Lawsuit Claims Toyota, GM & Ford Deceived Consumers About Hackability Of Connected Cars

A recently filed class action lawsuit claims that Toyota, Ford and General Motors knowingly put consumers at risk by selling connected cars that can be susceptible to hackers looking to remotely control vehicle functionality. 

The lawsuit [PDF],filed today in U.S. District Court in California, alleges that the car manufacturers deliberately misled consumers by hiding the dangers associated with computer car systems and failing to address subsequent safety concerns.

The problem was spotlighted in February when 60 Minutes aired a segment (see video below) showing how hackers could use a laptop to take over total control of a car — allowing them to remotely operate everything from the horn to the wipers to the brakes.

“When [automakers] introduce a new technology in their vehicles, and tout its benefits, they must test the technology to ensure that it functions properly,” the suit states. “But Defendants failed consumers in all of these areas when they sold or leased vehicles that are susceptible to computer hacking and are therefore unsafe. Because Defendants failed to ensure the basic electronic security of their vehicles, anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others.”

According to a report [PDF] by Massachusetts Senator Edward Markey last month detailing security and privacy gaps in connected vehicles sold by 16 manufacturers, today’s cars and light trucks contain more than 50 separate electronic control units (ECUs) connected through a controller area network (CAN) or other network.

Vehicles sold by Toyota, GM and Ford contain more than 35 separate ECUs, according to the 343-page lawsuit.

The functionality, safety and privacy of vehicles depend on these units operating properly and communicating clearly with each other.

While technological features such as built-in navigation and entertainment systems can prove helpful to consumers, past tests conducted by manufacturers and industry groups have found the features also create vulnerabilities to hacking attacks that could be used to modify the operation of a vehicle.

Last year, in a Defense Department-funded test on a 2012 model American-made car, hackers demonstrated they could create the electronic equivalent of a skeleton key to unlock the car’s networks.

Markey’s report found that nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusion.

According to the lawsuit, Toyota, GM and Ford have known for years that their CAN equipped vehicles have been susceptible to hacking and that ECUs cannot detect or stop the attacks, but have done little to address the issues.

“The CAN in all Toyota vehicles, Ford vehicles, and GM vehicles are essentially identical in that they are all susceptible to hacking and thus suffer from the same defect,” the suit states.

The suit claims that defects in the security of the networks allow hackers to take control of such basic functions such as braking, steering and acceleration, while preventing the driver from regaining control of the vehicle.

“We shouldn’t need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect,” the lead attorney for the suit says in a statement [PDF]. “Just as Honda has been forced to recall cars to repair potentially deadly airbags, Toyota, Ford and GM should be required to recall cars with these dangerous electronic systems.”

Additionally, many of the suit’s plaintiffs say they were never made aware when purchasing their vehicles that their safety or personal information were at risk.

“It’s scary to know you could be driving down the highway and a hacker could seize control of your car,” she says. “Toyota never mentions this risk when extolling its technology to sell you the car.”

Because the automakers have heavily marketed the benefits of connected vehicles without noting the vulnerability of hacks, the lawsuit claims that vehicle owners have suffered losses in money and property.

“Had Plaintiffs and the other Class members known of the defects at the time they purchased or leased their vehicles, they would not have purchased or leased those vehicles, or would have paid substantially less for the vehicles than they did,” the suit states.