Electric vehicles (EVs) have rapidly digitized over the last decade, morphing into a complex web of software and hardware. The array of new technology under the hood spans lidar sensors, radars, driver assistance systems, and in-vehicle networks. The average EV now runs 150 embedded electrical control units and 100 million lines of code.
These innovations are being integrated to improve vehicle performance and increase driver safety. However, while physical safety has benefitted, connected cars present many emerging security-related threats. As a result, cybersecurity is one of the top concerns of automotive manufacturers. Cyberattacks hit their bottom line directly, resulting in $2 billion in system downtime costs in the first half of 2023 alone.
Software introduces new threat vectors
As EVs become more intelligent and additional software is embedded, their attack surface grows, giving cybercriminals more vulnerabilities to exploit.
In 2023, researchers identified numerous security weak spots that impacted 16 automakers. The flaws affected 20 different API endpoints, and if hackers had exploited them, they could have taken control of the vehicles, tracked locations, and accessed systems containing personally identifiable information (PII) of employees and customers.
Let’s explore some critical vulnerabilities that cybercriminals may target as EVs become increasingly connected and autonomous.
1. Over-the-Air (OTA) updates and malware-infected apps: Wireless code updates, often done via Wi-Fi and cellular connections, can introduce vulnerabilities that hackers use to insert malware into vehicle software. They may inject malicious code, modify vehicle firmware, or potentially alter system functionality. As a result, over-the-air (OTA) updates should be secured with end-to-end encryption, authentication, and verification protocols.
2. Networked attacks: Networked attacks exploit wireless networks, backend networks, and vehicle-to-everything (V2X) communications. If successful, this tactic can impact electric car systems and disrupt traffic. Securing messages transmitted by V2X communication channels remains a critical problem for the EV and the broader automotive industry.
3. Connectivity and control systems: By intercepting and altering signals, bad actors can take over the EV’s controller area network. If successful, hackers can affect braking and powertrain components, potentially causing sudden stops or acceleration.
4. Infotainment systems: Infotainment systems in cars connect to the internet and other devices via Bluetooth, cellular, USB, and Wi-Fi, creating potential entry points for bad actors. These systems contain personal information such as credit card details and location data, making them attractive targets for cybercriminals. Automakers can mitigate this risk by implementing strict access controls, deploying secure communication protocols, and using software and firmware updates to patch vulnerabilities.
5. Charging infrastructure: EV chargers are ripe targets for adversaries to install malware that can compromise a car’s safety and functionality. Hackers can tap into these public systems remotely or physically. In addition, EV supply equipment may be susceptible to malware attacks, threatening the integrity of the charging infrastructure and causing widespread disruptions in the power distribution system. Once a charger is compromised, bad actors can alter charging speeds, disrupt availability, or switch between alternating and direct currents.
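To make the authentication and verification step from item 1 concrete, here is an added example (not from the original article or any automaker's code) of the checks a vehicle-side updater can run before installing an OTA image. The manifest fields, the demo key, and the use of HMAC-SHA256 as a stand-in for an asymmetric signature are all assumptions made so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a production updater would instead verify
# an asymmetric signature against a public key held in protected storage.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def sign_manifest(manifest: dict, key: bytes) -> str:
    """Backend side: MAC over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_update(manifest, tag, image, installed_version, key):
    """Vehicle side: return (ok, reason). Checks run in order and fail closed."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    if manifest["version"] <= installed_version:
        return False, "rollback or replay of an older version"
    if len(image) != manifest["size"]:
        return False, "image size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image digest mismatch"
    return True, "ok"

def demo():
    """Run the verifier over a constructed image and three bad variants."""
    image = b"\x7fFIRMWARE-constructed-sample" * 4
    manifest = {
        "ecu": "demo-ecu", "version": 7, "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    tag = sign_manifest(manifest, DEMO_KEY)
    forged = dict(manifest, version=9)  # manifest edited after signing
    return {
        "genuine": verify_update(manifest, tag, image, 6, DEMO_KEY),
        "tampered_image": verify_update(manifest, tag, image[:-1] + b"X", 6, DEMO_KEY),
        "edited_manifest": verify_update(forged, tag, image, 6, DEMO_KEY),
        "rollback": verify_update(manifest, tag, image, 7, DEMO_KEY),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The manifest is authenticated before any of its fields are trusted, and the version comparison rejects a validly signed but older image, which an integrity check alone would accept.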
Prioritizing cybersecurity
Each point of connectivity is now a pathway hackers are eager to exploit. However, despite widespread awareness of the risks, security is not a focus for EV manufacturers at the start of the vehicle design cycle.
Automakers must rethink this approach and identify and address vulnerabilities as early as possible. Every element requires testing, from sensors to software to telematics to charging infrastructure, to avoid costly delays and mitigate the risk of a successful cyberattack.
Once a vehicle is on the road, security testing can’t grind to a halt either. Every software or system update requires the same rigorous evaluation to ensure it doesn’t introduce vulnerabilities. For example, each app must be tested before being integrated into a vehicle’s software system, and embedded firewalls should be integrated with firmware to provide reliable end-to-end encryption.
EV manufacturers must prioritize security and collaborate with all stakeholders to rigorously test for security vulnerabilities to ensure a safe driving experience. This will ensure that the technology transformation within the EV industry doesn’t provide an entry ramp for hackers to glide through and exploit.