The attack in March on Ferrari’s customer database by hackers who then demanded a ransom from the Italian supercar company is the latest high-profile report of cybercrime carried out against an automaker. It’s a problem that promises to get worse with the growth of EVs and the EV charging networks.
The number of publicly reported automotive cyberattacks is on the rise. Isreali firm Upstream Security says the number of automotive application programming interface attacks jumped 380% in 2022 over 2021. This came despite automakers using advanced cybersecurity protections.
Ferrari told customers after the incident it is not paying the ransom to the hackers. “Due to Ferrari’s reputation as one of the world’s most expensive car manufacturers, cybercriminals find it a great target for stealing personal information about its owners…the potential exposure of a customer contact list presents an opportunity for cyberattackers to launch targeted phishing attacks using customized, malicious emails.”
With the growth of electric vehicles, the charging infrastructure is also gradually becoming a critical component of the transportation system. However, the same technology that allows for seamless charging and monitoring of charging stations, experts warn, also opens up new vulnerabilities for cyberattacks. A successful attack on the developing charging infrastructure could cause widespread disruptions, impacting not only individual vehicle owners but also transportation companies and public transit systems as a whole.
In March 2021, for example, a Ukrainian hacking group successfully gained access to the network of Russia’s largest EV charging network, known as Polyushko Pole. The group claims to have stolen 900GB of data from the network, including financial and passport information, driver’s license numbers and home addresses.
Hackers from Ukraine targeting Moscow in September 2022 infiltrated the Yandex Taxi app and sent several dozen cabs to the same spot at the same time, tying up traffic for three hours. That was a comparatively minor event, but one meant to prove a point to Vladimir Putin’s Russia, creating mischief in retaliation for the invasion of Ukraine.
In 2017, a security researcher accessed BMW ConnectedDrive, which allows drivers to control various functions of their car remotely, including the door locks, heating and cooling systems, and entertainment features.
Electric vehicles are far more software-based than internal-combustion-engine (ICE) vehicles and therefore are even more vulnerable to cyberhacks. Along with the connection between a charger and the vehicle to recharge the battery, the connection is also transmitting huge amounts of data.
Automakers and suppliers are investing more resources in vehicle cybersecurity as there is mounting concern about the issue from both consumers and regulators. Upstream Security has just located a new facility in downtown Ann Arbor, MI, to be closer to both its customers and software engineering talent, says Shira Sarid-Hausirer, vice president of marketing. Upstream has received investment from BMW, Hyundai and Volvo in addition to venture-capital groups, Salesforce.com and others.
EV Charging Networks Are Ripe Targets
According to Upstream, just 4% of the recorded hacking incidents occur on EV charging networks, which may seem small, but not when you consider the actual number of public chargers. In April 2022, the public charging network on the U.K.’s Isle of Wight was hacked so that the charger screens displayed pornographic images. Such a hack is viewed as a training exercise for hackers warming up to do greater mischief.
“There is huge potential for hackers in EV charging networks because of the amount of data that can be accessed if they do it successfully,” says Sarid-Hausirer. “It is possible that a hacker could do great harm to the grid as a whole by infiltrating a charging network.
“You can’t prevent hacking, but you can make it as difficult as possible, and you can design cyberdefenses to minimize the damage,” she says.
Tesla Motors CEO Elon Musk has frequently discussed the importance of cybersecurity in Tesla’s vehicles. The EV maker not only updates cyberdefenses regularly through over-the-air updates, but also offers generous “bug bounties” to hackers who find holes in its cyberdefense.
In December 2022, a “white hat” hacker named Sam Curry uncovered security vulnerabilities in several makes of new cars via their Sirius/XM radios that allowed him to remotely locate, unlock, start, flash and honk the horns of the vehicles. Millions of affected cars were vulnerable before Curry discovered the liabilities and a patch was devised.
The advance of autonomous-driving technology will compound the vulnerability of the vehicle fleet as the percentage of EVs climbs and the era of the software-based car takes off.
A main vulnerability of autonomous-driving technology is the communication system between the car and the outside world. This communication happens through various channels such as Wi-Fi, Bluetooth and cellular networks. Hackers will look for holes in these systems and send malicious commands to a car’s control system, potentially creating massive traffic pile-ups.
Hackers also can exploit weaknesses in the software to gain access to sensitive data stored in the car’s computers, such as GPS data, driving history and personal data. Sensors, cameras and lidar sensors are hackable as well.
Hackable vehicles are definitely on the radar of regulators and anti-terror law enforcement. While global security bodies have made it much more difficult to take over an airplane, the FBI, for one, is concerned that vehicles equipped for autonomous driving can be turned into weapons, as well as being vulnerable to hackers who could cause havoc on highways and busy urban streets.
"One of (the issues with autonomous cars) is the danger that there could be ways to confuse or distort the algorithms to cause physical harm," FBI Director Chris Wray said in January. "I’m thinking about a story I heard not that long ago about the researchers who were able to trick a self-driving car’s algorithm by essentially putting a piece of black tape over a stop sign. It caused the car to accelerate, about 50 miles an hour or something.
"It’s a simple example, but it shows some of the harms we have to guard against," Wray said.
And that’s just using black tape. The breadth of what hackers can do using their laptops and software engineering skills is obviously far greater.