What is the new Trojan horse that the United States fears and how does it work

The White House announced last week a plan to ban the sale or import of connected vehicles containing hardware and software elements that could be produced in China or Russia, citing national security concerns.

American authorities are concerned that connected vehicles produced by China, including buses and trucks, have components that could potentially turn them into "Trojan horses" for sabotage.

This is the second announcement in the last six months made by the U.S. government on this issue, as noted by France 24.

In May, Washington imposed a 100% import tax on electric vehicles from China, a decision justified by the Biden administration as a measure to protect American auto industry jobs against the increasingly aggressive Chinese industry subsidized by Beijing.

Although the new ban targets both Beijing and Moscow, the Chinese auto industry is actually the main focus. China and the United States are home to the largest electric vehicle manufacturing companies in the world. A minor share of the production of hardware and software for connected vehicles, which enable external connectivity and autonomous driving options, comes from Russia.

What Happens When a Car Becomes a "Trojan Horse"

"Malicious access to these systems could allow adversaries to access and collect our most sensitive data and remotely manipulate vehicles on American roads," the Department of Commerce stated in a press release.

"Connected vehicles and the technology they use bring new vulnerabilities and threats, especially in the case of vehicles or components developed in the People's Republic of China and other countries of interest," said Jake Sullivan, U.S. National Security Advisor, in a press conference on Sunday.

Sullivan referenced the Chinese hacker group Volt Typhoon, which U.S. intelligence officials stated in February had targeted communication, energy, transportation, water, and wastewater systems in the United States.

According to U.S. information, the risk was that such groups could plant dormant code in critical networks that could then be activated to sabotage infrastructure remotely in case of increased tensions between the U.S. and China.

Connected vehicles use a relatively new infrastructure network, but "the risk of connected cars being targeted by hacks has been known for about ten years," says Jean-Christophe Vitu, from a cybersecurity firm in the U.S.

However, most examples of cyber-attacked vehicles so far do not indicate the use of international espionage tools. "Currently, we essentially have cases of hacking to bypass vehicle security systems just to steal them," adds Vitu.

Nevertheless, the danger is not merely theoretical. "There have been demonstrations where connected vehicles are controlled remotely," recalls Sébastien Viou, cybersecurity director for the French company Stormshield.

Connected vehicles also offer multiple entry points for hackers – mainly through the software targeted by the latest U.S. ban. "Each connected vehicle, for example, has a modem or SIM card that was not made by the company that built the vehicle, allowing it to connect to a network and transmit data to servers," explains Matthieu Dierick, a cybersecurity expert at F5, a U.S. security company.

A vulnerability at this level could allow a hacker to intercept transmitted data. An attacker could also target the "multiplexer, which is a kind of control tower for the use of the vehicle's electronic and connected interfaces, such as GPS or radio," adds Vitu.

According to the expert, the amount of personal data collected by these vehicles and their manufacturers "is enormous." Gaining access could reveal, for example, the exact route taken by a high-profile individual, if they received a call during transit and the driver was using a hands-free kit.

Compromised connected vehicles can also be physically manipulated. Although there is no known real case outside cybersecurity conference demonstrations, "a connected car can be sabotaged to force it to stop, for example," or to force the "remote shutdown of the assisted driving system or acceleration of the vehicle," Viou believes.

A Show of America's Strength

Currently, there are very few connected vehicles with Chinese-made parts in North America, and hacking a connected vehicle requires the skills of an advanced hacker.

"If you target a specific vehicle, you may need to do preliminary information gathering to find out which brand produced the different software components you want to activate or deactivate remotely," explains Dierick. "With all the current geopolitical tensions, it's a matter of digital control. It's essential to have complete control over all the software used and trust the companies that produced it, and its configuration could take time," he adds.

However, eliminating all risk elements from connected vehicles in the U.S. would mean "implementing a production chain using only software made in North America or Europe," emphasizes Dierick.

The White House press release states that the U.S. aims to impose the ban on high-risk software and hardware components made in China by 2030.

However, the focus on connected vehicles seems limited if Washington aims to eliminate the potential for large-scale cyberattacks. "The risk of vulnerability to a remote attack exists, regardless of the origin of the software," Viou emphasizes. Just because a part of an electric car is manufactured by Huawei in China, rather than a Western company, does not mean it is more or less susceptible to hacking attempts by Chinese or Russian cybercriminals.

Realistically, controlling the production chain is primarily a way to reduce the risk of introducing a "backdoor" into connected vehicles, says Viou, referring to a hidden method of bypassing normal authentication or encryption, often used for secure remote access.

Americans Want to Close Any "Backdoors" to the Chinese

How can we ensure 100% that there are no Chinese-made components in all connected vehicles?

With supply chains so complex, is it feasible for a subcontractor to assemble a part of a spare part in a car factory in Guangdong? asks France 24.

"It's very difficult to be sure," replies Vitu. Ultimately, "the connected car may not be the top priority when it comes to closing the digital backdoors that Chinese spies can slip through. There are, for example, several mobile phones with Chinese components in circulation," Dierick points out.

Sébastien Viou believes that the new ban in the U.S. could also be "a way to provide an advantage to American electronic component manufacturers," "especially after the Chips and Science Act" – an initiative by the Biden administration in 2022 aimed at boosting the production of new technologies in the U.S.

With just over a month until the U.S. presidential elections, the ban likely also represents a moment of political opportunism, a gesture to illustrate that the Democratic Party is not afraid of Chinese power, as noted by France 24.

China, in turn, has strongly opposed the U.S. ban, stating that this measure "violates the principles of market economy and fair competition and is a typical protectionist act."

In fact, it is yet another episode in the tense relationship between the two economic powers dominating the electric vehicle production sector.

T.D.

