A cyberattack on a US vehicle breathalyser company has left drivers across the United States stranded and unable to start their vehicles. The company, Intoxalock, says on its website that it is "currently experiencing downtime" after a cyberattack on March 14. The fallout raises uncomfortable questions about how we've built critical safety systems on fragile digital foundations.
Intoxalock sells breathalyser devices that fit into vehicle ignition switches, and is used by people who are required to provide a negative alcohol breath sample to start their car. The company's technology is used in 46 states, its website says, and it claims to provide services to 150,000 drivers every year. These devices are court-mandated for people convicted of drink-driving offences; they're not optional.
Here's what you need to know about how the outage created such a cascading failure. Intoxalock's ignition interlock devices require users to blow clean before starting their vehicles, then demand periodic recalibration every 30 to 120 days via company servers. When the servers went down, vehicles that had not been recently calibrated stopped starting altogether. The devices still worked as breathalysers; what broke was the calibration system that allows cars to start.
Intoxalock says hackers are flooding its servers to stop them from functioning, and that the nationwide outage has affected installations, removals, calibrations and account access. Intoxalock would not say what kind of cyberattack it was experiencing, such as ransomware or if there was a data breach, or whether it had received any communications from the hackers, including any ransom demands. The company says despite the attack, user data is secure, but it did not say if there was a ransom demand.
The impact has been especially severe for people with limited transport options. According to local news reports across Maine, drivers are experiencing lockouts and some have been unable to start their vehicles. One auto shop in Middleboro told WCVB 5 in Boston that it has had cars parked in its lot all week due to the cyberattack. In rural areas without public transport, the crisis is acute.
One Maine resident summed up the problem starkly. "Anybody that's locked out has remained locked out. There's people that haven't been able to drive since Saturday, if that's their only vehicle," he said. Another noted that people in the countryside without public transport options were "totally up the creek" — unable to reach work, medical appointments, or essential services.
Intoxalock has offered partial relief: The company will waive fees tied to the incident and allow a 10-day extension while systems are restored. The company has offered towing reimbursement to drivers who have been stranded as a result of the breach. But Intoxalock did not provide an estimated timeline for its recovery.
From an Australian perspective, this incident should prompt some serious reflection about how we design compliance systems. We're increasingly reliant on cloud-dependent devices for everything from safety tech to vehicle management. When a single company's server infrastructure fails, entire fleets of vehicles become bricks.
The deeper issue isn't Intoxalock's failure to prevent the attack. It's the architectural problem: a mission-critical safety device that's legally mandated should have fallback systems. If calibration can't be verified through normal channels, there should be offline mechanisms or grace periods that don't punish compliant drivers for a vendor's security failure.
As Australia continues to upgrade its vehicle safety infrastructure and implement new compliance systems, we should be asking hard questions about resilience. What happens when cloud services fail? What safeguards protect drivers who are following court orders but can't access the verification systems they depend on? A good safety device keeps people safe. A poorly designed one can trap them.