"On July 21, 2015, Wired Magazine published an article in which security researchers demonstrated the ability to remotely hack into a 2014 Jeep Cherokee while it was driving on a highway in St. Louis,"the lawsuit states. "They were able to gain access to the vehicle through security vulnerabilities in the uConnect system. Once they were 'inside,' the researchers were able to rewrite encoded chips in the uConnect hardware which allowed them to access and issue commands."
The lawsuit is seeking a court order forcing Fiat Chrysler to physically disconnect the uConnect system from the controller area network, or CAN bus network, that links it to the rest of the vehicles electronics. The plaintiffs claim this is the only way to ensure those other systems are protected from hacking. The complaint also names Harmon International Industries, the maker of the infotainment system, as a defendant.
According to the plaintiffs, hackers could even use uConnect to shut down cars while on the highway, both through the 3G network, which cannot be disconnected, and through the radio, a separate hacking risk that is currently under investigation by the National Highway Traffic Safety Administration. That investigation is looking into an estimated 2.8 million additional vehicles with uConnect from other manufacturers on top of the ones Fiat Chrysler recalled.
The lawsuit contends that Fiat Chrysler was aware of the hacking vulnerability almost 18 months prior the recall, and waiting for the recall to be issued constituted a breach of the company' responsibilities under the Transportation Recall Enhancement, Accountability and Documentation Act. Further, that wait means Fiat Chrysler cannot be trusted to expeditiously address vulnerabilities found in the future, the complaint states.
"It' clear the defendant chose to finally update the software only because the flaw was being made public by the security researchers,"the lawsuit states. However, the plaintiffs contend that simply updating the software on affected cars is a complicated process that will not guarantee future safety. Therefore, Fiat Chrysler is liable for fraud for its characterization of the recall as a software issue rather than an inherent vulnerability resulting from the link between uConnect and the other systems, the plaintiffs assert.
"Defendants' claims that this update makes these vehicles safe are untrue,"the plaintiffs contend. "By inaccurately describing the problem, the defendants are perpetrating a fraud on class members and giving them a false sense of security."
In addition to the physical disconnect which the customers want overseen by a court order, their state and federal law claims seek financial reimbursement for every customer affected by the recall for the dollar value effect the vulnerability created in their cars, arguing that in addition to the risk of physical harm, it depreciates the value of their vehicles.
The plaintiffs are represented by Michael Gras and Christopher Cueto of the Law Office of Christopher Cueto Ltd. The case is Flynn et al v. FCA US LLC et al, case number 3:15-cv-00855 in the U.S. District Court for the Southern District of Illinois.