Automotive cybersecurity is an intractable nightmare with significant though inchoate implications for consumers and existential exposure for auto makers. This reality became painfully clear earlier this month when the U.S. Supreme Court declined to hear FiatChrysler Automotive’s appeal in a class action lawsuit over allegations of vulnerabilities in its Jeeps and other trucks.
The case will go to trial in March.
At the core of the lawsuit, arising from the infamous 2015 so-called “Jeephack” orchestrated by Chris Valasek and Charlie Miller (now General Motors employees), is the issue of FCA’s liability and responsibility for the hack or future hacks. The litigation raises the question of whether truck buyers can sue over hypothetical future injuries without being actual victims of a cybersecurity attack.
Approximately 200,000 FCA vehicle owners are parties to the class action, and the penalty they are asking the court to apply is $2,000 per vehicle. Obviously that means FCA’s exposure in the litigation is potentially $400M. In reality, given that 1.4M vehicles are implicated in the alleged FCA vulnerability, the actual exposure is $2.8B.
The consumers have said that, had the defects been disclosed, they never would have purchased the vehicles in the first place or would have paid less for them. They also said the defects reduce their vehicles’ resale value. A U.S. District judge certified the class action for claims of fraudulent concealment, unjust enrichment and violation of various state and federal consumer protection laws.
The significance of the lawsuit is that it quantifies the potential value of cybersecurity to the consumer at $2,000/car. It also suggests that large numbers of consumers are starting to care enough and understand enough about cybersecurity to take legal action where and when it is found to be wanting.
The action is the latest step in the process of the automotive industry coming to grips with the implications of cybersecurity. Every month brings word of yet another vehicle hack. Usually these “reveals” are accompanied by a description of the remedy being offered by the car maker – often in the form of a software update delivered either wirelessly to the car or during a dealer visit.
The cost of a dealer visit for a software update can be between $200 and $300. The lawsuit increases the understanding of that financial exposure tenfold and elevates cybersecurity to a board-level concern for most auto makers. Members of the Auto-ISAC, which is coordinating the industry’s reaction to the cybersecurity dilemma, acknowledge a steady flow of reported hacking attempts of cars.
But, as an industry, we appear to be whistling past the graveyard.
The simultaneous announcements from car makers of hacks and fixes reflect the reality that most automotive hacks, of late, have been conducted by ethical or white hat hackers. Hackers working as individuals or as employees of organizations such as IOActive, Lab Mouse or Tencent’s Keen Labs have used automotive hacks to build their reputations and relationships with auto makers.
A wide range of cybersecurity suppliers have also used hacks of auto makers or their suppliers as “door openers.” Multiple automotive cybersecurity companies have hacked cars and components as part of educating auto makers to the scope of the cybersecurity problem.
The choreographed nature of these hack-fix announcements further reflects the limited preparedness of the industry. The pending lawsuit calls into question the adequacy of the existing process of consumer notification regarding vehicle vulnerabilities.
The reality is that cars may never be certifiably secure. In fact, it is known that car companies’ enterprise operations have been hacked into via their connected cars and vice versa. Knowing that is enough to cause some lost sleep among senior auto executives while motivating others to elevate cybersecurity to a board-level responsibility.
The automotive industry has one of the most complex supply chains and is further compromised by its dependency on networks of franchise dealers. Add car sharing networks and autonomous vehicles into the mix and you have a gargantuan challenge.
If FCA can be sued on the grounds of potential vulnerability, successfully or not, the time has arrived to prioritize cybersecurity counter-measures. The challenge for auto makers is that consumers assume their vehicles are secure. The reality is that nearly any car can be hacked given enough time and determination on the part of the hacker.
The saving grace is that, to date, most hacks have required significant time and effort, including disassembly of vehicle systems and reverse engineering of firmware. It is also somehow reassuring that the potential opportunity derived from the hacking appears to boil down to vehicle or identity theft. Thus far terrorism remains nothing more than a boogeyman.
The onset of near-universal vehicle connectivity, along with collision avoidance, self-parking and other automated driving features, demands better cybersecurity preparedness in the industry. As to whether a lack of preparedness exposes auto makers to billions of dollars in liability, the courts will decide. One thing is clear: the Supreme Court of the United States chose not to dismiss the lawsuit – so the entire industry will be paying attention this March.
Roger C. Lanctot is Director, Automotive Connected Mobility in the Global Automotive Practice at Strategy Analytics. Roger will be participating in the Future Networked Car Workshop, Feb. 7, at the Geneva Motor Show – https://www.itu.int/en/fnc/2019.
More details about Strategy Analytics can be found here: https://www.strategyanalytics.com/access-services/automotive#.