By: Zaq Lacy


[1]        In 2015, a pair of security researchers (read that as ‘hackers’), Chris Valasek and Charlie Miller, conducted an experiment in which they remotely ‘hijacked’ an internet-connected SUV driven by a volunteer.[1] Valasek and Miller gained complete control of the vehicle’s transmission, radio, air conditioning, braking functions, and windshield wipers sprayers, as well as being able to track the vehicle’s exact location.[2] In previous experiments, they also were able to mess with braking functions, horn, seat belt, and steering.[3] However, in these earlier trials, they were directly wired into the vehicle’s onboard diagnostic interface.[4] That was already particularly eerie, but what made the 2015 trial particularly disconcerting was their ability to do it remotely.[5] They were not the first to do so; in 2011, other researchers were able to use cellular connection to locate vehicles via GPS, turn on the lights, and start the car by simply sending files via a telephone call.[6] Valasek and Miller were, however, the first to achieve nearly unlimited control over a vast majority of the systems that modern cars rely upon to function and keep the driver and passengers safe – all from the comfort of their couch.[7] It was this experiment that resulted in 1.4 million vehicles being recalled[8] and was the impetus for legislation regarding digital security standards.[9]

[2]       Scholars estimate that current luxury vehicles have up to seventy Engine Control Units (ECUs), as well as computer control systems that regulate a surprising number of functions we simply take for granted.[10] These are all integrated into the Controller Area Network (CAN), which presents hackers with a potential entry point, granting the hacker access to every system in the vehicle, from the air conditioning and the radio to the air bags and mechanical functions of the engine itself.[11] Fortunately, less than a handful malicious hacking attack are known to have occurred to date, one of which was a disgruntled dealership employee who activated the vehicle immobilization feature in around 100 vehicles, effectively disabling them all.[12] Despite that, deep concerns are being raised about cybersecurity with newer internet-connected cars, particularly where it concerns automated ‘smart’ cars.[13]

[3]       There are certainly varying levels of vehicle autonomy in the market, from features like Lane Keep and Auto Brake that still require a driver, to fully automated self-driving cars.[14] Currently, the main focus of the development of such ‘smart’ cars is ride sharing services, such as Waymo, Uber, and Cruise, rather than the private ownership market.[15] Seeking to appeal to these markets, manufacturers have integrated newer vehicles with heightened multi-layered security that is intended to make remote access more difficult.[16] Even so, this past April, a hacker known as L&M was still able to hack around 27,000 accounts of commercial fleets in India and the Philippines and shut down the engines of vehicles moving less than 12 miles per hour.[17]

[4]       This raises the particularly pointed issue of liability when it concerns driverless vehicles that are hacked when an injury occurs. Traditionally, accident liability falls upon the driver,[18] and it is generally understood that criminal and civil liability arises when a hacker takes control of a vehicle that ultimately injures someone.[19] But, what about when there is no driver and the hacker cannot be located? The question, then, is whether liability should fall to the car manufacturer on the basis of product liability for failing to adequately protect against the possibility of remote tampering, to the software developer similarly for failing to provide sufficient cybersecurity, or to the insurance of the owner/company whose vehicle was hacked.[20] Unfortunately, as fully autonomous cars have not yet gained a significant foothold in the U.S. (rollouts are not expected until 2020),[21] there has not yet been cause to explore the issue, and, to date, we are left with little guidance. With the current framework, however, it seems likely that if/when the first cases arise, a new area of law will need to develop rapidly in order to keep up.

[1] See Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway — With Me in It, (Jul. 21, 2015, 6:00 AM), [].

[2] See id.

[3] See id.

[4] See id.

[5] See id.

[6] See Scott L. Wenzel, Not Even Remotely Liable: Smart Car Hacking Liability, Ill. J.L. Tech. & Pol’y, no. 1, 2017, at 49, 55.

[7] See id. at 54.

[8] See Who Is Liable When Your Car Gets Hacked?, Botto Gilbert Lancaster Att’y at Law: Car Accidents Blog (Oct. 20, 2015)[hereinafter Botto], [].

[9] S. 680, 115th Cong. (2017).

[10] See Wenzel, supra note 5, at 52.

[11] See id. at 53.

[12] See Kevin Poulsen, Hacker Disables More than 100 Cars Remotely, (Mar. 17, 2010, 1:52 PM), [].

[13] See Fredrick Kunkle, Auto Industry Says Cybersecurity Is a Significant Concern as Cars Become More Automated, The Washington Post (Apr. 30, 2019), [].

[14] See Lindsey O’Donnell, Chris Valasek and Charlie Miller: How to Secure Autonomous Vehicles, (Aug. 10, 2018), [].

[15] See id.

[16] See  Kunkle, supra note 13.

[17] See id.

[18] See Christopher Coble, If Your Car Gets Hacked, Are You Liable for a Crash?, (Aug. 24, 2015), [].

[19] See Bradley Thayer, Car Hacking Legislation and Product Liability, Wash. Or. Law. (Sept. 24, 2015), []

[20] Gilbert Shar, Safety, Liability & Hacking of Self-Driving Connected Cars Are Big Worries for Americans, (Oct. 3, 2017), [].

[21] Wayne Cohen & Nicole Schneider, Self-Driving Cars and Liability, HG.Org, [] (last visited May 8, 2019).