Blasting the heat with a remote sensor before you even get into your vehicle on a brisk winter morning is a welcome convenience. So are the comforts of lane assistance, voice command, Bluetooth and Wi-Fi.
But experts warn modern, connected vehicles, which are heavily packed with microchips and sophisticated software, can offer an open door to hackers.
These cars are vulnerable to hackers stealing sensitive information or even manipulating systems such as steering wheels and brakes, said Robert Falzon, head of engineering for Markham, Ont.-based cybersecurity solutions company Checkpoint Canada.
“Cars are tracking how fast you’re going, where you’re going, what your altitude is — and all the different pieces of information are being calculated … It’s all computerized,” he said.
“Unfortunately, security is not always the primary thought when these (features) are developed.”
A global automotive cybersecurity report by Upstream shows remote attacks — which rely on Wi-Fi, Bluetooth and connected networks — have consistently outnumbered physical attacks, accounting for 85 per cent of all breaches between 2010 and 2021.
That proportion grew to 97 per cent of all attacks in 2022, the report said.
There’s a growing concern about privacy breaches among connected cars, experts added.
“Let’s say someone is driving on the highway and the doors get locked, the car speeds up and the (driver) gets a message asking for bitcoin or they’ll crash the vehicle,” said AJ Khan, founder of Vehiqilla Inc., a Windsor, Ont.-based company offering cybersecurity services for fleet cars.
“That scenario is possible right now.”
Khan added any car that can connect to the internet, whether gas-powered or electric, could be at risk of hacking.
But electric vehicles are particularly vulnerable to cybersecurity thefts.
Researchers at Concordia University in Montreal found significant weaknesses in their 2022 study of public and private EV charging stations across Canada — all of them connect to the internet. The study showed breaches could affect drivers, power stations and the power grid they are connected to.
“The reason why there are a lot of vulnerabilities is because vendors and operators are rushing to deploy the infrastructure to meet the demand,” said Chadi Assi, information systems engineering professor and research chair at Concordia University.
“As a result, cybersecurity was an afterthought and it was not part of the design of the infrastructure,” he added.
Assi explained an EV owner usually connects with the charging station through an easily accessible mobile app. But many of these third-party apps had security holes, the Concordia study found.
In 2022, attacks related to automotive application programs accounted for 12 per cent of total incidents, despite advanced cybersecurity, the Upstream report shows. The trend was up by 380 per cent compared with 2021.
One such vulnerability, Assi said, is that the protocol used for communication between the cloud management system — which processes payments, among other important functions — and the charging stations may not be encrypted.
“If you’re making payments (at a charging station), those and any private information you put can be transmitted in plain text,” he said, making sensitive information susceptible to theft.
If a charging station is compromised, Assi said, a customer’s private information could be leaked, such as the time and location of the vehicle. Hackers can also disrupt the charging process and damage the battery — the most expensive part of an electric vehicle.
Electric vehicle charging station-related breaches accounted for four per cent of cyberattacks on connected cars in 2022, the Upstream report said.
“Another critical aspect of cybersecurity in this ecosystem is the power utility itself,” Assi said.
If a hacker synchronizes multiple charging stations and turns the charging of cars on and off, the power grid could be destabilized, he explained.
Assi said these shortcomings were flagged to manufacturers last year.
An August 2021 global standard was established to guide automakers in managing cybersecurity risks, including electronic control units, software and various vulnerable points of attack such as Wi-Fi and Bluetooth.
Manufacturers are working to strengthen cybersecurity in vehicles, Khan said.
But even the cat-and-mouse race to outdo hackers fails when intruders manage to find one weak spot — which may allow them access to other connected vehicles.
“Auto cybersecurity is a very new field,” Khan said, adding the risk will persist with the ever-changing software potentially bringing newer vulnerabilities.
Still, the biggest challenge lies in the lack of awareness among consumers.
Khan said the auto industry is in a transitionary period.
Consumers will take time to adjust from “vehicles which never had connectivity or software to the (modern) vehicles with software that our lives have come to depend on,” he said.
Khan suggested consumers ask car dealerships about the vehicle software and privacy protection from third-party apps.
“When you go to purchase a vehicle, you ask about safety features such as seatbelts and airbags,” he said. “Similarly, ask about cybersecurity which is basically a health and safety issue.”
Another best practice is to be aware of the software used in the vehicle and how it would impact its security if a third-party app is downloaded. Experts suggested drivers should also update vehicle software regularly to avoid cybersecurity attacks.
When selling a vehicle or using a fleet car, customers should be careful when connecting their phones because they may leave remnants of their data behind.
Other best practices include avoiding public Wi-Fi connections and not keeping car keys close to the front door, since thieves can use devices that capture a key fob’s radio signal and extend the range to remotely start and steal vehicles.
Tim Burrows, producer of Canada Talks Electric Cars, has been driving electric vehicles for 10 years and says he never found himself thinking about cybersecurity until lately.
“Now that the software is actually ‘driving the car’, I find myself thinking more often about the potential for bad actors to hack into the network and damage or control the semi-autonomous operation of the vehicle,” he said.
While he is aware that risk exists, it is not something he is deeply concerned about, he said.
“I suspect it might become a higher value ‘target’ for those wishing to cause harm,” Burrows said. “Perhaps my attitude will change when autonomous vehicles go mainstream.”
This report by The Canadian Press was first published Oct. 8, 2023.
Ritika Dubey, The Canadian Press