Last month’s Jeep hacking scandal has already been followed by a 1.4 million vehicle recall and a well-timed Senate bill. Now Chrysler faces that other inevitable punishment: a potentially massive lawsuit.
On Tuesday three Jeep Cherokee owners filed a complaint against both Fiat Chrysler Automobiles and Harman International, the maker of the Uconnect dashboard computer in millions of Chrysler vehicles. A security flaw in that cellular-connected computer served as the entry point for security researchers Chris Valasek and Charlie Miller when they showed WIRED last month that they could wirelessly hack into a 2014 Jeep over the internet to hijack its steering, brakes and transmission. Now the small group of plaintiffs is hoping to invite anyone with those vulnerable Uconnect systems in their car or truck to join them in their litigation. If their complaint is certified by a court as a class action, the broad spectrum of affected Chrysler vehicles means it could snowball into a case with more than a million potential plaintiffs.
In their complaint against the two companies, plaintiffs Brian Flynn and George and Kelly Brown accuse Chrysler and Harman of fraud, negligence, unjust enrichment and breach of warranty. They point out that Valasek and Miller alerted Chrysler to their findings of architectural vulnerabilities in Jeep Cherokees in a paper in early 2014 that mentioned connections between the Jeep’s Internet-enabled entertainment system and its CAN Bus, the network that controls critical driving features like steering and brakes. Those connections, the plaintiffs argue, represent a serious defect in vehicles Chrysler and Harman knowingly sold to customers. “The [affected] Vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system through the CAN bus,” their complaint reads. “uConnect should be segregated from these other critical systems. There is no good reason for this current design. The risks associated with coupling these systems far outweigh any conceivable benefit.”
In a follow-up email, the plaintiffs’ attorney Michael Gras emphasized that the suit also seeks an injunction against the companies that would force Chrysler to stage another recall to address those architectural security claims. “There is no good reason for the same vehicle system that runs Pandora to have the capability to talk to the brakes,” Gras writes. “This is the real defect with these vehicles. Our goal with this lawsuit is to force Chrysler and Harman to conduct a proper recall where the actual issue is addressed.”
When Miller and Valasek demonstrated their full Jeep hack to WIRED last month, their attack began by exploiting a different, distinct security vulnerability in the Jeep’s Uconnect, one that also existed in 1.4 million other Chrysler vehicles ranging from Jeeps to Dodge Rams to Vipers to Chargers. Since early 2015, Miller and Valasek had worked with Chrysler to help it develop a software patch for that Uconnect issue, and the company quietly released it a week before WIRED’s story. Following the public revelation of their work, the National Highway Traffic and Safety Administration pressured Chrysler to stage an official recall, mailing a USB drive with a Uconnect security update to all affected vehicle owners.
But Tuesday’s filed lawsuit argues that neither Chrysler’s patch nor its recall solves the underlying problem: That Chrysler vehicles remain defective due to their more fundamental architectural vulnerabilities. “As long as the uConnect system is physically connected to the vehicles’ CAN bus, the potential for vulnerability exists,” the complaint reads. “The overarching defect is a design and system architecture problem in that non-secured systems are coupled with essential engine and safety controls. This is not a software issue.”
The lawsuit doesn’t go so far as claiming that anyone has actually suffered bodily or property harm as a result of Chrysler’s and Harman’s alleged defect. Rather, it argues that the plaintiffs suffered from fraud because their defective vehicles are worth less than they believed. “A vehicle purchased, leased, or retained under the reasonable assumption that it is safe is worth more than a vehicle known to be subject to the unreasonable risk of catastrophic accident because of defects,” the complaint states, adding that “plaintiffs and Class members are subjected to a continuing increased risk of severe injury or death but for the Defendants’ failure to disclose or remedy the defect.”
The plaintiffs’ attorney Gras declined to estimate the total damages the lawsuit might seek against the two corporate defendants. “It’s way too early to have any idea what kind of damages the class has suffered,” he wrote to WIRED in an email. “Right now we’re just focusing on trying to make these vehicles safe.”
Harman didn’t respond to WIRED’s request for comment, and a Chrysler spokesperson declined to comment on the complaint.
The three Jeep owners in the Illinois lawsuit appear to be the first to sue Chrysler and Harman over their Uconnect cybersecurity scandal. But with so many potentially affected Chrysler customers, there may yet be other, separate class actions launched against the automaker.
Chrysler isn’t the first car company to face such a class action over alleged cybersecurity defects. GM, Ford, and Toyota were all hit with a similar lawsuit in March of this year, based in part on earlier car hacking research by Valasek and Miller. As more revelations of connected cars’ vulnerabilities appear, this car hacking class action likely won’t be the last, either.