Cybersecurity Risks with Automated Electric Vehicles: Report
As more electric, automated and connected vehicles hit global roads in the coming years, a new report from Deloitte Canada details how cybersecurity risks could emerge for Canadian drivers.
The report outlines how the development and implementation of cybersecurity measures should be applied to advanced transportation technologies, which are becoming increasingly capable of storing personal information about drivers and passengers, and being controlled and accessed by remote devices.
“Modern vehicles are supercomputers on wheels,” Stephen Maegher, director of cyber and strategic risk at Deloitte, said in a phone interview with CTVNews.ca on Wednesday.
“There are hundreds, if not thousands, of parts manufacturer developers – from small chipmakers and firmware development to control units and mobile apps that can connect to vehicles,” he explained.
Maegher said scalable, multifaceted technology ultimately increases what’s known as “the attack surface.” This is described as systematic vulnerabilities or cybersecurity flaws that increase the likelihood of a device being compromised.
For example, “vehicles are now equipped with mobile apps – whether for direct vehicle control and access or multi-vehicle control,” he said.
This mobile access, he explained, can introduce risks far beyond data privacy breaches.
The report identifies an incident last year when 25 automated vehicles belonging to a transport company were hacked and accessed remotely.
“The teenage hacker was able to determine the exact location of each vehicle, whether it was occupied by a driver and, most importantly, execute commands remotely,” the report explains.
Other cyber risks identified in Deloitte’s report include GPS tracking and harassment, targeted malware, and controlling vehicle acceleration and braking.
With vast advances in automated transport technology, the report warns that hackers could become more capable of operating cars remotely.
According to the report, in 2021, 84% of cyberattacks against vehicles were carried out remotely. More than 50% of “never reported” automotive cybersecurity incidents have occurred in the past two years, according to company research.
Deloitte’s report also states that “the increase in automotive cyber incidents is expected to continue to grow.”
The reason cited for this growth is the increasing fusion of hardware and software components. “In many cases, the responsibility may lie with multiple stakeholders within the automotive supply chain,” it read.
Maegher suggests that a shared responsibility of all parts manufacturers is needed to mitigate cybersecurity risks.
“Our approach to this is that whether you are a fleet owner, manufacturer or government [determining the] data privacy regulation in a country, it is the responsibility of all those parties to make sure that overall we have a good cybersecurity posture to drive that market forward,” Maegher said.
Maegher said vehicle manufacturers, fleet owners and municipal jurisdictions need to start thinking about how they can better keep their drivers safe, namely by better understanding each individual part that makes up a vehicle and collectively assessing the risk each part presents.
“Because they are not inherently part of the normal automotive supply chain infrastructure, there have been several gaps in the security and development of these apps,” he said. “We have to make sure that the multiple components of a vehicle are secure in relation to each other,” he said.
LEGAL FIELD OF CYBERSECURITY
Some of that “shared responsibility” may eventually lie with cybersecurity legislation, said Helene Deschamps Marquis, partner and national data privacy and cybersecurity leader at Deloitte Legal Canada. However, no such law currently applies to automated vehicles.
Some preventative measures, she said, can show the way.
Marquis, who specializes in cybersecurity breaches and privacy laws, spoke to CTVNews.ca in a phone interview on Wednesday about a philosophy called “Privacy by Design” – an approach to technology legislation that promotes the integration of privacy design and cybersecurity measures into the architecture of IT systems and business practices. The approach differs from adding ambiguous consent options that can easily be ignored by a user.
In June of this year, the Digital Charter Implementation Act, 2022 (Bill C-27) was introduced by the federal government of Canada, committing (if passed) to enforce “privacy by design” measures, which would be maintained under automation and artificial intelligence technology industries.
“These measures,” Marquis said, “would extend to transportation.”
But when it comes to automakers, “privacy by design” will also depend on the type of information collected, she explained. This information is what expands the “attack surface” of a vehicle.
“The reality of these autonomous vehicles is not yet clear. It is unclear how they will use the data. It is unclear how they will use the AI [to collect it].”
Future legislation, she explained, “will depend on how [the technology] develops, and how each manufacturer deals with [the risks].”
At the end of the phone interview, Marquis emphasized that human error is not the real threat here.
“AI should be ethical,” she said. “And we need to know how it makes decisions.”