A class-action lawsuit claiming Fiat-Chrysler knew about, but failed to fix, significant cybersecurity holes in its cars will go to trial in America later this year.
This week, the US Supreme Court refused to hear [PDF] the company's appeal to a lawsuit that was filed after security researchers revealed, back in 2015, they were able to take over a Jeep's operation because of clumsy coding in its entertainment software.
Since then the lawsuit has been rumbling through the law courts with the plaintiffs arguing Fiat-Chrysler knew about the problem for three years and failed to fix it, and the car company claiming that since none of the car owners were directly impacted by the hole that they have no right to sue.
The Jeep owners claim that they would never have bought the cars in the first place if they had known about the security risks, and claim that the cars' resale value has been significantly impacted as a result of the saga. They are seeking $50,000 per car impacted.
The case is a little unusual in that Fiat-Chrysler patched the security hole soon after it was revealed by security researchers. Chris Valasek and Charlie Miller had found they could wirelessly snatch control of engine management systems in some cars by exploiting a security hole in Fiat-Chrysler's uConnect software which connects vehicles and their internal Wi-Fi to the public internet via the cellular network, allowing people to go online while on the move.
That ability was dramatically demonstrated by the researchers when they put a tech reporter in a Jeep and then took over his car while he was driving it. The subsequent article in Wired magazine woke up millions of car owners to the potential risk that comes with modern network-connected car and resulted in Chrysler recalling 1.4 million vehicles to upgrade their software and fix the hole.
The lawsuit, filed against the US subsidiary of Fiat-Chrysler and the manufacturer of the uConnect software, followed shortly after and is being carefully watched as it could open up companies to liability for failing to secure their products, even if no customers are directly affected.
A year later, the same researchers found a way around the software update but it required physical access to the car and so consumers were less freaked out.
Since then, however, Fiat-Chrysler has repeatedly been caught up in further embarrassing cybersecurity incidents. It recalled a further 8,000 SUVs in September 2015 thanks to the software flaw and in May last year recalled an extraordinary 4.8 million vehicles in the US to fix a software bug that could lock the vehicle's cruise control. It was also investigated by the Department of Justice for different software – this time designed to cheat on emissions tests.
In short, it's not been a good few years for Fiat-Chrysler when it comes to cyber security and this week's decision by the Supreme Court not to hear its appeal is only going to add to those woes.
If the case does move forward to trial - it was due to start in March but has been moved back to October over scheduling issues - we are likely to hear much more details over what exactly the car manufacturer knew and did not know about the safety of its vehicles and what it did in response.
The two researchers who identified the original issue told reporters at Black Hat that they told the car company about the security situation but heard little back. It was only when they announced plans to give a talk on the topic that the auto maker got into gear on the issue.
Based on events so far, those details could prove extremely embarrassing for a company that expects people to trust that their hurtling metal boxes are a wonderful form of personal transport rather than a death trap waiting for a hacker.
Fiat Chrysler said it looked forward to presenting its case. "None of the more than 200,000 class members in this lawsuit have ever had their vehicles hacked, and the federal safety regulators at NHTSA have determined that FCA US has fully corrected the issues raised by the plaintiffs," it said in a statement. ®