Many of you probably remember the very dramatic 60 Minutes segment from a few years ago where they put a reporter inside a Jeep and then disabled the brakes and watched the car go slowly into a ditch, all while the reporter videoed it (see this CBS web page).
Not surprisingly, Chrysler quickly fixed the bug after the PR disaster that the 60 Minutes video turned out to be.
According to a class action lawsuit, Chrysler knew about the bug but decided not to fix it until the 60 Minutes segment.
The researchers took over the car via its radio (OK, it is a little more complicated than that; through the “infotainment” system). It is all interconnected and there is very little security in it.
Over the last three years this case has been working its way, slowly, through the courts. The plaintiffs said Chrysler knew about the bug for years but didn’t fix it, and Chrysler said that since you didn’t roll into a ditch you weren’t directly impacted, so you can’t sue.
A year later the researchers figured out how to break through the patch, although that required physical access to the car.
And in 2018 Chrysler had to recall almost 5 million cars due to a bug that could lock the car in cruise control mode. The fix for that is to put the car in neutral, slow the car with the brakes, then put it in park. That will unlock the cruise control.
You should stop thinking of that big metal box you drive as a car with a computer in it and rather think of it as a hundred or more computers, more or less connected, that happen to have wheels and an engine.
At this point the U.S. Supreme Court said that the car owners do have standing. This is a huge win for attorneys who want to sue over cyber-security issues.
Chrysler says that they are looking forward to the trial (sure they are; if they were so confident, why have they been fighting to avoid going to trial for the last three years?). They say that none of the class participants’ cars were hacked and the bugs have now, finally, been fixed. The plaintiffs say that the resale value of their cars has been damaged.
The trial is currently scheduled to start in October and the testimony, assuming they don’t settle out of court, could be very embarrassing as to who knew what when.
For businesses, this is yet another step in holding companies liable for software bugs. Potentially, in this case, bugs that they knew about but did not fix.
Does your insurance cover this? Is it product liability insurance or cyber insurance? It is probably not general liability insurance. Maybe none of them.
This trial and the endless appeals are far from over, but the news so far is certainly not good for companies that don’t give cyber-risk the attention it is due.
Plaintiffs’ attorneys no doubt are excited that they will get to the trial stage, but there is a long way between going to trial and winning on appeal, so don’t get too happy yet.
This will definitely be a case to watch and, for businesses, it is time to ramp up the attention on cyber-security.
Details from this post came from The Register.