Electric vehicles act as 'mobile computers' that place data and safety at risk

Mobile computers

Electric vehicles are more than just cars that run on electric batteries instead of gas; today they may be described as computers capable of functioning like cars or, as Sintrones, a supplier of vehicle computing systems, characterized them, mobile computers.

Modern vehicles are intricate machines that can be compared to mobile computers. The majority of modern vehicles possess at least one computer system, with many possessing several. . . . 

McKinsey and Company was more detailed in its description of the “car as computer,” connected to the internet, and capable of optimizing its own operation and maintenance:

Today’s car has the computing power of 20 personal computers, features about 100 million lines of programming code, and processes up to 25 gigabytes of data an hour. Yet while automotive digital technology has traditionally focused on optimizing the vehicle’s internal functions, attention is now turning to developing the car’s ability to connect with the outside world and enhance the in-car experience. This is the connected car—a vehicle able to optimize its own operation and maintenance as well as the convenience and comfort of passengers using onboard sensors and Internet connectivity.

As such, electric cars, like computers, have many inherent vulnerabilities that leave them exploitable by bad actors, even without the drunk and impaired driver “kill switch” mandate coming into effect in the U.S. in 2026. Unlike the computer on your desk, however, if your “mobile computer” is hacked it can put your life, as well as your data, at risk.

Cyber security threats

Boye Tranum and Peter Hellström highlighted cyber security issues unique to electric vehicles in their article published by the UK's Royal United Services Institute (RUSI). Security ramifications, they said, are not fully considered.

From a cyber security perspective, the transition is not one from internal combustion energy to battery electric. It’s one from vehicles with digital extras to fully digitally transformed, fully interconnected vehicles. Dozens of computers and hundreds of sensors operate and optimise brakes, electric flow, charging and many other functions within just one vehicle, always communicating with one another, and connecting via 4G and soon 5G networks to infrastructure, third-party services, and other vehicles.

. . .  the technology and systems being developed and applied don’t always fully consider the security ramifications.

One example would be a control system that ‘sees’ the position of other cars, enabling vehicles to travel in clusters to save energy when they share a travel path. But this means sharing data vividly, and it creates a hefty attack vector. If the data is not anonymised, this could be used to track a person and their behaviour.

"Kill switches" bad for business and the economy

In fact, Tranum and Hellström believe that states and car manufacturers would never install kill switches of their own accord since they would damage the automobile industry and the general economy.

Particularly, the question of a kill switch, in which an attacker could use a back door to shut down a vehicle completely, has recently made headlines. This is possible if a vehicle is connected to the outside world. And once access to one system in a vehicle has been obtained, there is potential to hack into the others.

But looking at this from a risk perspective, what would be the reason for a kill switch or other dramatic hacks on the OT [operational technology] of EVs? States and car manufacturers care about the economy and good business, and if a kill switch was ever used or even discovered, that business and part of the economy would be severely damaged.

They are concerned that purposeful disruption of power grids would be used to disable multiple cars and create havoc, rather than acting to disable a single car. 

From a societal perspective, if an attacker wants to cause widespread disruption, what’s the best way to do this? Is it to shut down individual EVs, or to target wider energy infrastructure, from wind farms to power stations and the grid? If widespread disruption is the attacker’s aim, then energy infrastructure would be their primary target.

They also believe that individuals' data is at risk and could be hacked when they recharge their cars: 

An EV may not even need to be hacked to present a risk. The integrity of data may be the bigger issue. A service station – likely operated by mechanics, not cyber or data specialists – may access systems and download data when servicing a vehicle. There isn’t always transparency about how organisations treat the data, whether it’s the service station, the manufacturer, a component supplier, or an online service provider. 

Supply chain vulnerabilities 

Another issue with electric vehicles, they posit, is that most of the electronics come from a small number of Asian manufacturers, so any vulnerabilities in a product will have a great effect:

EVs today typically use components from a small number of vendors in Southeast Asia, creating the conditions for any vulnerabilities to have a serious domino effect should they be introduced. There are already moves by the US and Europe to bring home supply chains, which could increase the number of local suppliers and somewhat reduce the risk. But we should remember that supply chains based anywhere can introduce vulnerabilities.

Bonanza for hackers; dangerous for everyone else

The video below demonstrates some of the ways the software of an electric vehicle can be penetrated by hackers, enabling the tracking of a vehicle's location, the monitoring of conversations in the car, and overriding the navigation system.

Titled “Back-connect to the Connected Car. Search for Vulnerabilities in the VW Electric Car,” the video shows the presentation made by NavInfo Europe security team members Yuriy Serdyuk and Alexey Kondikov on December 7, 2022 at the Black Hat Europe 2022 conference in London. Serdyuk and Kondikov demonstrated the serious vulnerabilities and security issues they found in the European electric Volkswagen ID3, which can also create problems with other VW models.

Our discovered vulnerabilities and security problems in car architecture are also applicable for such Volkswagen models like ID4, ID5 and affect hundreds of thousands of electric cars on the roads. We will demonstrate how hackers can receive root access in Infotainment and Gateway modules in the cars, install backdoors and what hackers can do remotely with hacked cars.

NavInfo made the full abstract and materials available to the public. Here are a few of the slides:

Note the comment at the bottom of this “main components” slide which explains that the diagram is actually a simplified version of a much more complex reality.

What they found is shocking, as described in the below slide on the car's vulnerabilities.

 

This security risks slide shows that no one and nothing is secure if the car is hacked:

Screenshots from NavInfo's presentation:

The narrator of the video described the results of a hack:

We retrieve the current location, as well as the previous locations from the car. (@28:30).

The researchers next show how they can alter the navigation script with wrong instructions.

With remote access, we can control the voice of the navigation system of the car. (@29:58).

Hackers are also able to obtain data on friends and family, putting them at risk as well.

We show how we retrieve contact information from a mobile device and the car. (@31:00) 

Watch as they demonstrate what they've managed to achieve and how they can remotely access a car's location and record and download what is heard through the car's microphone, change the script of the navigation system, copy all phone contacts from Bluetooth-connected devices, and more.

 

 

Multiple hacking tests have exposed EV vulnerabilities with concerning results

  • Tokyo hackers won multiple cash prizes in a hacking contest for hacking Teslas. 
  • A 19-year-old researcher remotely hacked into more than 25 Teslas and gave the manufacturer time to repair the defects before revealing what he found. 
  • The subtitle of a January 2023 Security Week article revealed that “A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.”

Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches. 

  • Just a month ago, in March 2024, “white-hat” hackers easily carjacked a Tesla. “Security researchers used a $169 Flipper Zero device and a Wi-Fi development board to obtain a driver's credentials, break into a Tesla Model 3 and drive away.” 

In the video below, YouTuber Mysk shows how phishing and social engineering can easily enable a thief to steal a Tesla. Tesla doesn't protect its owners against stolen credentials, according to Mysk, who wrote: 

The major problem with the design is that Tesla only requires an account's email and password as well as being physically near the Tesla vehicle to activate a phone key. With an activated phone key a user, or an attacker, has full control of the vehicle. The flow doesn't require the user to be inside the car or to use another physical factor for authentication, such as a Tesla key card or scanning a QR code that the Tesla's touchscreen displays. 
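The design gap Mysk describes can be modelled as an enrollment policy. The following is an added example, not code from Tesla, Mysk, or the original article: the `Vehicle` class, its method names, and the 60-second code lifetime are all hypothetical. It contrasts a policy that accepts account credentials plus proximity with one that also requires a one-time code shown on the in-car touchscreen.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a touchscreen code stays valid (assumed value)


class Vehicle:
    """Hypothetical vehicle-side phone-key enrollment logic (illustration only)."""

    def __init__(self, require_in_car_factor):
        self.require_in_car_factor = require_in_car_factor
        self._pending = None      # (code, expiry) currently shown on the touchscreen
        self.phone_keys = set()

    def show_challenge(self, now=None):
        """Generate the one-time code the touchscreen would render, e.g. as a QR code."""
        now = time.time() if now is None else now
        code = secrets.token_hex(16)
        self._pending = (code, now + CHALLENGE_TTL)
        return code

    def _challenge_ok(self, code, now):
        # Single use: any attempt consumes the pending code, so it cannot be replayed.
        pending, self._pending = self._pending, None
        if pending is None or code is None:
            return False
        expected, expiry = pending
        return now <= expiry and hmac.compare_digest(code.encode(), expected.encode())

    def enroll_phone_key(self, phone_id, account_ok, nearby, code=None, now=None):
        """Return True if the phone is activated as a key under the configured policy."""
        now = time.time() if now is None else now
        # Factors the quoted flow relies on: account login plus physical proximity.
        if not (account_ok and nearby):
            return False
        # Hardened policy: also prove presence inside the car via the touchscreen code.
        if self.require_in_car_factor and not self._challenge_ok(code, now):
            return False
        self.phone_keys.add(phone_id)
        return True
```

Under the first policy, phished credentials and a position near the car are enough to enroll a key; under the second, the same request fails without a fresh code read from inside the vehicle.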

 

 

Hackers look for credit card numbers and other personal information 

An article by Patrick George for The Atlantic explored reasons why electric vehicles would be hacked. One reason he cited was credit card information: car owners who pay for add-on features, such as heated seats, may be targeted for their credit card details:

The bigger threat, experts told me, is remote software hacks from malicious actors. Each time a car gets a new touchscreen app or subscription feature, it provides a potential way in for hackers who are after your credit-card information, personal data, and more. 

Cars may especially be a target of hacks because of the massive amounts of personal and location data that they now collect. “Cars are the worst product category we have ever reviewed for privacy,” a recent report from the nonprofit Mozilla Foundation concluded. Depending on what exactly gets breached, a car hacker could see where your home or office is or where you go to spend your money, or even have a window into much more personal matters, such as whether you drove to an abortion clinic.

Will mobile computers in the U.S. be more hackable in 2026?

If the above have been vulnerabilities and security concerns until now, how much more will hackers be able to accomplish when all new electric vehicles sold in the U.S. will have to have an open system or at least one back door and technology to disable their operation, in order to comply with the drunk and impaired driver “kill switch” mandate? 
