Are U.S.’s cybersecurity concerns over Chinese EVs justified?

The Biden administration has raised concerns that Chinese electric vehicles (EVs) could pose national security risks due to the potential misuse of the software these vehicles rely on

Modern electric vehicles (EVs) are technological marvels, combining innovation and convenience. Connected tech allows drivers to personalise their driving experience while ensuring better security through advanced algorithms. But as with all technology, the potential for misuse brings about serious concerns.

EVs increasingly rely on connected technologies to enable features such as Advanced Driver Assistance Systems (ADAS), autopilot, auto-park, geo-fencing, and even charging. However, this heavy reliance on software and its vulnerabilities has drawn attention from U.S. officials, particularly concerning Chinese vehicle imports.

In February 2024, the Biden administration launched an investigation into Chinese connected vehicles, many of which rely on these technologies, warning that they could pose national security risks. These vehicles, the administration pointed out, “collect large amounts of sensitive data on their drivers and passengers and regularly use their cameras and sensors to record detailed information on U.S. infrastructure.”

How strong is the global presence of Chinese EVs?

To understand why the U.S. is considering a potential ban on Chinese connected car technology, consider the current global EV market dynamics.

Compared to American brands like Tesla and Rivian, Chinese EV makers have a lead in the global sales. In 2024, Chinese EV manufacturers are expected to generate a collective revenue of $376.4 billion, while the global market is projected to reach $786.2 billion, according to Statista. Chinese EVs account for around 60% of global EV sales, according to the International Energy Agency.

Major players in the Chinese EV market include names such as BYD (Build Your Dreams), Geely, Xiaomi, NIO, Li Auto, and SAIC Motor. These companies owe much of their success to substantial government support, including tax breaks and subsidies—particularly in the case of BYD.

Is Chinese connected car technology a cause for concern?

One major concern is the lack of robust cybersecurity in the EV software, which poses significant risks. EVs rely on software to manage virtually every aspect of their functioning—from car performance and locking/unlocking systems to collision prevention. While these features enhance driver safety, they also present serious risks if compromised. Hackers could exploit software vulnerabilities to gain control of vehicle systems, potentially causing collisions or immobilising entire fleets.

There is also a dearth of robust legislation around the collection, storage, transmission, and use of data by automakers.

Is there is a threat to user safety?

Poor cybersecurity in EVs makes them easy targets for hackers. Beyond controlling the vehicle, hackers could access sensitive information, including financial data stored on the vehicle’s onboard computer. Furthermore, EVs are often integrated with other smart devices—like smartphones and home systems—through IoT platforms. A breach in one system could lead to a broader compromise, granting hackers access to users’ personal data, home security systems, or even real-time location.

An attack on an EV’s software could allow hackers to move laterally through connected systems. For instance, breaching an EV could potentially expose a user’s local Wi-Fi network or smart home systems, creating a ripple effect of security vulnerabilities.

Is there a threat to critical infrastructure?

EVs are also unique in their connection to power grids for charging, which presents another significant vulnerability. Power grids operate on a delicate balance of energy distribution, and a coordinated cyberattack on EV charging stations could destabilise entire grids. This could cripple energy supplies to major urban centres.

Such attacks are not hypothetical. In 2022, hackers disabled EV charging stations outside Moscow, displaying pro-Ukraine messages in a politically motivated cyberattack. This incident highlighted the potential for nation-state threat actors to target infrastructure by manipulating connected vehicles.

What about attacks by nation states?

Some nation states further exacerbate the problem. Countries like Russia and China are known for their advanced cyber capabilities and motivations. In the case of EVs, nation state actors could exploit software vulnerabilities to infiltrate broader networks, target fleets of vehicles, or compromise critical infrastructure.

A notorious example of nation state cyber activity is the NOBELIUM group, a Russia-linked hacking collective, which executed a supply chain attack by exploiting software vulnerabilities. This attack demonstrated how sophisticated actors could infiltrate tech systems, granting them access to sensitive information by targeting high-profile individuals and companies.

The combination of cybersecurity weaknesses in EVs, coupled with the capabilities of nation-state actors, underscores the significant risks involved in allowing foreign-built connected car technology to operate in critical markets like the U.S. The concerns raised by the Biden administration are far from unfounded—EV software security is a critical issue that requires urgent attention on a global scale.

Published - October 12, 2024 01:29 pm IST