Think about this: You're on your way home when, suddenly, your steering wheel starts turning on its own. The brakes don't respond. Your doors jam, and a dashboard message commands the payment of Bitcoin to regain control.

It sounds like science fiction?- It's closer to reality than we’d think.

Electric vehicle (EV) expansion is accelerating at a record pace with EV sales globally set to exceed 40 million units annually by 2027. Although this transformation promises cleaner, smarter, and more connected transport, it reveals a new battlefield in cybersecurity. New EVs are not just cars, but they are high-tech, networked computers on wheels vulnerable to increasingly more sophisticated cyberthreats that can turn  clean vehicles into cyber weapons.

The Highly Connected Environment of Autonomous Vehicles and New Attack Surfaces

Autonomous vehicles have many advanced systems, including electronic control units (ECUs), AI perception units, and V2X communications. All these are new vulnerabilities.

Researchers at Keen Security Lab in 2019 demonstrated a hair-raising real-world attack with an exploit on Tesla's lane-keeping feature. They got the car to drive into other lanes with tiny, carefully positioned stickers along the road, something that has been referred to as lane manipulation. Adversarial perturbations, patterns which are undetectable to humans but incorrectly classified by AI, have been demonstrated to cause unsafe vehicle motion or false detection of obstacles.

AVs rely on sensors like Light Detection and Ranging (LiDAR) for mapping the environment. Phantom objects and real obstacle-concealing LiDAR spoofing attacks were demonstrated to be possible in 2020 by researchers. With precisely designed lasers that impersonate LiDAR pulses, AVs are fooled into perceiving phantom dangers, which can lead to emergency braking or the omission of real threats. GNSS (GPS) spoofing and jamming is also a continuous threat. GPS spoofing was used to crash a US-Israeli drone in Iran as per MIT Technology Review, 2019. In the case of AVs, this could be dangerous navigation errors leading to dangerous zones.

Automotive Ransomware: The New Kid on the Block

Ransomware has long been used to victimize IT infrastructure, holding files or devices hostage for ransom. Today, the vehicles themselves are in their crosshairs. Picture it: Hackers remotely locking an EV's doors, disabling the engine, or taking over the steering wheel, until ransom is paid.

The 2015 Jeep Cherokee hack was one of the most astounding car hacks. Researchers Charlie Miller and Chris Valasek were able to remotely take over the vehicle via its cell-connected infotainment center, jamming the brakes, modifying steering, and disconnecting power from the engine on a public road miles away. What was shown was that connectivity modules were not isolated from safety-related vehicle controls.

More recently, the Pwn2Own competition also has faced challenges against Tesla cars; there, security researchers have been successful in remotely demonstrating exploits to take control of or obtain sensitive information from Tesla systems, further evidencing the changing threat landscape of automotive cybersecurity.

In 2022, David Colombo, a 19-year-old German IT security specialist, hacked into more than 25 Tesla vehicles in 13 countries by exploiting flaws in TeslaMate, a third-party logging app.

The Silent Threat: Charging Stations as Attack Vectors

EV charging infrastructure is a highly underrated but crucial cybersecurity risk. Public and private charging points are networked devices that charge, meter, and can remotely manage charge sessions. Unfortunately, these have limited cybersecurity controls, and thus they are exposed to attack by malware like ransomware, data tampering, or service disruption.

In 2018, hackers used one of the world's most widely used charging networks' vulnerabilities to alter billing information and disable charging capabilities. Hacked charging stations were also entry points to infect EVs with malware or perform Distributed Denial-of-Service (DDoS) attacks against the electrical grid. Distributed attacks would overload electrical infrastructure with so much traffic that it could cause blackouts, a highly likely scenario illustrated by the 2015 BlackEnergy malware attack on Ukraine's grid.

Closing the Gap: Safeguarding the EV Ecosystem

Keeping these interconnected threats at bay requires multi-layered protection:

• Secure Vehicle Security Architecture: Original Equipment Manufacturers (OEMs) must employ secure communication protocols, encrypt data, and compartmentalize safety-critical systems according to industry standards such as ISO/SAE 21434.
• Secure Over-The-Air Updates: Over-the-air (OTA) software updates need to be cryptographically signed and authenticated to prevent unauthorized firmware installations.
• Charging Station Hardening: Network segregation, intrusion prevention, and regular security audits should be embraced by operators.
• Partnership and Regulation: Governments should have up-to-date cybersecurity policy and dynamic partnership with industry stakeholders (US DHS, 2024).
• Incident Containment and User Education: EV user awareness of cyber-attacks and having quick response plans in place should be undertaken.

The Reality Check

Don't be scared off from electric vehicles by this, electric vehicles are the future of our planet and generally safe. We simply need to enter this EV era with our eyes wide open.

The days of cars as mechanical implements are behind us. New cars are high-tech computers on wheels, and like any computer, they can be taken over. Some already have been. The question is, will we be ready for more.

Education is the key to protection. By learning about these risks and holding manufacturers to higher standards of safety, we can ensure our clean electric future is safe, too.