First published by Automotive World

While connected cars make life more convenient, journeys greener and roads safer, vehicle manufacturers face challenges in keeping personal data safe, avoiding driver distraction and preventing cyber attacks.

Cyber security experts have shown considerable interest in connected car vulnerabilities and, in three recently reported cases, OEMs do not appear to have been adequately prepared: Fiat Chrysler Automobiles recalled 1.4 million vehicles in the US over a vulnerability in dashboard computers that allowed hackers to disable the vehicle; white hat hackers broke into General Motors’ OnStar system; and white hat hackers plugged into a Tesla Model S to implant malware into the car’s central computer.

These incidents are likely to be the thin end of the wedge – hacking will become more prevalent if the predicted growth of the connected car market transpires (EY estimates that 104 million cars will have some form of connectivity by 2025).

FCA’s recall may have been an (understandable) reaction to criticism from the US National Highway Traffic Safety Administration (NHTSA) over the “timeliness and effectiveness” of FCA’s handling of previous vehicle recalls. That said, reports suggest that FCA initially considered the flaw not to be a safety defect and waited 18 months to notify the vulnerability to the NHTSA. Either way, FCA’s action did not deter class-action plaintiffs in Illinois and Missouri from seeking damages for diminished vehicle values caused by the hacking threat. While it is hard to envisage the losses actually suffered where software patches have been applied, one should not gainsay the ingenuity of US plaintiff lawyers.

It is therefore vital that OEMs implement effective systems to identify defects and, upon discovery, immediately to notify the relevant authorities, customers and dealers and, if appropriate, to effect a product recall. While a full-blown recall may be costly and give rise to reputational damage, those concerns must be balanced against the potential civil and criminal liabilities and heightened reputational damage where appropriate action is not taken.

The FCA and Tesla vehicles suffered from security flaws which enabled hackers to gain remote control of safety-critical vehicle systems, and therefore cause risk of personal injury or death. It is debatable whether the flaws caused a significant risk since no personal injuries or deaths resulted but, even in those circumstances, the tendency to recall among carmakers would – and should – be strong.

OEMs are well-advised to collaborate with cyber security experts as software vulnerability can lead to serious safety issues and, potentially, loss of market confidence. While the FCA recall was the first automotive recall prompted by cyber security threats, those threats will undoubtedly increase and demand ever faster and more sophisticated responses.