Skip to content
Join our Newsletter

Connected vehicles can be at risk of hacking, consumer awareness paramount: experts

TORONTO — Blasting the heat with a remote sensor before you even get into your vehicle on a brisk winter morning is a welcome convenience. So are the comforts of lane assistance, voice command, Bluetooth and Wi-Fi.
Experts warn modern, connected vehicles, which are heavily packed with microchips and sophisticated software, offer an open door to hackers. Nissan Motor Co. General Manager Tetsuya Iijima gets his hands off of the steering wheel of a self-driving prototype vehicle during a test drive in Tokyo, Tuesday, Nov. 3, 2015. THE CANADIAN PRESS/AP-Eugene Hoshiko

TORONTO — Blasting the heat with a remote sensor before you even get into your vehicle on a brisk winter morning is a welcome convenience. So are the comforts of lane assistance, voice command, Bluetooth and Wi-Fi.

But experts warn modern, connected vehicles, which are heavily packed with microchips and sophisticated software, can offer an open door to hackers.

These cars are vulnerable to hackers stealing sensitive information or even manipulating systems such as steering wheels and brakes, said Robert Falzon, head of engineering at cybersecurity solutions company Check Point in Canada.

"Cars are tracking how fast you're going, where you're going, what your altitude is — and all the different pieces of information are being calculated ... It's all computerized," he said.

"Unfortunately, security is not always the primary thought when these (features) are developed."

A global automotive cybersecurity report by Upstream shows remote attacks -- which rely on Wi-Fi, Bluetooth and connected networks -- have consistently outnumbered physical attacks, accounting for 85 per cent of all breaches between 2010 and 2021.

That proportion grew to 97 per cent of all attacks in 2022, the report said.

There's a growing concern about privacy breaches among connected cars, experts added.

"Let's say someone is driving on the highway and the doors get locked, the car speeds up and the (driver) gets a message asking for bitcoin or they'll crash the vehicle," said AJ Khan, founder of Vehiqilla Inc., a Windsor, Ont.-based company offering cybersecurity services for fleet cars.

"That scenario is possible right now."

Khan added any car that can connect to the internet, whether gas-powered or electric, could be at risk of hacking.

But electric vehicles are particularly vulnerable to cybersecurity thefts.

Researchers at Concordia University in Montreal found significant weaknesses in their 2022 study of public and private EV charging stations across Canada — all of them connect to the internet. The study showed breaches could affect drivers, power stations and the power grid they are connected to.

"The reason why there are a lot of vulnerabilities is because vendors and operators are rushing to deploy the infrastructure to meet the demand," said Chadi Assi, information systems engineering professor and research chair at Concordia University.

"As a result, cybersecurity was an afterthought and it was not part of the design of the infrastructure," he added.

Assi explained an EV owner usually connects with the charging station through an easily accessible mobile app. But many of these third-party apps had security holes, the Concordia study found.

In 2022, the number of automotive application programs-related attacks accounted for 12 per cent of total incidents, despite advanced cybersecurity, the Upstream report shows. The trend was up by 380 per cent compared with 2021.

One such vulnerability, Assi said, is that the protocol used for communication between the cloud management system — which processes payments, among other important functions — and the charging stations may not be encrypted.

"If you're making payments (at a charging station), those and any private information you put can be transmitted in plain text," he said, making sensitive information susceptible to theft.

If a charging station is compromised, Assi said, a customer's private information could be leaked, such as the time and location of the vehicle. Hackers can also disrupt the charging process and damage the battery — the most expensive part of an electric vehicle.

Electric vehicle charging station-related breaches accounted for four per cent of cyberattacks on connected cars in 2022, the Upstream report said.

"Another critical aspect of cybersecurity in this ecosystem is the power utility itself," Assi said.

If a hacker synchronizes multiple charging stations and turns the charging of cars on and off, the power grid could be destabilized, he explained.

Assi said these shortcomings were flagged to manufacturers last year.

An August 2021 global standard was established to guide automakers in managing cybersecurity, risks including electronic control units, software and various vulnerable points of attack such as Wi-Fi and Bluetooth.

Manufacturers are working to strengthen cybersecurity in vehicles, Khan said.

But even the cat-and-mouse race to outdo hackers fails when intruders manage to find one weak spot — which may allow them access to other connected vehicles.

"Auto cybersecurity is a very new field," Khan said, adding the risk will persist with the ever-changing software potentially bringing newer vulnerabilities.

Still, the biggest challenge lies in the lack of awareness among consumers.

Khan said the auto industry is in a transitionary period.

Consumers will take time to adjust from "vehicles which never had connectivity or software to the (modern) vehicles with software that our lives have come to depend on," he said.

Khan suggested consumers ask car dealerships about the vehicle software and privacy protection from third-party apps.

"When you go to purchase a vehicle, you ask about safety features such as seatbelts and airbags," he said. "Similarly, ask about cybersecurity which is basically a health and safety issue."

Another best practice is to be aware of the software used in the vehicle and how it would impact its security if a third-party app is downloaded. Experts suggested drivers should also update vehicle software regularly to avoid cybersecurity attacks.

When selling a vehicle or using a fleet car, customers should be careful when connecting their phones because they may leave behind their data remnants.

Other best practices include avoiding connecting to public Wi-Fi and to not keep car keys close to the front door since thieves can use devices that capture a key fob's radio signal and extend the range to remotely start and steal vehicles.

Tim Burrows, producer of Canada Talks Electric Cars, has been driving electric vehicles for 10 years and says he never found himself thinking about cybersecurity until lately.

"Now that the software is actually 'driving the car', I find myself thinking more often about the potential for bad actors to hack into the network and damage or control the semi-autonomous operation of the vehicle," he said.

While he is aware that risk exists, it is not something he is deeply concerned about, he said.

"I suspect it might become a higher value 'target' for those wishing to cause harm," Burrows said. "Perhaps my attitude will change when autonomous vehicles go mainstream."

This report by The Canadian Press was first published Oct. 8, 2023.

Ritika Dubey, The Canadian Press

Note to readers: This is a corrected story. A previous version said Check Point Canada is based in Markham, Ont. In fact, Check Point Software Technologies is based in Tel Aviv, Israel, with its Canadian operations headquartered in Toronto.