August 19, 2015 Practice Points

Hacking Today's Vehicles

By Patrick J. Cleary

On July 21st, Wired ran a first-person story in which Andy Greenberg experienced a terrifying ride in a 2014 Jeep Grand Cherokee. See Andy Greenberg, "Hackers Remotely Kill a Jeep on the Highway—With Me In It," Wired. Greenberg was alone in the vehicle, and for all intents and purposes, the vehicle was the same as a vehicle on a dealer's lot. In the story, Greenberg recalled driving down the interstate when random, uncommanded vehicle actions suddenly occurred. The actions were at first innocuous, like turning on the windshield wipers and changing the radio volume, but then became sinister. The accelerator pedal stopped responding to Greenberg's frantic pedal pumping and the brakes stopped working. Two researchers, Charlie Miller and Chris Valasek, executed a hack of the vehicle's electronics, causing the events Greenberg recounted. Although in 2011, researchers at the University of California-San Diego and University of Washington published a paper where they disclosed wirelessly disabling the brakes on a sedan, Greenberg's story is the first confirmed remote hack of the vehicle controls of a moving vehicle identifying a specific vehicle and vehicle flaw. (The university-based researchers did not disclose how they disabled the brakes, nor the identity of the manufacturer.)

How the Jeep Was Hacked
At this year's Black Hat convention, Valasek and Miller explained how they hacked the vehicle. The Jeep incorporates Fiat Chrysler's UConnect entertainment/navigation system. UConnect has both Wi-Fi and cellular access. Miller and Valasek were able to remotely identify the network passwords, finding that the Wi-Fi passwords were associated with when the UConnect was first turned on. As designed, the UConnect system is not directly connected with the vehicle's Electronic Control Unit (ECU), although one microcomputer received information from both UConnect and the ECU. Miller and Valasek rewrote the software for that microcomputer, sent it to the microcomputer through the vehicle's Wi-Fi connection, and thereby directly connected UConnect and the ECU. Through this new connection, Miller and Valasek could send vehicle control commands over the Internet; the UConnect would receive the commands and transmit them to the ECU, thereby controlling the vehicle's operation.

Other Hacking Efforts
Greenberg's story is not the first time hackers have controlled a moving vehicle. In 2014, Miller and Valasek were able to control specially modified Ford and Toyota vehicles. Last week, two other experts were able to hack a modified Tesla S vehicle. In the Ford, Toyota, and Tesla vehicles, the experts connected laptops to the vehicles' connection ports and, while in the vehicles, executed commands to hack the vehicles. Separately, Samy Kamkar announced last month that he could hack GM's OnStar system to remotely start vehicles. See Jessica Conditt, "OnStar hack remotely starts cars, GM working on a fix," Engadget.com.

Responses
Every original equipment manufacturer (OEM) has issued responses to the hacking stories. Some, like BMW, have discussed how data is protected and Internet communications are segregated from vehicle command data. Other OEMs have mentioned their efforts in working with security experts and developing industry guidelines for vehicle data security.

Fiat Chrysler quickly issued a recall for the affected vehicles to update the entertainment system, but also stated that exploiting the flaw "required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code" and added that manipulating its software "constitutes criminal action."

Tesla issued a challenge to all hackers, offering a bounty to any hacker who finds security flaws in their vehicles. Tesla also announced it was hiring security specialists and has an email address where members of the public can disclose security risks in the vehicles.

Several economic loss class actions have been filed against Ford, GM, Toyota and Fiat Chrysler, but no personal injury lawsuits had been filed against any OEMs as of August 15, 2015.

Senators Markey and Blumenthal filed the Security and Privacy in Your Car Act last month, calling on NHTSA to develop standards for vehicle security and driver privacy.

Implications
Hackers, malicious or friendly, can potentially access and control any vehicle that does or can connect to the Internet. Further, if a vehicle has an Internet-connected component that connects to the CAN network, they can potentially access and control any such vehicle. While we are not aware of any hacking effort causing an accident, we expect to see claims of hacking-caused accidents in the future. We further expect to see legislative, regulatory, and industry responses to these hacking efforts, and litigation concerning every hacked vehicle and connected component.

Keywords: hacking, products liability, NHTSA, electronics, connected vehicles, litigation, remote control, security breach

Patrick J. Cleary is with Bowman and Brooke, LLP, in Columbia, South Carolina.


Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).