while the car was traveling at 60 mph. Another year, another Jeep stuck in a ditch next to a cornfield.
The plaintiffs in the class action suit, filed against the US subsidiary of Fiat-Chrysler and the manufacturer of the uConnect software, contend that the company knew about the vulnerability for three years and failed to fix it.
If you’re curious about the technical details of how the researchers pried open the Jeep’s Controller Area Network (CAN), you can check out the pair’s research notes, which they released in 2017.
They weren’t the first to gift the world with automotive hackery, either: open source software tools and hardware designs that support car hacking include a toolset called CANtact; GoodThopter, an open-source board with a built-in CAN interface; and the open source EVTV Due CAN sniffer. In fact, the plaintiffs in the class action say that the vulnerabilities were first revealed as early as 2011.
Fiat Chrysler put out a statement saying that it was looking forward to presenting its case in court:
None of the more than 200,000 class members in this lawsuit have ever had their vehicles hacked, and the federal safety regulators at NHTSA (the U.S. National Highway Safety Administration) have determined that FCA US has fully corrected the issues raised by the plaintiffs.
Some say that the “yea, but we fixed it” defense doesn’t cut it. Chris Wysopal, for one, co-founder and CTO of Veracode, said that a big time lag between bug discovery and patch issuance leaves the transmission stuck in “risky!” for consumers:
Fiat Chrysler defense is "we fixed it". But how long it takes to be fixed should matter. In this case the plaintiffs allege it was 4 years. Consumers often only find out about the risk after the fix is made available.
— Weld Pond | Chris Wysopal (@WeldPond) January 7, 2019
Chris Wysopal @WeldPond
Fiat Chrysler defense is “we fixed it”. But how long it takes to be fixed should matter. In this case the plaintiffs allege it was 4 years. Consumers often only find out about the risk after the fix is made available.
Mike W
This is why I had this type of system disabled in my VW. No thanks!
DudeSweet
I’m typically against class-action lawsuits for a couple reasons, but am on the fence here. If the plaintiffs claims in this article are accurate, they are completely bogus: “Besides, the suit argues, the cars are worth a whole lot less now because of those vulnerabilities. The class members are seeking $50,000 per affected car to offset the loss in resale value.”
Duh? New cars depreciate, on average, 30% in the first 3 years. FCA vehicles and especially Jeeps (except for Wranglers) are even worse. Dodge (excluding RAM pickups), Chrysler, Fiat, and Non-wrangler Jeeps have the highest depreciation of all high-volume brands in the US- and it’s not even close. This predates the uConnect fiasco and is mostly because they, on average, have terrible reliability by almost all metrics.
On the other hand I would LOVE to see a major MFG punished for horrible security standards to set a precedent to all the others. Auto MFGers might be the only companies with a worse security record than IoT!