Back to overview

Commercial Question

Connected cars and cyber security

updated on 06 October 2015

Question

Cyber security in the automotive industry - what's the risk?

Answer

While connected cars (ie, cars equipped with internet access) make life more convenient, journeys greener and roads safer, carmakers face challenges in keeping personal data safe, avoiding driver distraction and preventing cyber-attacks. Cyber security experts have shown considerable interest in connected car vulnerabilities and, in three recently reported cases, carmakers do not appear to be adequately prepared, as demonstrated by the fact that:

  • Fiat Chrysler Automobiles (FCA) recalled 1.4 million vehicles in the United States over a vulnerability in dashboard computers that allowed hackers to disable the vehicle;
  • white hat hackers (specialist IT security testers) broke into General Motors' OnStar system; and
  • white hat hackers plugged into a Tesla Model S to implant malware into the car's central computer.

That must be the thin end of the wedge as hacking will become more prevalent if the predicted growth of the connected car market transpires (Ernst & Young estimates that 104 million cars will have some form of connectivity by 2025).

FCA's recall may have been an (understandable) reaction to criticism from the US National Highway Traffic Safety Administration (NHTSA) over the "timeliness and effectiveness" of FCA's handling of previous vehicle recalls. That said, reports suggest that FCA initially considered the flaw not to be a safety defect and waited 18 months to notify the vulnerability to the NHTSA. Either way, FCA's action did not deter class-action plaintiffs in Illinois and Missouri from seeking damages for diminished vehicle values caused by the hacking threat. While it is hard to envisage the losses actually suffered where software patches have been applied, one should not gainsay the ingenuity of US plaintiff lawyers.

What, though, would happen if a carmaker was faced with a similar problem in the United Kingdom? The General Product Safety Regulations 2005 require manufacturers to ensure that their products are safe. The motor industry codes of practice (aligned with the regulations) provide a recognised and approved process to follow when a safety defect (“a feature of design or construction liable to cause significant risk of personal injury or death”) is identified.

It is therefore vital that carmakers implement effective systems to identify defects and, upon discovery, to immediately notify the Vehicle & Operator Services Agency, customers and dealers and, if appropriate, to effect a product recall. While a full-blown recall may be costly and could cause reputational damage, those concerns must be balanced against the potential civil and criminal liabilities and heightened reputational damage where appropriate action is not taken.

The FCA and Tesla vehicles suffered from security flaws which enabled hackers to gain remote control of safety-critical vehicle systems (and therefore cause risk of personal injury/death). It is debatable whether the flaws caused a 'significant' risk since no personal injuries/deaths resulted, but even in those circumstances, the tendency to recall among UK carmakers would (and should) be strong.

Carmakers are well-advised to collaborate with cyber security experts, as software vulnerability can lead to serious safety issues and, potentially, loss of market confidence. While the FCA recall was the first automotive recall prompted by cyber security threats, those threats will undoubtedly increase and demand ever faster and more sophisticated responses.

Ian Plumley is a partner at Clyde & Co.