Why e-mobility is the ‘Wild West’ of cyber security
While the rapid growth of e-mobility has created new ways of travelling, it also presents cyber criminals with fresh targets to exploit.
Much like any other networked machine, everything across the e-mobility spectrum — from charging points to electric vehicles and e-scooters — can have security vulnerabilities. Since e-mobility is still perceived as a young industry, the level of investment in cyber security for each product varies by individual manufacturer and supplier.
“E-mobility is [still] a bit of a ‘Wild West’ when it comes to cyber security,” says Andy Barratt, UK managing director of Coalfire, a cyber security consultancy. “The most forward-thinking outfits, like electric vehicle manufacturer Rivian, have established dedicated security divisions.”
Most vulnerabilities in modern vehicles can be found around battery management and the main digital interface. Malware on a USB could also attempt to control a specific area of the car, with hackers then aiming to exert even more control, by gaining access to the car’s overall network.
For autonomous cars, the threat is greater as they would be connected to one another, and also to networked roadway systems. “A nation state or serious organised crime group could induce a range of vehicles to crash at high speeds. Attackers wishing to harm critical national infrastructure without direct loss of life could force all traffic to attempt to go through certain areas, creating large localised traffic jams,” says Vic Harkness at F-Secure Consulting, a security consultancy.
The risks with e-mobility vehicles are heightened because cyber security researchers do not have as much experience in dealing with them. “The cyber security industry is quite mature in detecting and stopping threats on things like Windows devices, Macs and Android phones,” says Andrew Tsonchev, director of technology at Darktrace, a cyber security group. “With autonomous cars, there’s quite a worrying opportunity there; they tend to talk to the internet, they’re very complex, there’s lots of ways to compromise them.”
Mr Tsonchev does not believe that e-scooters are as much of a threat as they are only equipped with Bluetooth connectivity rather than Wi-Fi. However, he says they could be used indirectly to launch an attack on something more valuable — perhaps by gaining access to the user’s phone for additional data. An attacker could also request payment before unlocking a connected car or e-scooter, in a form of ransomware.
“The more worrying scenario is someone [launching an attack] mid-operation of these devices — for example, where someone’s car malfunctions and veers off the road because they’re being targeted by a cyber attack — this is a very real risk,” says Mr Tsonchev.
Several experts have called for the introduction of security by design — the concept whereby security is not an afterthought but is baked into products from the outset. “[E-mobility] is new technology and they’re working on iterating on current technology,” says Mark Adams, a former principal security engineer at Lyft. “Security by design is still in its early stages — but you’ll see a lot of those in the autonomous vehicle industry are starting to grow out their security teams, and taking it seriously.”
There are also privacy fears. Rental e-bikes, for instance, have real-time GPS location data, and also require users to log in with information such as their social media account or credit card data. “This is an incredibly dangerous data set for criminals to get their hands on. This is why the wider infrastructure built around these smart devices is also of great concern in terms of how it can be compromised,” he says.
There are many layers to security and multiple points of entry for attackers in these vehicles, making it essential that manufacturers prioritise security and co-operate with each other, says Mr Tsonchev. “If a vendor discovers a vulnerability within one of their systems, a framework should be in place whereby this information can be shared with other vendors,” says Ms Harkness.