Jeep Cherokee Owners File Lawsuit Against Fiat Chrysler, Harman After Hackers Wirelessly Hijack Vehicle

It was inevitable: A few weeks after hackers showed that a Jeep Cherokee could be hijacked remotely, three car owners have filed a lawsuit seeking class-action status against Fiat Chrylser Automobiles and Harman International, the maker of the Uconnect onboard infotainment system.

The three Jeep Cherokee owners who filed a complaint against FCA and Harman on Tuesday [PDF] accuse FCA and Harman of fraud, negligence, unjust enrichment and breach of warranty.

Charlie Miller and Chris Valasek, the security researchers who hacked the Jeep while a Wired.com reporter was driving it, exploited a security flaw in Uconnect that gave them the entry point to wirelessly take control of the vehicle. The plaintiffs point out that hackers had alerted FCA to the fact that there were architectural vulnerabilities in Jeep Cherokees in a paper back in 2014.

At that time, Miller and Valasek noted that there are connections between the internet-enabled Uconnect and the vehicle’s CAN Bus, which Wired.com notes is the network that controls critical driving features like the steering and brakes. Having those connections between the system that plays streaming music and the system that controls your brakes is a serious defect in vehicles FCA and Harman sold to customers, the plaintiffs argue.

“The [affected] Vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure Uconnect system through the CAN bus,” thee complaint reads. “Uconnect should be segregated from these other critical systems. There is no good reason for this current design. The risks associated with coupling these systems far outweigh any conceivable benefit.”

The plaintiff’s lawyer tells Wired.com that the suit also seeks an injunction against the two companies that would force Chrysler to stage another recall to address those architectural security claims.

Though FCA had issued a software patch for the Uconnect issue a week before Wired’s story, after working with Miller and Valasek on it in early 2015, the lawsuit argues that neither the patch nor the subsequent recall (issued under pressure from the National Highway Traffic and Safety Administration) fixes the problem.

“As long as the Uconnect system is physically connected to the vehicles’ CAN bus, the potential for vulnerability exists,” the complaint reads. “The overarching defect is a design and system architecture problem in that non-secured systems are coupled with essential engine and safety controls. This is not a software issue.”

The lawsuit argues that the plaintiffs suffered from fraud, because their defective vehicles aren’t worth as much as they thought, as they’re vehicles that are “known to be subject to the unreasonable risk of catastrophic accident because of defects.”

The complaint adds that “plaintiffs and Class members are subjected to a continuing increased risk of severe injury or death but for the Defendants’ failure to disclose or remedy the defect.”

It’s unclear what total damages the lawsuit might seek, but if the lawsuit is certified as class-action, it could potentially include millions of drivers with vulnerable Uconnect systems in their vehicles. And though this might be the first lawsuit filed regarding Uconnect and FCA, there could always be more.

“It’s way too early to have any idea what kind of damages the class has suffered,” the attorney for the three plaintiffs told Wired. “Right now we’re just focusing on trying to make these vehicles safe.”

Chrysler and Harman Hit With a Class Action Complaint After Jeep Hack [Wired.com]