As long as there have been cars, there have been risks associated with getting behind the wheel. As technology has evolved however, so too have the risks. Modern dangers go well beyond the physical perils a driver may encounter in their travels; hacking and other cybersecurity threats are real and pose a growing concern for owners and manufacturers of connected vehicles, EVs among them.

In spite of these risks, new vehicles rolling off the assembly line feature more connected devices and services than ever before, providing a potential platform for bad actors to exploit vulnerabilities and hijack data. How, then, can the industry reconcile the growing use of connected systems while simultaneously mitigating their exposure? In this article, we’ll explore the potential cybersecurity risks related to connected vehicles and what automakers are doing to keep them safe.

Electric Vehicles and Cyber Threats

Of all the various systems connected to the Internet, of all the millions of connected computers and systems the world over, what possible reason could a bad actor have in targeting a connected vehicle? A well guarded person may be able to come up with a few reasons, but there are some less obvious reasons why a criminal would seek out a connected EV that may elude the layperson.

Perhaps the most obvious reason for a bad actor to target a connected vehicle, is to take remote control of the vehicle itself. It should come as no surprise that if a determined and skilled individual were to successfully take control of a vehicle, they could wreak all kinds of havoc. Though such an attack is perhaps not likely to happen with any statistical relevance, researchers have demonstrated that such an attack, which could give the assailant control of a vehicle's acceleration, braking, and steering controls,  is indeed possible, thanks in part to a vulnerability that is exploited in a cellular system. This exploit allows access to the vehicle’s infotainment system -  the graphical interface found in most modern vehicles. Among other things, the infotainment system presents maintenance data to the user such as oil levels and tire pressure, data that is gathered from the vehicle’s various electronic control units (ECUs) courtesy of the Control Area Network.

A bad actor may wish to use a vehicle to create a safety hazard, either for the vehicle’s occupants, or for the general public, causing disruptions to traffic or property damage. These hazards may be the result of an “indirect” attack such as a sudden and drastic increase in the volume of the radio or distracting the driver with a barrage of warnings that display on the infotainment system itself.  Attacks may also occur in a more direct fashion, such as altering the position of the steering wheel while the vehicle is in motion.

A bad actor may target a vehicle in order to surveil the occupants, tracking their movements and habits. A driver’s contact list can be accessed and stolen, and the on-board microphones (used for issuing voice commands or making phone calls) can be exploited to listen in on personal conversations. This information can subsequently be used to harass, blackmail, or harm the vehicle’s owner.

Lastly, a bad actor may actively target autonomous vehicles that they can exploit in order to transfer illicit goods, making such activities much less risky for the perpetrator. As more and more connected vehicles are sold, it increases the reliance on digital technologies thereby creating additional points of entry for malicious activities.

Charging stations themselves can become gateways for bad actors. Hackers could very well choose to install malicious software on charging stations that could then be transferred to any number of vehicles. In some cases, vehicles themselves may not even be the primary target for the malware; instead, criminals may choose to configure their malicious software to attack the Electric Vehicle Supply Equipment, putting into jeopardy the charging station network or causing widespread disruptions.    

How are Automakers Adapting to Comply with Evolving Standards?

When taken on its own, the information above does not paint a pretty picture for the automotive industry as a whole. Fortunately, said industry has not been idle in the face of these cyber security challenges. For example, automakers are constantly defining new processes and adopting new technologies to stay one step ahead of those who would look to exploit a vehicle’s vulnerabilities. 
Trusted organizations like the International Standards Organization (ISO) and SAE International have put together a collaborative standard related to automotive cybersecurity engineering that properly lays out the process for integrating robust cybersecurity measures into a vehicle’s design.

In Europe, manufacturers are mandated to obtain a certificate of compliance for the cybersecurity management system, a direct result of the cybersecurity regulations enacted by the United Nations Economic Commission for Europe.

Though connected vehicles often rely on over-the-air software updates to update and patch a vehicle’s software, automakers make this process safe by leveraging features like a secure boot, a security mechanism that verifies the integrity and authenticity of software before it is executed. Many automakers, like Ford, make it a point to address the cybersecurity concerns of their customers  right on their website, touting built-in firewalls, the use of cryptology solutions to prohibit unauthorized access, and “code signed” updates. Threat modeling is also used to review the system for potential security vulnerabilities.

Instilling Consumer Trust

As with any new or emerging technologies, consumer trust is vital to the continued growth of the electric vehicle market. When faced with a new product, it doesn’t take long for people to identify and fixate on any issues that could be perceived as a risk to themselves, their loved ones, or their property.

To ensure consumers have trust in the safety and reliability of electric and connected vehicles, automakers must strive to not only adhere to the established cybersecurity standards, but also commit to self-evaluating their systems to identify and patch vulnerabilities before they can be exploited,, research and establish new methodologies and processes to ensure cybersecurity remains a core consideration of any new feature or vehicle, and investing in the development of new secure technologies. This approach will not only ensure that consumer confidence remains high, it will also ensure that connected vehicles will never succumb to widespread malfeasance.

Threats Persist, But Progress in Cybersecurity will Prevail

While hackers and other bad actors will always present a  risk to connected vehicles and systems, the auto industry is committed to developing new methods and technologies to thwart any unauthorized attempt to access a vehicle’s data or the seizure of its controls. In some respects, the world is a dangerous place. With that being said, there are many opportunities out there for individuals with the right skill sets to right the intended wrongs of hackers and other criminals.

If you’re interested in learning more about EVs and how to properly service and maintain them, speak to a Program Consultant about enrolling into George Brown College’s EV Technician Program.