Starting around 2025, the world’s cyberspace bad actors will suddenly have a gigantic and fast-expanding new arena in which to operate—some 50 million electric vehicles that by then are expected to be plying roads everywhere, with hundreds of millions more to come in subsequent years. All of them will be connected to the internet through dozens of onboard nodes, making them ripe for hacking.
This long-predicted cyber shooting gallery for state-backed and private hackers and ransomware criminals appears to be shaping up as a bonanza for commercial crime fighters—startups and established companies, mainly in the U.S. and Israel, a longtime generator of security businesses, that claim they can prevent dangerous breaches of EVs and charging stations.
The EV cybersecurity boom reflects a larger trend: Over the last 18 or so months, investors have poured more than $11.5 billion into cybersecurity firms globally, producing six unicorns in 2020 and nine more in the first quarter this year, according to Crunchbase, most of them in the U.S. McKinsey last year forecast that revenue for auto cybersecurity alone would reach $9.5 billion by 2030.
The rise of EV cybersecurity is a critical dimension—and an underappreciated underside—to the surge of vulnerable EV apps that I wrote about last week. Authorities have recorded relatively few EV cyberattacks anywhere so far. But the anticipation of a deluge of such breaches—reinforced by fast-approaching regulatory deadlines forcing automakers to prepare for them—is driving substantial funding from major automakers including General Motors, BMW and Volkswagen.
“It’s almost inevitable that these kinds of vehicles will be targeted by the bad guys,” said Michael Daniel, president of the Cyber Threat Alliance, an association of cybersecurity companies, and a former cybersecurity coordinator in the Obama administration. “Holding a fleet of vehicles hostage is a way to make money. From a nation-state perspective, holding a transportation system at risk is a considerable source of leverage.”
Through the years, corporate cyberattacks have attracted attention—but not a public outcry and insistence that they stop. With EVs, this dynamic will dramatically shift. “It’s one thing if your spreadsheet crashes and quite another if it’s your Tesla,” Daniel said.
Bizarre EV Code
For the last dozen years, the EV industry has largely escaped the hacking maelstrom that has engulfed the rest of technology and other bigger sectors. Analysts have long made high-level forecasts that EVs are doomed to be major cyber targets, but hackers have only occasionally gone after connected vehicles generally, like a 2019 case in which a gang stole 100 Mercedes autos from Chicago car-rental app Car2Go.
The core of what will single out EVs for cyberattack by the middle of the decade starts with the mischief contained in their electronic guts: In This Is How They Tell Me the World Ends, New York Times reporter Nicole Perlroth wrote that the electronics governing high-end vehicles like EVs contain far more lines of software code than those for a Boeing 787, an F-35 Lightning or the Space Shuttle. The code often consists of large building blocks not written by the automakers or even trusted suppliers, but by members of the open-source tech community, with much insertion of superfluous add-ons, themselves vulnerable to shrewd hackers. Adam Boulton, chief technology officer at BlackBerry Technology Solutions, said his team has found gratuitous Word files, spreadsheets, design documents and other personal bric-a-brac bizarrely pasted into automobile software code. “In automotive, there is no verification of the source code,” Boulton told me.
What also sets EVs apart is their outsize overlap with other technologies: Smartphone in hand, EV drivers connect with public charging stations, whose payment systems are linked to banking intermediaries. They also connect with their automated home via the array of devices known as the internet of things. In the future, EVs will be linked to public infrastructure such as smart traffic systems and vehicle-to-grid charging, so the inherent vulnerabilities described above will spread further. “You use your phone to open the garage door,” said Yoav Levy, co-founder of Upstream Security, an Israeli cybersecurity startup. “You use it to open the car, summon the car, start the car. The car can control the home.”
New Rules Against Bad Actors
Regulators view this picture as a growing potential catastrophe. So it is that automakers soon will be required to observe rules meant to protect EVs and future automated vehicles from bad actors commandeering or disabling them, draining or locking up their lithium-ion batteries and stealing their data. A United Nations agency enacted the rules last year, and 54 countries including Japan, South Korea and the nations of the European Union embraced them. Though the U.S. is not a signatory, American automakers are also likely to observe the rules, since they sell so many vehicles in those markets already. In stages starting next July and running through 2024, the manufacturers, in order to sell in any of the countries, are required to secure the EV and other connected vehicles they produce, as well as vet their suppliers. Last week, Nikkei Asia reported that some 90 Japanese automakers and suppliers, including Toyota and Nissan, had banded together in a consortium to monitor vehicle security as a group.
The regulations have been a primary accelerant for the auto cybersecurity industry. Tal Cohen, an Israeli investor who runs a tech incubator, said the country has more than two dozen such startups. Slava Bronfman, CEO of Tel Aviv–based Cybellum, which touts Audi, Nissan and Jaguar Land Rover as clients, said he uses a strategy of creating a “cyber digital twin” of every component in an EV. A computer continuously checks the software against the twin. If something new pops up in the EV that doesn’t match the twin, Cybellum notifies the automaker and can send a patch over the air. Levy of Upstream Security, whose investors include Hyundai, Volvo and Renault Nissan Mitsubishi, said his company’s approach is to monitor vehicles for known malware and software flaws— “zero days,” in the industry parlance—that yet-unknown malware could exploit.
VW and GM both describe strategies to isolate electronic systems within the vehicle. If, for instance, an attacker breaches the EV’s infotainment system, they would not be able to get to the brake system. Alfred Adams, GM’s chief product cybersecurity officer, told me that this is one of several overlapping layers of defense the company employs.
But the systems are not fail-safe. BlackBerry, which since the collapse of its smartphone business has rebranded itself as an automotive and medical system cybersecurity company, sells its QNX and Jarvis 2.0 software as unique and pioneering methods of verifying the precise software code across an EV’s electronics. BlackBerry’s systems now monitor about 195 million connected vehicles, up from 175 million a year earlier, and the company in June estimated that its current customers will pay $490 million over the lifetime of their QNX contracts. But BlackBerry stumbled Wednesday, when the federal Cybersecurity and Infrastructure Security Agency reported that some of the company’s software released in 2012 and earlier contained malicious code that could cause a denial of service response. BlackBerry initially told CISA that the malware had not breached its QNX system, Politico reported. That suggests QNX and Jarvis do not recognize the hazards embedded in everything they are examining. In a statement, BlackBerry said it had notified its customers of the flaw and provided a patch to correct it.
Cyberwar activities appear likely to continue expanding for years and probably decades to come, and that means the cybersecurity industry will see definitive growth as well. Cyberattacks require little in the way of capital investment but carry high potential gain if they are successful. As attackers constantly invent new malware and find new vulnerabilities, that will lead to built-in obsolescence for EV systems. It means the defenses built around them will require periodic replacement, which will create more business for security experts. “Cybersecurity is always changing,” Cybellum’s Bronfman told me. “If you check your car today and it’s safe, it means nothing for tomorrow.”
An exclusive premium service covering the nascent battery and electric vehicle revolutions.
Steve LeVine is editor of The Electric. Previously, he worked at Axios, Quartz and Medium, and before that The Wall Street Journal and The New York Times. He is the author of The Powerhouse: America, China and the Great Battery War, and is on Twitter @stevelevine