First, it was phone tapping, then computer hacking and identity theft. Now, the electronic fear du jour is car hacking. As our cars are powered by ever-increasing numbers of computers and software programs, and as automakers promote connectivity (from traffic-monitoring apps to mobile phone synchronization and collision avoidance systems), alarms have been raised about the possibility of hackers obtaining access to a car’s computers. One particularly bleak scenario involves hackers wreaking havoc on self-driving cars, whose hapless passengers won’t even have time to grab the steering wheel before their four-wheeled mobile devices engage rampage mode.
While nothing like this has happened in real life, researchers (including two individuals funded by DARPA for a 2013 study) have been able to access a vehicle’s computer systems using a laptop and, reportedly, obtain control of the vehicle’s steering, brakes, engine, and other components. While conducted in a controlled environment, these experiments caught the attention of Washington, D.C. and the media. A report released last month by U.S. Senator Ed Markey’s office, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” mentions those experiments and concludes that no major auto manufacturer is properly prepared to handle the hacking and data privacy risks posed by existing and forthcoming automotive technology. Yet the report also noted that none of the automakers questioned by Markey had received any indications of hacking or attempted hacking in the real world. Is car hacking the next great security threat, or much ado about nothing?
Dallas attorney Marc Stanley takes the position that car hacking is a threat. On March 10, Stanley’s law firm filed a putative class action lawsuit in the U.S. District Court for the Northern District of California against Toyota, Ford, and General Motors, alleging that those automakers’ vehicles are susceptible to hacking, thus breaching the manufacturers’ warranties and various state and federal consumer protection laws. The 343-page complaint requests injunctive relief (in the form of a recall or free replacement program), disgorgement, and other damages. As of this writing, the automakers had not responded to the complaint.
This lawsuit raises interesting questions. Since a real-world car hacking incident has never been reported, are the plaintiffs’ claims ripe? The complaint argues that the alleged ability of hackers to access vehicle computers renders false the manufacturers’ representations of their vehicles’ safety. Further, say the plaintiffs, since Toyota, Ford, and GM have refused to either repair the vehicles or replace them at no cost, the manufacturers have breached both express and implied warranties.
The argument that the vehicles at issue are not safe because they could be hacked is a creative attempt to circumvent the ripeness issue. But it seems likely that ripeness will present a large initial hurdle for the plaintiffs in this case. That a few researchers were able to access a vehicle’s computer system in a controlled setting is not necessarily evidence that the vehicles could be compromised by a malevolent third party, nor that such a hypothetical situation renders the vehicles unsafe to drive.
The plaintiffs have requested their money back from the manufacturers, yet they admit in the complaint that they are still driving their vehicles and make no assertions that the vehicles are otherwise unfit for their intended purpose. At this point in time, the plaintiffs’ allegations appear speculative at best.
This is not to say that automakers should not take the hacking threat seriously. The Markey report raises important questions about consumer safety that automakers would be well advised to attempt to answer. As cars increasingly become mobility devices, in which occupants can surf the Internet, download music and apps, monitor traffic and road conditions and the like, the proliferation of computer systems creates added risks, including hacking. That a vehicle has not been maliciously hacked does not mean that it could not happen or that it would not in the future. Should that happen, immediate media, political, and legal scrutiny will descend on the automaker at issue, who will be asked what it knew, what it should have known, and what safeguards it should have developed. All automakers have a common interest in preventing that day from ever happening.
To what extent will automakers remain responsible for the computer systems in their vehicles? Will those systems someday come with a separate warranty that is longer (or shorter) than existing bumper-to-bumper warranties? Will the consumer become responsible for updating firewalls, virus protection, etc.? If a vehicle is hacked and it is discovered that the owner had not brought the car in for service to have a software update performed, should the owner share the liability? Right now, these questions are being asked in the abstract. Sooner than we think, the answers will have real-world impact.
One issue raised by the Markey report but not included in Stanley’s class action is that of privacy. Vehicles record copious amounts of data, such as vehicle performance and geographic location. As drivers increasingly use their vehicles as an extension of their mobile devices, the proliferation of data stored in or transmitted through the computer systems will no doubt prove tempting to hackers. Indeed, it seems plausible that, in the future, a hacker might be more likely to attempt to steal your identity through your car’s computer than to try to disable your brakes or steering.
Interestingly, the Markey report expresses more concern with automakers’ use of vehicle data than with hackers. Given Washington’s interest in demonizing manufacturers since the General Motors ignition switch debacle, this is not surprising. Yet, it seems to paint only half the picture—the less concerning, though no doubt more politically convenient, half. Yes, automakers do record and store vehicle data, and may share some of that data with third parties. But Google and Facebook do the same thing, on a mind-boggling scale. To the extent vehicles record and store personal information, should Washington be protecting drivers from the automakers or from hackers? The hacking risk may be speculative at this point, while automakers’ collection of data is actually happening, yet the potential harm from hacking would likely be greater than any harm caused by automakers doing what all the major technology companies do.
In this brave new world of speculative but plausible threats, the best approach may be to stay calm and carry on and not let the premature panic or political pontificating obscure the fact that these issues are real and they do need to be addressed. But vehicles are not, and are not likely to become, mobile time bombs. Anyone interested in improving vehicle safety should start with the American public’s lack of driving skills. We have done an awfully good job of endangering ourselves on the roads already, with or without hackers.
Source: http://ift.tt/1x0E2AG
from hacker samurai http://ift.tt/1GXhEYT
via IFTTT
No comments:
Post a Comment