Potential vulnerabilities in automotive computer systems fuel fears of future liability risks and product recalls

Two American hackers partially funded by the US-government’s own Defense Advanced Research Projects Agency have demonstrated their ability to connect to a car’s computer then remotely control the vehicle’s acceleration, braking and steering.

With the hackers, Charlie Miller and Chris Valasek, planning to release their findings at a hacker convention being held in Las Vegas this week, the automotive industry is under pressure to guarantee the safety and integrity of the technology it employs.

JLT’s managing director of professional and executive risks Asia, Ali Chaudhry, said automotive manufacturers could face product-liability exposures if their vehicles were involved in accidents that caused injury or damage and were ultimately found to be ‘defective’. “If the problem does not go as far as causing injury or damage, then there the cars could be recalled simply because there is potential for someone to hack them and cause accidents,” Chaudhry told StrategicRISK. “Issues then arise whether these costs rest with the motor manufacturers or whether they try and pass these costs back down the line to their suppliers.”

Hong Kong-based Chaudhry said that this could create liability risks for the designers of the equipment or the software. “[There could be] some interesting problems in ascertaining whether it’s a defective product or a professional service/design problem,” he said.

Problem ports
The hack was achieved by connecting to computers in a Ford Escape and Toyota Prius through their onboard diagnostics ports, which are designed to be used by mechanics to identify faults. This has prompted both Ford and Toyota to point out that this required a physical presence inside the vehicles, partial disassembly of the instrument panels, and a hard-wired connection, all of which would be obvious to a driver.

Ford’s communications manager, technology, research and innovation, Craig Daitch, said that this particular attack was not performed remotely, but as a “highly aggressive direct physical manipulation of the vehicle over an extended period of time, which would not be a risk to customers”. “The security system on Ford vehicles is unique from other manufacturers and this type of attack could not be performed remotely without direct access to the vehicle,” he said.

Securing systems
The media and external affairs manager at Toyota Australia, Beck Angel, said the company’s focus, and that of the entire automotive industry, was to prevent hacking into a vehicle’s by-wire control system from a remote/wireless device outside of the vehicle. “Toyota has developed very strict and effective firewall technology against such remote and wireless services,” Angel said. “We strenuously test our systems and have a considerable investment in state-of-the-art facilities to subject them to the most severe radio and electro-magnet environments. We believe our electronic-control systems are robust and secure, and we will continue to rigorously test and improve them.”

Nevertheless, Chaudhry advised that care would need to be taken by manufacturers to ensure that the potentially grey areas between defective products or defective design were clearly insured. “Certainly there are insurance programs that can deal with these issues, but the differences need to be understood and structuring cover accordingly is important,” he said.