Hackers Could Take Control Of Your Car, But You Can’t Sue Carmakers For That Risk (Forbes Cross-Post)

Photo credit: “Car center console and smart phone display hacker icon” // ShutterStock

Cars contain millions of lines of software code, which makes them tempting targets for hackers. Further, with the increased automation of cars, we face growing risks that malicious hackers will remotely take control of cars and cause significant personal or property damage. Ideally, car manufacturers would be actively combating this risk, but news reports instead regularly point out their failings to design secure software car. Nevertheless, a recent court ruled that buyers can’t sue car manufacturers for hackable software…at least, not until there’s some tragedy.

The Case

Ford, General Motors and Toyota were sued for selling cars that allegedly contained software that a malicious hacker could use to seize control and cause physical and property damage. While that sounds really scary, such damage has not apparently occurred yet. The court summarizes: “Defendants point out that plaintiffs do not allege any hacking incidents that have taken place outside of controlled settings, and that the entire threat rests on the speculative premise that a sophisticated third party cybercriminal may one day successfully hack one of plaintiffs’ vehicles.”

Citing a case involving easily defeated hotel locks, the court says plaintiffs’ allegations of harm were too speculative:

it is difficult for me to conclude whether plaintiffs’ vehicles might be hacked at some point in the future…Plaintiffs have alleged only that their cars are susceptible to hacking but have failed to plead that they consequently face a credible risk of hacking.

The plaintiffs also argued that they overpaid for their cars because the software insecurity makes their cars less valuable. The court has a not-very-comforting response:

all vehicles manufactured post-2008 are required to be equipped with some form of the CAN bus protocol that plaintiffs allege to be insufficient. This means that potentially all post-2008 cars vehicles on the American market, and not just defendants’ vehicles, lack the allegedly necessary security protections and firewalls. Because the alleged harm is unmanifested and widespread, how that would translate into economic injury is unclear.

Because the plaintiffs could not show how they have already suffered sufficiently concrete harms, the court dismissed the lawsuit but gave the plaintiffs a chance to try again.

Implications

Class action lawsuits are a poor mechanism to redress security deficiencies. After all, no product is 100% secure, and the last thing we need is plaintiffs’ lawyers pouncing when well-meaning manufacturers experience unavoidable security failures.

Still, data security is one of the most important social issues of our modern era, and that’s especially true for cars. Nowadays it’s hard to distinguish a car from a computer, except that most computers can’t physically drive their users into brick walls or off a cliff. Given the serious physical and property damage risks created by hacked cars, we need automakers to treat the integrity of a car’s security as important as the car’s integrity in a rollover. Carmakers compete aggressively with each other over the physical safety of their cars; it’s time for them to compete over data security as well.

Case Citation: Cahen v. Toyota Motor Corp., 2015 WL 7566806 (N.D. Cal. Nov. 25, 2015). The initial complaint.