Fiat Chrysler and Harman International, the maker of the Uconnect dashboard computer, have been slammed with a class-action lawsuit after two security researchers successfully exploited a vulnerability in uConnect to hijack a 2014 Jeep. As reported in The State of Security's July 24th security roundup, researchers Chris Valasek and Charlie Miller last month exploited a vulnerability in Uconnect's cellular connection that allowed them to learn a 2014 jeep's IP address. From there, they were able to move into the car's head unit, which is responsible for the vehicle's entertainment system, and rewrite its firmware so that they could begin sending commands from the car's CAN bus, an internal computer network, to the vehicle's physical components. This access enabled the researchers to turn on the windshield wipers and radio, disable the vehicle's brakes, and remotely drive the car into the ditch.
Since Wired first reported on the hacking demonstration last month, Chrysler has recalled 1.4 million Jeeps to receive emergency software patches for the security vulnerability. The U.S. Senate has also since introduced a bill that would require vehicles to meet certain standards intended to protect them against hacks and safeguard drivers' privacy. Now three Chrysler Jeep owners--Brian Flynn and George and Kelly Brown--have filed a class-action lawsuit against Chrysler and Harman in response to the Uconnect vulnerability. As many as one million participants are eligible to join this particular lawsuit. The three plaintiffs allege in their complaint that Valasek and Miller had alerted Chrysler to certain architectural vulnerabilities of vehicles as early as August of last year. Chrysler allegedly mailed all affected owners a USB with a security update for their vehicles after the researchers' work went public last month. However, the plaintiffs assert that this does not excuse Chrysler and Harman for knowingly selling defective vehicles to customers for several months after they were first made aware of the vulnerability in 2014. Brian Flynn and George and Kelly Brown also insist that Chrysler's patches do not address the underlying issue.
"The Class Vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure Uconnect system through the CAN bus," their complaint reads. "Uconnect should be segregated from these other critical systems. There is no good reason for this current design. The risks associated with coupling these systems far outweigh any conceivable benefit."
No estimates are currently known for the total cost of damages the plaintiffs will seek against Chrysler and Harman. It remains to be seen whether additional class-action lawsuits against the automaker are also forthcoming.