Fiat Chrysler Recall Highlights Potential Need for Regulatory Changes

Last week, Fiat Chrysler issued a recall of more than 1.4 million vehicles after security researchers from Wired Magazine exposed major security flaws that would allow potential hackers to take over a vehicle’s crucial systems remotely.

In a controlled demonstration, Charlie Miller and Chris Valasek hacked into a Jeep Cherokee as it was traveling 70 m.p.h. down a St. Louis highway. The hackers were able to take control of the vehicle’s air conditioning, entertainment system, and at one point were able to cut the Jeep’s accelerator. The hackers also revealed the capability to cut the Jeep’s brakes, as well as the ability to track a targeted vehicle’s GPS coordinates via its navigation system.

The experiment revealed vulnerabilities contained within Fiat Chrysler’s Uconnect system, the internet-connected computer feature that controls navigation, enables phone calls, and even offers a Wi-Fi hot spot in hundreds of thousands of Fiat Chrysler vehicles. According to Wired Magazine, a hacker need only know a car’s IP address in order to potentially gain access to the vehicle from anywhere in the country.

Last week’s recall illustrates how the rapidly-developing “Internet of Things” (i.e., the increasing use of interconnected devices in everyday life) can implicate not just issues of personal privacy and data security, but physical safety. It also raises serious questions of accountability for both automakers and government regulators. On July 21, 2015, Senators Edward J. Markey (D-Mass) and Richard Blumenthal (D-Conn.), who followed Miller and Valasek’s research, introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal performance standards that would protect drivers’ privacy and secure vehicle software systems. The Security and Privacy in Your Car (SPY Car) Act would establish a rating system that would inform consumers about how well the vehicle protects drivers’ security and privacy beyond the minimum standards set forth by the Act. The SPY Car Act also contains proposed limitations on automakers’ disclosure, retention, and use of information collected by the on-board software systems featured in most modern vehicles.

Whether or not the SPY Car Act becomes law, it is not difficult to imagine that future real-world data breaches or injuries resulting from vulnerabilities in on-board computer systems could result in significant liability for car manufacturers, especially if they were to occur on a widespread scale. Accordingly, the auto industry should be cognizant of these vulnerabilities and take steps to ensure their vehicles are secured from digital attacks.

Gordon & Rees LLP’s Privacy & Data Security Group will continue to monitor and report on the implications of vehicle security breaches.