President Biden’s administration has announced a proposed ban on the import and sale of connected vehicles built by companies with a Chinese or Russian nexus. The White House believes that the ban is necessary to defend the country’s security from the potential threats the vehicles pose.
The ban includes popular vehicle connectivity systems (VCS), such as Bluetooth, satellite, cellular, and Wi-Fi modules, as well as automated driving systems (ADS), all of which enable vehicles to drive autonomously. The fear is that these technologies, while convenient for the driver, could also be used for surveillance, sabotage, and disruption of critical infrastructure.
The ban, if passed, would forbid VCS and ADS software imports for 2027 vehicles and hardware imports for 2030 vehicles. However, exemptions may be granted for small-scale producers to limit industry disruption.
Source: Bleeping Computer
Analysis
Given the bevy of malicious actions a threat actor would be capable of if they obtained access to a connected vehicle, it’s no surprise that the U.S. has proposed this ban. A connected vehicle would be an ideal target for threat actors, both from an espionage perspective and for those looking to cause harm to its occupants, other drivers, and property. Furthermore, both Russia and China have demonstrated that they are capable of conducting software supply chain attacks, which could be adapted to vehicle technology with minimal effort.
The list of actions threat actors could take with a compromised connected car is nearly endless. For example, they could eavesdrop on conversations, gain access to geographical information, such as travel patterns, and obtain imagery of sensitive sites the vehicle may have access to from its cameras. Even worse, threat actors could take physical control of the vehicle, potentially harming the occupants or damaging critical infrastructure.
In early 2024, a hacker team participating in the Automotive Pwn2Own competition successfully hacked a Tesla Model 3, which allowed the team to execute arbitrary code within Chrome's renderer sandbox on the vehicle’s infotainment system. From there, the team could potentially escape the sandbox and pivot to compromise other functions of the vehicle as well. Fortunately, Tesla rolled out updates to their vehicles to address this issue shortly after it was discovered.
It's important to remember that state-sponsored cyber actors wouldn’t be the only threat actors interested in compromising connected vehicles. Ransomware actors would likely be highly motivated to target vehicles, as they could potentially disable them and/or threaten to leak sensitive conversations or interactions that may have taken place in the vehicle unless a ransom is paid.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in emerging technologies like connected vehicles.
Field Effect strongly recommends owners of connected vehicles ensure their software is up to date by enabling automatic updates.