Lawsuit Claims Major Automakers Have Failed To Guard Against Hackers
Lucas123 writes: A Dallas-based law firm has filed a class-action lawsuit in the U.S. District Court for the Northern District of California claiming Ford, GM and Toyota all ignored basic electronic security measures that leave vehicles open to hackers who can take control of critical functions and endanger the safety of the driver and passengers. The suit, filed on behalf of three vehicle owners and "all others similarly situated," is seeking unspecified damages and an injunction that would force automakers to install proper firewalls or encryption in vehicle computer bus systems, which connect dozens of electronic control units. "Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers," attorney Marc Stanley said. The lawsuit cites several studies revealing security flaws in vehicle electronics. A 2013 study by the Defense Advanced Research Projects Agency found researchers could make vehicles "suddenly accelerate, turn, [and] kill the brakes." A study released last month by Sen. Edward Markey (D-Mass.) also claims automakers have fallen far short in their responsibility to secure their vehicles' electronics.
In a 2013 study that was funded by the Defense Advanced Research Projects Agency (DARPA), two researchers demonstrated their ability to connect a laptop to two different vehicles' computer systems using a cable, send commands to different ECUs through the CAN, and thereby control the engine, brakes, steering and other critical vehicle components
So you're telling me that if you have direct physical access to a car's ECU, you can issue commands to it? No shit, Sherlock. That is THE WHOLE POINT of the CAN bus. The only alternative would be to close down the bus and only allow "authorized" accessories to be connected to it - hello sky-high diagnostic fees and goodbye to useful Bluetooth OBD connectors.
Call me when this can be done wirelessly. Oh and yes I did read the "What the companies failed to note is that the DARPA study built on prior research that demonstrated that one could remotely and wirelessly access a vehicle's CAN bus through Bluetooth connections, OnStar systems, malware in a synced Android smartphone, or a malicious file on a CD in the stereo" blurb - which still failed to materialize an actual working example of exploiting a CAN wirelessly.
There will be no recall fix if they attempt to encrypt the CAN bus. Most of the processors on the bus are not powerful enough for software encryption. They have hardware CAN modules.
A typical Dodge has from 17 to 22 CAN nodes on three CAN buses. Each node is, of course, a processor. Just how powerful does the sunroof controller have to be, anyway? Many of the processors on the bus have 128-256K flash program memory and 34 to 96k RAM.
Never gonna happen.
Sorry, but this is a complete bullshit lawsuit. Most of the hacks have required physical access to the CAN bus or have required modifications to the entertainment system to remove the firewalls in place - yes they have them on some I'm familiar with. A few jackasses have put out scary "hacks" and now this is the crap that we get to deal with? The CAN bus shouldn't be encrypted as not only will this drive cost up but it will also prevent some of the good stuff going on like replacement ECU in the performance industry and diagnostic tools for the home user.
Sorry, but this is complete and utter garbage and I hope it's tossed out damned fast.
Build it, Drive it, Improve it! Hybridz.org