Should carmakers be held accountable for cyber security vulnerabilities?

June 10, 2015


Last March, a Dallas law firm filed a class action lawsuit against Toyota, Ford, and General Motors, alleging that their vehicles breach the manufacturers’ warranties and various state and federal consumer protection laws due to the vehicles’ susceptibility to hacking. The complaint states that we shouldn’t need to wait for a hacker or terrorist attack before requiring car makers to fix the defects.

This lawsuit raises interesting questions:

  • Since there haven’t been any reported real-world car hacking incidents, is this complaint justified?
  • Are the few research cases of cyber-attacks on vehicles’ networks sufficient evidence that the cars aren’t safe to drive?
  • Since there’s no data logging equipment in a vehicle, are we even sure that there hasn’t been a hack that caused an issue?

Automakers clearly need to take the hacking threat seriously as cars become more connected to the Internet. Should an attack occur, there will be an intense and immediate focus on the automaker, who will be interrogated by media and lawmakers alike about what they knew and what they should have done. Of course, every automaker wants to keep that from ever happening.

Ultimately, the responsibility may not completely fall on the car makers, as car owners could be required to purchase antivirus protection, update firewalls, and take other precautions that were considered routine in PC ownership. If a software fix for a vulnerability exists but the drivers haven’t brought their vehicle into the dealership for service, is the driver responsible or is the car manufacturer responsible for providing over-the-air (OTA) updates? These and many other questions need to be resolved as cars become part of the Internet of Things.

Finally, cyber-attacks can be targeted at information stored in the vehicles, rather than the vehicle systems themselves. Modern cars gather vast amounts of data today, mainly used for performance and reliability purposes. But as car makers offer more connected applications and seek to monetize this data, the car will become a more enticing target for hackers wishing to steal that data. It’s likely that more cyber security incidents will involve data theft than malicious attacks on your brakes. Most corporations just need to worry about protecting their data from hackers, while car makers need to worry about protecting both data and lives. This makes the challenge more difficult and potentially more costly if (when) they fail.

The lawsuit against Toyota, Ford and GM raises many questions for which there are no clear answers. There are past examples of car makers ignoring safety issues because they didn’t want to spend the money to fix the problems. Pressure from lawsuits could possibly prevent this behavior from repeating when automakers are faced with security issues. Conversely, the lawsuits could drive the car makers to be less transparent in reporting issues, make them less cooperative with white-hat hackers, and could ultimately make the situation worse. Only time will tell the true impact on automotive cyber security of this lawsuit, and those lawsuits that will invariably follow.

For the past two years, Gene Carter has been the Director of Product Management for the Embedded Security Business Unit at Security Innovation. Carter has spent the past 20 years in embedded and automotive product management roles for NXP Semiconductors, Philips Semiconductors, and Coto Technology. He holds an MBA from the University of Southern California’s Marshall School of Business and a BSc in Electrical Engineering from Tufts University.

Gene Carter, Security Innovation