Dan Milmo, Global technology editor

‘Source of data’: are electric cars vulnerable to cyber spies and hackers?

British defence firms have reportedly warned staff not to connect their phones to Chinese-made EVs
  
  

A charging demonstration at the BYD booth at the Shanghai International Automobile Show: closeup of a dark grey SUV with cable plugged in.
Electric cars have myriad ways of generating data that is of interest to hostile states, one expert says. Photograph: Ying Tang/NurPhoto/Rex/Shutterstock

Mobile phones and desktop computers are longstanding targets for cyber spies – but how vulnerable are electric cars?

On Monday the i newspaper claimed that British defence firms working for the UK government have warned staff against connecting or pairing their phones with Chinese-made electric cars, due to fears that Beijing could extract sensitive data from the devices.

Here we look at whether there are problems with electric cars and security.

Could an electric car snoop on you?

Security experts spoken to by the Guardian say electric cars – the most advanced road vehicles on the market – could be exploited by hackers.

Rafe Pilling, the director of threat intelligence at the cybersecurity firm Secureworks, says electric cars have myriad ways of generating data that is of interest to hostile states, given the microphones, cameras and wifi connectivity they contain.

“There are lots of opportunities to collect data and therefore lots of opportunities to compromise a vehicle like that,” he says.

He adds that wifi or cellular connectivity, which allows a manufacturer to update a car’s operating software – known as an “over the air” capability – could allow data to be exfiltrated.

“A modern vehicle that has over the air update capabilities – which is crawling with computers, various radios, Lidar sensors and external cameras – could well be repurposed as a surveillance platform,” he says.

A mobile phone connected to the car, whether via a charging cable or Bluetooth, is another source of data, he says.

Should all car drivers be concerned?

Experts say car owners in sensitive industries or in political and government positions should exercise discretion.

“If you are an engineer who is working on a sixth-generation fighter jet and you have a work phone that you are connecting to your personal vehicle, you need to be aware that by connecting these devices you could be allowing access to data on your mobile,” says Joseph Jarnecki, a research fellow at the Royal United Services Institute thinktank.

Nate Drier, a tech lead at the cybersecurity firm Sophos, says concerned drivers or passengers can click the “don’t trust” option when they connect their phone charger with the car – but they then lose out on all the benefits that ensue, from using music streaming apps to messaging.

“I would assume most people are allowing that connection to happen so they can have all the benefits of the features on that phone,” he says.

Pilling adds that hire car users should take note as well.

“In general, it’s a bad idea to sync your phone or device with a vehicle that isn’t yours, as you can leave copies of contacts and other sensitive data in the car entertainment and navigation system and most people forget to wipe this after they leave a hire car,” he says. 

Why are Chinese vehicles the focus of concern?

China is a major manufacturer of electric vehicles (EVs) through brands including BYD and XPeng. This, allied with the Chinese state’s use of cyber-espionage, makes those cars a source of potential concern. China’s National Intelligence Law of 2017, for instance, states that all organisations and citizens shall “support, assist and cooperate” with national intelligence efforts.

“Chinese law obliges Chinese companies to cooperate with state security, so one has to assume that if a car is capable of spying on you it may be misused to do so,” says Prof Alan Woodward, a computer security expert at the University of Surrey. There is “no evidence” in the public domain to point to use of Chinese vehicles in such a way, he adds.

However, experts also wonder if China would risk causing serious damage to a key export sector such as EVs by making it a vector for intelligence gathering. Mobile phones, smart watches and other wearable devices are more likely targets for espionage.

What does the UK government say?

A government spokesperson would not comment on specific security measures, but said: “Protecting national security is our top priority and we have strict procedures in place to ensure that government sites and information are appropriately protected.”

A more detailed statement was made last month by the defence minister Lord Coaker, who said the Ministry of Defence (MoD) was “working with other government departments to understand and mitigate any potential threats to national security from vehicles”. He said the work related to all types of vehicle and “not just those manufactured in China”.

Referring to an i report that the MoD had banned EVs with Chinese components from sensitive sites and military training bases, he said there were “no centrally mandated policy restrictions on the movement of Chinese manufactured vehicles”.

However, he said individual defence organisations – a reference to public and private entities – may have stricter EV requirements on certain sites.

BYD has been contacted for comment. XPeng said it was “committed to continuously adhering to and complying with the applicable UK and EU privacy laws and regulations”.

The SMMT, the trade body for UK carmakers and traders, told the i: “All manufacturers with cars on sale in the UK must adhere to relevant regulations on data privacy, and EVs are no different.

“The industry is committed to upholding a high level of customer data protection, including proportionate use of data, including apps and paired mobile phones, which can be removed from cars according to individual manufacturer instructions, giving peace of mind to motorists.”

 
