A team of privacy experts is urging a California appeals court to resurrect a case spotlighting the hacking of computers in cars, warning breaches could result not only in stolen identity but physical injury.
“‘Connected vehicles’ expose American drivers to the risks of data breach, auto theft, and physical injury,” the Electronic Privacy Information Center asserted in a friend-of-the-court brief to the 9th U.S. Circuit Court of Appeals.
They, and others, are asking that a lawsuit out of San Francisco be restored. The case, Helene Cahen v. Toyota, focuses on the electronic monitoring and Internet connectivity built into cars. A trial judge dismissed the case for lack of standing, but the brief contends the ruling should be reversed.
And it’s no longer just about privacy; it’s about public safety, too, the brief argues.
“The internal computer systems for these vehicles are subject to hacking, unbounded data collection, and broad-scale cyber attack,” the brief explains. “Despite this extraordinary risk, car manufacturers are expanding the reach of networked vehicles that enable third party access to driver data and vehicle operational systems.
“The plaintiffs in this case seek the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk. That should be allowed to proceed.”
WND reported a year ago when two U.S. senators proposed the SPY Car Act of 2015 to create privacy standards for computer systems that control today’s generation of electronics-heavy vehicles.
The proposal came just as a Wired.com contributor reported hackers who set him up in a new vehicle were able to take over its controls while he was driving at 70 mph.
“As the two hackers remotely toyed with the air-conditioning, radio and windshield wipers, I mentally congratulated myself on my courage under pressure,” wrote Andy Greenberg at Wired in an article headlined “Hackers remotely kill a Jeep on the highway.”
In the 2015 article, he reported that his vehicle suddenly slowed to a crawl, an 18-wheeler approached from behind and “the experiment had ceased to be fun.”
Privacy advocates have warned since 2011 about in-car tracking and other computer devices. Marc Rotenberg of the Electronic Privacy Information Center wrote then that data from embedded “black boxes” in vehicles could provide unwanted information to state agencies.
Later, the systems were upgraded, connecting vehicles to the Internet.
Greenberg explained that the industry’s Uconnect is prompting questions.
It’s an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs and trucks that controls the vehicles’ entertainment and navigation, enables phone calls and provides a Wi-Fi hot spot.
Greenberg noted the cell connection also “lets anyone who knows the car’s IP address gain access from anywhere in the country.”
The hackers with whom he was working, he said, have “only tested their full set of physical hacks, including targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit.”
EPIC already has written extensively about the “Internet of Things,” explaining how various technologies communicate with each other through systems such as IPv6, RFID, Wi-Fi and GPS in appliances, smartphones, wearable computers and other devices.
“The ubiquity of connected devices would enable [the] collection of data about sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals,” EPIC said.
With “340 trillion trillion trillion” Internet Protocol addresses available, there’s no problem with assigning each vehicle one, the article explained.
The new brief argues that some of these issues need to be adjudicated so that American consumers know what they’re getting into.
In dismissing the case, the court “underestimated the substantial risk to public safety of connected cars and misconstrued the plaintiffs’ invasion of privacy claim. Whether or not the court ultimately agrees with the allegations presented, they are clearly sufficient to establish Article III standing,” the brief argues.
Additionally, the “court’s conclusion is also wrong because it fundamentally misunderstands the security vulnerabilities created by connected cars,” EPIC writes.
“Cars today are dependent on extraordinarily complex onboard computer systems. According to the Government Accountability Office, the typical modern high-end car contains over 100 million lines of code – substantially more than a Boeing 787 passenger airline[r], which contains 6.5 million lines of code, or an F-22 U.S. Air Force jet fighter, which contains 1.7 million lines. … As these vehicles have become more complex, the potential for software errors and related vulnerabilities correspondingly rise.”
However, the brief notes, “car manufacturers have failed to take adequate steps to address these vulnerabilities.”
Since first appearing in the 1970s, “electronic control units” in cars “have grown in complexity, replacing or controlling many mechanical functions. The typical modern vehicle now relies on computerization for almost everything from ‘engine management to steering, braking, climate control, navigation, [and] infotainment,’” the brief says.
By now, the “engine management system, brake controller, airbags, seatbelt pretensioners, door locks, gauge cluster, sound system, seat controls, communications systems and telematics units are all interconnected.”
In short, that means “window switches have a potential path of communication to the brake controller, the entertainment system has a channel to communicate through to the vehicle’s airbags, and so on.”
There also is no “authentication” system, “allowing anyone with access to the system, authorized or not, to control vehicle components,” it explains, with access available through Bluetooth or GPS.
As a result, millions of cars on the road “are vulnerable and pose a serious security risk to their occupants and to others.”
The warning followed: “Wide-scale malicious automobile hacking is no longer theoretical. The lower court failed to appreciate the nature and immediacy of the problem when it concluded that the threat is ‘speculative.’ Although a full-scale remote car hijacking is certainly a serious risk to car owners and others …. Hijacking is not the only risk… Connected cars leave consumers open to car theft, data theft, and other forms of attack as well. These attacks are not speculative; many customers have already suffered due to vulnerable car systems.”
Ransomware attacks and electronic disabling are just a few of the problems that already have been reported.
“Connected vehicles raise significant public safety concerns that the courts cannot ignore. One company has already recalled 1.4 million vehicles because of the risk of remote hacking,” the brief says.
And some 20 states regulate the collection and use of driver data.
“But wide scale malicious automobile hacking is certainly imminent, if not already occurring,” EPIC says.
Earlier this year, WND columnist Craige McMillan warned: “Let’s face it: Hacking these vehicles isn’t a possibility; it’s a certainty. It might be a kid spoofing you, trying to make you crash. Maybe a gang that’s going to reprogram your destination and part out both you and your vehicle. Heck, they could even operate from overseas via your onboard Internet.
“Professional criminal gangs already orchestrate crashes on freeways and busy streets to bilk insurance companies; why wouldn’t they turn to hacking as well? A skilled team of such experts could probably hack you right up into a semi tractor trailer, bolt the door and take you and the vehicle anywhere they wanted.”
His concern was for the fully computerized, self-driving vehicles.
“Somehow, self-driving cars just don’t seem very well thought out to me. The penalty for not thinking this out before we do it is going to be very large, indeed.”