First a Jeep gets hacked, now the class-action suit

One of the hottest security stories of the year was the (frankly terrifying) demonstration by Charlie Miller and Chris Valasek, where they remotely hijacked a Jeep being driven by a journalist at 70mph down a busy highway.

Wired went public with the story, hours after Miller warned owners of vulnerable Jeeps (and other vulnerable vehicles manufactured by Fiat Chrysler) to download and install a security update for the vulnerable Uconnect access system that the researchers were able to exploit.

Of course, a tweet from a security researcher and a rash of car-hacking headlines wasn’t really the best way for Fiat Chrysler to get car owners to update their vulnerable vehicles, and a few days later they announced a voluntary safety recall of 1.4 million vehicles.

That was last month.

This month, Fiat Chrysler and Uconnect manufacturer Harman International have been hit by a lawsuit accusing them of fraud, negligence, unjust enrichment and breach of warranty.

Three aggrieved Jeep owners – Brian Flynn and George and Kelly Brown – have launched a class-action suit against the companies, alleging that the researchers notified manufacturers of architectural security issues as early as August 2014, but vehicles continued to be sold to unsuspecting drivers.

The plaintiffs acknowledge that no-one has come to any harm because of the security vulnerability, but they believe that they are the victims of fraud because their defective vehicles are now worth less than they imagined.

Part of the complaint reads:

“The [affected] Vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system through the CAN bus. uConnect should be segregated from these other critical systems. There is no good reason for this current design. The risks associated with coupling these systems far outweigh any conceivable benefit.”

We’ll have to wait and see what the outcome of this lawsuit, which was only filed on Tuesday, might be. But one thing is for sure – here is yet another reason to take any vulnerabilities reported to your business by security researchers very seriously indeed.

For more details, check out the article on Wired.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
