The growth of the Internet-connected car has opened up a new potential vulnerability that computer hackers could exploit.
John Villasenor is professor of electrical engineering, public policy, and management and a nonresident senior fellow at the Brookings Institution. This column appeared Sept. 4 on Slate.
Last month, Wired published an account describing how security researchers Charlie Miller and Chris Valasek were able to wirelessly hack into a Jeep Cherokee. After first taking control of the entertainment system and windshield wipers, they then disabled the accelerator. Even more alarming, Miller and Valasek also wirelessly disabled the Jeep’s brakes, leaving Andy Greenberg, the Wired writer who was at the wheel, “frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.” A few days later, Fiat Chrysler Automobiles announced a recall affecting about 1.4 million vehicles.
This particular vulnerability will presumably be quickly patched. But given the headlong rush of automobile manufacturers to make “connected” vehicles, it’s likely that other vehicle cybersecurity holes will be discovered as well — some of which might enable cyberattackers to take control of a vehicle over the Internet and cause an accident. And if that happens, who is liable?
There are three main groups that could potentially be held accountable: the cyberattackers, the companies involved in manufacturing and selling the vehicle, and, under some circumstances, the vehicle’s owner.
Of course, the most direct blame falls on the cyberattackers. If they intentionally acted to impede the function of a vehicle and ended up causing — inadvertently or not — an accident, they would stand exposed to both criminal prosecution and civil liability. But finding the cyberattackers in such a situation could be difficult, especially if they were careful to hide their tracks. In addition, even if the attackers could be found, they might be located in a different country, which could further complicate efforts to seek compensation or prosecution.
Companies involved in manufacturing and distributing the vehicle containing the cybersecurity flaw could also be held liable. While the prospect of cyberattack-induced car crashes is new, products liability law — which provides the framework for seeking remedies when a defective product (or misrepresentations about a product) causes harm to persons or property — is well-established. People injured in the accident could seek damages under multiple theories of liability, including negligence, manufacturing defects, design defects, misrepresentation, breach of warranty and failure to warn.
However, whether the victims could prevail in a products liability claim is another matter. Manufacturers will quickly lawyer up when vehicle cybersecurity vulnerabilities are identified. A hint of this was visible in the July 24 recall announcement from Fiat Chrysler Automobiles. “No defect has been found,” FCA dubiously proclaimed in response to the Wired article. In addition, FCA wrote that the hack “required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code.” Intended message: Finding and exploiting that vulnerability involved such a high level of sophistication that there was no reasonable way for FCA to have foreseen or prevented it in advance — and no liability for any harms that might result.
A jury in a products-liability trial might be skeptical. If the brakes can be disabled by someone miles away who simply pushes a button on a keyboard, it’s hard to argue with a straight face that there’s no defect present.
Finally, under some limited circumstances the car’s owner could have liability exposure. If the owner had no awareness of the vulnerability even after the recall was issued, there would likely be no liability — after all, many owners might never receive, or never read, a recall notice. But suppose a person injured in the accident could prove that the owner was specifically made aware of the problem and of a simple, no-cost way to address it, and yet had deliberately decided to do nothing? As John Edwards, a products-liability attorney with Hinman and Carmichael LLP, told me in an email, “if a person got a recall notice about a safety defect that can be shown to pose a potential danger to others and ignored it, that could certainly be the basis for a claim of negligence.” That same principle, Edwards added, would apply not only to traditional vehicle safety defects but also to a potentially dangerous cybersecurity exposure.
It would be nice to think that the issues of liability for a cyberattack-induced car accident will never need to be tested in court. But unfortunately, that’s unlikely to be the way things play out. More realistically, the best we can hope for is that any such accidents result in minimal harms, and that manufacturers redouble their efforts — which clearly haven’t been sufficient — to ensure that connected cars can’t be connected to cyberattackers.