Potential vulnerabilities in automotive computer systems fuel fears of liability risks and product recalls


Two US hackers, partially funded by the US government’s Defense Advanced Research Projects Agency, have demonstrated their ability to connect to a car’s computer, and then remotely control the vehicle’s acceleration, braking and steering.

Hackers Charlie Miller and Chris Valasek plan to release their findings at a hacker convention in Las Vegas this week. But the automotive industry is already under pressure to guarantee the safety and integrity of its technology.

Product liability exposure

Ali Chaudhry, managing director of professional and executive risks, Asia, at Jardine Lloyd Thompson (JLT), said automotive manufacturers could face product liability exposures if their vehicles are involved in accidents that cause injury or damage and the vehicles are ultimately found to be defective.

“If the problem does not go as far as causing injury or damage, the cars could be recalled simply because there is potential for someone to hack them and cause accidents,” said Chaudhry.

“Issues then arise whether these costs rest with the motor manufacturers or whether they try and pass these costs back down the line to their suppliers.”

Hong Kong-based Chaudhry said this could create liability risks for the designers of the equipment or software. “[There could be] interesting problems in ascertaining whether it’s a defective product or a professional service/design problem,” he said.

Problem ports

The two hackers managed to connect to computers in a Ford Escape and Toyota Prius using their onboard diagnostics ports, which are designed to be used by mechanics to identify faults.

But Ford and Toyota pointed out that such an attack required a physical presence inside the vehicle, partial disassembly of the instrument panel and a hard-wired connection – all of which would be obvious to a driver.

Ford communications manager, technology, research and innovation, Craig Daitch said the attack had not been performed remotely, but as a “highly aggressive direct physical manipulation of the vehicle over an extended period of time, which would not be a risk to customers”.

“The security system on Ford vehicles is unique. This type of attack could not be performed remotely without direct access to the vehicle,” he said.

Security systems

Toyota spokeswoman Beck Angel said her company’s focus, and that of the entire automotive industry, was to prevent hacking into a vehicle by outside devices.

“Toyota has developed strict and effective firewall technology against such remote and wireless services,” Angel said. “We strenuously test our systems and invest in state-of-the-art facilities to subject them to the most severe radio and electromagnetic environments.”

Nevertheless, Chaudhry advised that manufacturers ensure the grey areas between defective products and defective design are clearly insured.

“Certainly there are insurance programs that can deal with these issues, but the differences need to be understood. Structuring cover accordingly is important,” he said.