SOUTHFIELD, MI – While automotive cybersecurity still is in its infancy, experts in the field say that in the future owners, not manufacturers, may be responsible for securing their vehicles from hacks.
“When the capability exists for the manufacturer to control (security software updates), and do those updates over the air like Tesla is doing, (responsibility and liability) may shift over time,” Bruce Coventry, chairman of automotive security software firm TowerSec tells WardsAuto here during a Society of Automotive Analysts meeting on the issue of cybersecurity.
Lawyer James Giszczak, chair-Data Privacy and Cybersecurity for McDonald Hopkins, says if in-car data protection is available in the future, and vehicle owners don’t take advantage of it, they may be personally liable.
A movement to shift liability for hacking to consumers already is under way in the banking industry, says Tom Winterhalter, supervisory special agent-FBI Detroit Div. Cyber Squad.
While banking and credit-card companies have been paying out settlements for data breaches, they’ve started to fight back as breaches become more frequent and their monetary losses grow.
“A lot of the organizations we’ve dealt with are deciding, ‘You know what, we’re going to litigate. We’re going to say it was your responsibility to secure your information,’” Winterhalter says.
Giszczak bemoans the seeming lack of action from automakers on the topic of automotive cybersecurity, calling out the “not exactly stellar” answers offered by automakers questioned recently by Sen. Ed Markey, D-MA, on the topic of vehicle hacking.
Coventry says TowerSec is finding more internal resources being directed at the issue than when he first started meeting with automakers three years ago.
Still, he acknowledges “not one car being sold today has cybersecurity protection, not one, and yet we’re talking about it every day.”
TowerSec, founded in 2012 by uniting what Coventry classifies as the best minds in automotive and Israeli cybersecurity, has two software solutions for automotive: one embedded for new vehicles that would last their lifetime, and another for the roughly 300 million existing vehicles on the road. It counts itself among a half-dozen firms offering in-car security software solutions.
A University of Washington study in 2011 found vehicles are particularly susceptible to hackers due to multiple access points, including tire-pressure-monitoring, telematics and keyless-entry systems, airbag control modules, onboard diagnostics, engine and transmission control units and the radio.
While it can do remote patching as done recently by Tesla after a Model S hack, TowerSec’s strategy is to stay ahead of any potential threat on a vehicle by monitoring the controller-area-network bus.
“Every message that runs back and forth to every device in your vehicle has to travel on that CAN BUS architecture,” Coventry notes, adding TowerSec has developed so-called “watchdog algorithms” to ward off potentially nefarious intrusions.
He doesn’t disclose any pending deals with automakers or suppliers, but says TowerSec has been working with large fleet companies that don’t want a truck’s location or cargo specifics being broadcast.
Clothing Retailer Lawsuit Could Impact Autos
Meanwhile, the class-action lawsuit pending against Ford, General Motors and Toyota for alleged lack of cybersecurity in their vehicles could be impacted by a suit against clothing retailer Neiman Marcus, says Giszczak.
In a class-action lawsuit, 350,000 Neiman Marcus credit cardholders allege a data breach could result in future injury.
While injury had to be a concrete notion in the past, a 7th Circuit Court of Appeals decision in June reversed an earlier decision by a lower court.
“I think that case will get decided first, and that’s going to dramatically impact how the courts look at that injury aspect and what is an injury,” Giszczak says.
If cardholders can claim injury for a data breach, he says, vehicle owners claiming injury may be more than plausible, because they purchased a product they expected was secure.
“You may look at it as ‘I wouldn’t have bought x car, I would have purchased y car, maybe I wouldn’t have purchased any,’” he continues. “To the extent we’re seeing this with credit-card lawsuits, if there’s injury there, the potential for injury is much greater in this context.”
The suit filed against Ford, GM and Toyota by a Dallas law firm seeks unspecified monetary damages and stems from a February report on CBS’s 60 Minutes showing a hacker controlling the brakes of a Chevy Impala through GM’s OnStar system.
While automakers called the hacking threat exaggerated, the day after the report Markey’s office released findings showing “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”
Markey’s report found only two of 16 automakers able to diagnose and respond to a hack in real time.