Can cars be hacked? Thirty years ago, that question would’ve seemed nonsensical. Today, with computer chips embedded in every electric vehicle (EV) and charging stations storing user data, EV security isn’t guaranteed. All smart devices — from coffee pots to baby monitors — are hackable, and electric vehicle security has emerged as an unsavory but necessary topic in the broader conversation about EVs.
How to Hack an EV
Any car with a computer chip and remote connectivity is potentially hackable. How do threat actors bypass electric vehicle security measures? The leading way cars can be hacked is through connectivity features — like Wi-Fi, cellular networks and Bluetooth — allowing remote control and vehicle communication. Remotely starting a vehicle requires a wireless connection to a car’s critical safety features. If drivers can control a vehicle remotely, so can hackers.
Crucially, a vehicle’s Controller Area Network — which links critical components like brakes and engines — is sometimes accessible through a cellular or satellite connection. Wirelessly connecting all safety systems using the same software means a single exploit could affect countless vehicles simultaneously.
Researchers from cybersecurity firm Kaspersky looked at 69 third-party applications used to control cars and found that 58 percent use vehicle owners’ information without obtaining consent. Unofficial apps put vehicle owners at risk of data breaches that could lead to stolen credit card numbers, home addresses, or other personal information. They could also give hackers access to vehicle systems.
Another way cars can be hacked is through software vulnerabilities. Electric vehicles use complex software systems to control braking, steering, acceleration and other crucial functions. Software vulnerabilities or weak security measures let threat actors take control of the vehicle’s functions.
EVs use telematics systems to provide remote services, collect data and monitor vehicle performance. If these systems are unsecured, hackers can exploit them to gain unauthorized access to a vehicle. Many countries currently have a software developer shortage. In South Korea, a major player in the EV sector, nearly 70 percent of companies have noticed the lack of software professionals and many consider it a top-priority issue. It makes fixing vehicular software flaws that could lead to breaches a lot harder.
Some EVs utilize OTA updates to patch their software, as an alternative to physical recalls. These remote updates offer convenience for drivers and allow for continuous improvements. However, they can also be targets for hackers.
One EV security issue traditional vehicles don’t have is the use of car chargers. The United States currently has around 57,500 public charging stations, and most electric chargers are IoT-connected devices.
Public chargers often require an app or radio frequency identification card, which stores a user’s location data, IP address and other network usage information. Although charging station data doesn’t allow hackers to access the car itself, they can use it to hack electric vehicle owners’ personal accounts. Home car chargers that let users remotely monitor their vehicles using an app can also give hackers access to home internet networks.
The vehicles found to be most vulnerable to hacking, according to a Consumer Watchdog report, include:
- Nissan Rogue
- Chevy Equinox
- Chevy Silverado
- Tesla models
- Honda CRV
- Honda Civic
- Toyota Camry
- Toyota Corolla
- Toyota Rav 4
- Ford F-150
- Dodge Ram 1500
Although not all electric vehicles, these cars and trucks have connectivity features that leave them vulnerable to hacking.
In one hacking contest, a team of researchers accessed a Tesla’s infotainment system and performed actions on the car — such as opening the trunk – from a remote location. Tesla has been working closely with white-hat hackers to improve its electric vehicle security, but the recent contest showed the famous electric car has multiple security vulnerabilities.
How to Improve EV Security
Aside from not using third-party apps that connect to their cars, there are unfortunately few steps EV owners can take to prevent vehicle hacking. Unlike with smartphones or computers, the onus for avoiding hacks rests mainly on manufacturers and charging network companies. Here’s how they can improve EV security.
Firewalls. In addition to a car’s physical firewall — the panel separating the engine from the passenger compartment — IoT-connected vehicles need firewalls embedded in their code. This network security system controls incoming and outgoing network traffic, preventing cyberattacks on critical systems.
Software Updates. Software updates are as important for cars as for computers — perhaps even more because more is at stake. Updates can include new safety features and patch parts of the code that would otherwise be vulnerable to hacking.
Penetration Testing. Car manufacturers use penetration testing to look for security flaws in new and existing vehicles. In one famous demonstration, white-hat pen testers hijacked a Wired writer’s Jeep Cherokee to control the radio, air conditioning, windshield wiper and transmission, causing the SUV to stall on the highway. They disclosed their findings to Chrysler so it could fix the dangerous security loopholes.
Secure Charging Stations. Charging stations in remote areas are more vulnerable to hackers. Facility owners should implement IoT-connected cameras to monitor car chargers. In busy locations, station attendants can keep an eye on things or even recharge people’s cars for them, much like at a traditional gas station.