As stated in my Oct. 8, 2024 blog, 144,500 Ford Mavericks were recalled over concerns that the rearview camera display could show a frozen image while backing up. The recalled 2022-2024 model Maverick trucks have "connected touch radios," according to a Sept. 13 recall report submitted to the National Highway Traffic Safety Administration (NHTSA).
In the report, Ford said a frozen rearview camera display image could lead to a "false representation of where the vehicle is relative to its surroundings, increasing the risk of a crash." The automaker linked the potential issue to "improper memory handling" within the connected touch radio software resulting in delayed images being displayed.
Get your subscription to Control's tri-weekly newsletter.
Nov. 14, 2024, NHTSA announced that Ford will have to pay up to $165 million for failing to comply with federal recall requirements, the nation's governmental safety agency for cars and trucks. NHTSA said Ford failed to recall defective rearview cameras in a timely manner and also failed to provide accurate and complete recall information as required under federal law.
NHTSA agreed to a consent order with Ford, which includes a civil penalty of up to $165 million — the second-largest civil penalty issued in agency history after fines related to defective Takata airbags. The agency also required Ford to start a broad look back at all its vehicle recalls over the last three years to make sure the automaker covered the right number of affected cars and trucks and if not, expand the scope of recalls to include more vehicles.
The backup camera systems are control and monitoring systems used for driver needs. Consequently, the frozen back-up camera incidents were control system cyber incidents, as memory issues caused the loss of availability and integrity of the camera systems to provide correct displays of the current conditions. However, NHTSA did not identify these as being cyber incidents.
Even though these incidents were unintentional somewhat akin to the CrowdStrike unintentional cyber incidents, the impact was similar to the Stuxnet man-in-the middle attack used to mislead the operators by replaying “good” rather than actual real-time conditions of the centrifuges in Iran. These, and other types of “subtle” control system cyber issues that do not involve internet protocol networks demonstrate that identifying control system incidents as being cyber-related often is not obvious.
