First a Jeep gets hacked, now the class-action suit

One of the hottest security stories of the year was the (frankly terrifying) demonstration by Charlie Miller and Chris Valasek, where they remotely hijacked a Jeep being driven by a journalist at 70mph down a busy highway.

Wired went public with the story, hours after Miller warned owners of vulnerable Jeeps (and other vulnerable vehicles manufactured by Fiat Chrysler) to download and install a security update for the vulnerable Uconnect access system that the researchers were able to exploit.


Of course, a tweet from a security researcher and a rash of car-hacking headlines weren’t really the best way for Fiat Chrysler to get car owners to update their vulnerable vehicles, and a few days later they announced a voluntary safety recall of 1.4 million vehicles.


That was last month.

This month, Fiat Chrysler and Uconnect manufacturer Harman International have been hit by a lawsuit accusing them of fraud, negligence, unjust enrichment and breach of warranty.

Three aggrieved Jeep owners – Brian Flynn and George and Kelly Brown – have launched a class-action suit against the companies, alleging that the researchers notified manufacturers of architectural security issues as early as August 2014, but vehicles continued to be sold to unsuspecting drivers.


The plaintiffs acknowledge that no-one has come to any harm because of the security vulnerability, but they believe that they are the victims of fraud because their defective vehicles are now worth less than they imagined.

Part of the complaint reads:

“The [affected] Vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system through the CAN bus. uConnect should be segregated from these other critical systems. There is no good reason for this current design. The risks associated with coupling these systems far outweigh any conceivable benefit.”

We’ll have to wait and see what the outcome of this lawsuit, which was only filed on Tuesday, might be. But one thing is for sure – here is yet another reason to take any vulnerabilities reported to your business by security researchers very seriously indeed.

For more details, check out the article on Wired.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
