France 24
Sébastian SEIBT

Trojan cars: Why the US fears Chinese cyberattacks on electric vehicles

The new US ban targets not just cars, but wheeled on-road vehicles including trucks and buses. © iStockphoto, metamorworks, Getty Images

The White House announced a plan this week to ban the sale or import of connected vehicles containing “specific pieces of hardware and software” that could be made in China or Russia, citing national security fears. While the threat of cyberattacks on connected vehicles is very real, the timing of the US announcement is unusual.

US authorities have said they fear that vehicles containing the components, including trucks and buses, could become Trojan horses for Chinese sabotage.

It’s the second announcement targeting electric vehicles in six months from the US government. 

Washington imposed a 100% border tax on electric vehicles from China in May, an action the White House said was aimed at protecting North American jobs from the Chinese automobile industry, which is supported by state subsidies. 

Although the new ban announced on Monday will hit both Moscow and Beijing, the Chinese automobile industry is again the main target. 

China and the US are home to the world’s largest electric vehicle companies. Only a small portion of the targeted hardware and software that “allow for external connectivity and autonomous driving capabilities in connected vehicles” is made in Russia.

Trojan cars? 

If approved by Congress, the new US bans would come into effect in 2027 for software and in 2030 for hardware.

“Malicious access to these systems could allow adversaries to access and collect our most sensitive data and remotely manipulate cars on American roads,” according to a statement from the Department of Commerce.

“Connected vehicles and the technology they use bring new vulnerabilities and threats, especially in the case of vehicles or components developed in the P.R.C. (People’s Republic of China) and other countries of concern,” said Jake Sullivan, US national security adviser, during a press conference on Sunday.

Sullivan made reference to the Chinese hacker group Volt Typhoon, which US intelligence officials said in February had targeted communications, energy, transportation, water and wastewater systems in the United States. 

The risk, according to US intelligence, was that such groups could insert dormant code into critical networks that could then be activated to remotely sabotage infrastructure if tensions were to rise between the US and China.

Connected vehicles use a relatively new infrastructure network, but “the risk of connected cars being the target of hacks has been known of for about 10 years”, says Jean-Christophe Vitu, vice president of engineering solutions for CyberArk, a US cybersecurity firm.

Data, sabotage

But so far, most examples of vehicles being hacked do not indicate they are tools of international espionage. “For the moment, we essentially have cases of hacking in order to bypass vehicles’ security systems in order to steal them,” Vitu says.

But the danger is not just theoretical. “There have been demonstrations of connected vehicles being controlled remotely,” says Sébastien Viou, director of cybersecurity for French company Stormshield.

Connected vehicles also offer multiple entry points for hackers – largely via the software targeted by the latest US ban. 

“Every connected vehicle has, for example, a modem or a SIM card that has not been made by the company that constructed the vehicle that allows it to connect to a network and transmit data to servers,” says Matthieu Dierick, an expert in cybersecurity at F5, a US security company.

Vulnerability at this level could allow a hacker to intercept the data being transmitted.

A cyberspy could also target “the multiplexer, which is a kind of control tower for using the vehicle's electronic and connected interfaces, such as GPS or radio”, adds Vitu.

Vitu also points out that “the amount of personal data collected by these vehicles and their manufacturers is enormous”.

Gaining access could reveal, for example, the exact road route being taken by a high-profile individual if they received a call while in transit and the driver was using equipment such as a hands-free kit.

Compromised connected vehicles can also be manipulated physically.

Although this is not yet known to have happened outside of demonstrations at cybersecurity conferences, Viou says, “a connected car can be sabotaged in order to force it to stop, for example”, or to force “remote shutdown of the assisted driving system or vehicle acceleration”.

A question of control

There are currently very few connected vehicles with Chinese-made parts in North America, and hacking a connected vehicle requires the skills of an advanced cybercriminal. 

“If you are targeting a specific vehicle, it could be necessary to do preliminary intelligence-gathering to work out which brand made the different pieces of software that you want to activate or stop remotely,” says Dierick.

Although the current threat in the US may be small, “it is not too early to take an interest,” Dierick adds. “With all the current geopolitical tensions, it’s a question of digital control. It is essential to have complete control over all software in use and trust in the companies that manufactured it and [setting that up] could take time.”

But removing all elements of risk from connected vehicles on US soil would mean “putting in place a production chain using only software made in North America or Europe”, says Dierick. 

The White House press release says it aims to impose the ban on high-risk software and hardware components made in China by 2030.

Yet the focus on connected vehicles seems narrow if the US aims to eradicate the potential for a large-scale cyberattack. “The risk of vulnerability to a remote attack exists, whatever the origin of the software,” Viou says.

Just because part of an electric car is made by Huawei in China rather than by a company in the West does not mean it is more or less susceptible to hacking attempts by Chinese or Russian cybercriminals.

Realistically, controlling the production chain “is, above all, a way to reduce the risk of introducing a ‘backdoor’ into connected vehicles”, Viou says, a reference to a covert method of bypassing the normal authentication or encryption that is often used to secure remote access.

Even so, is it possible to ensure that there are no components made in China in any connected vehicle? Within complex supply chains, isn’t it feasible that a subcontractor might assemble part of a spare part in a Guangdong car factory? “It's very difficult to be sure,” Vitu says.

Ultimately, “the connected car is possibly not the top priority when it comes to closing the digital doors through which Chinese spies can enter. There are, for example, more cell phones with Chinese components in circulation,” says Dierick.

The new US ban could also be a way “to give an advantage to American manufacturers of electronic components”, Viou said, “especially after the Chips and Science Act” – a 2022 Biden administration initiative aimed at boosting US manufacturing of new technologies.

With just over a month to go before the US presidential election, the ban is also perhaps a moment of political opportunism, a gesture to illustrate that the Democratic Party is not cowed by Chinese power. 

China, in turn, said on Tuesday that it “firmly opposes” the US ban, stating that it “violates the principles of market economy and fair competition, and is a typical protectionist act”. 

This article was adapted from the original in French.
