11 December 2024
Security concerns regarding Chinese connected cars: A short overview
Fredrik Sandberg/TT
The rise of electric vehicles (EVs) and smart car technology is increasingly raising concerns over cybersecurity and data privacy. Large-scale data collection, hacking vulnerabilities and the possibility of controlling privately owned vehicles are security concerns that all connected cars have in common. With the worsening of relations between China and the West, and especially increasing geopolitical rivalry between China and the US, Chinese manufacturers have come under particular scrutiny and the problem has acquired a national security dimension.
Security vulnerabilities of connected cars
Modern cars, because of their high degree of connectivity, present a number of cybersecurity risks. The main security risks concern data collection, hacking vulnerabilities, and manufacturers’ ultimate control over vehicles sold.
First, a large number of features in a modern vehicle typically interface with the internet. The car’s software is updated wirelessly, and its feature set can be altered by enabling or disabling functions over the internet. Cars also collect large amounts of data and transmit them to the manufacturer. According to one estimate, a typical modern car can generate 1400 gigabytes of data per hour – though most of this is deleted quickly and only a small fraction is sent to the manufacturer. Many cars collect data automatically, even from systems that are not actively being used – this has been shown to be the case for certain Chinese EVs. The type of data collected can include user profiles, including biometric information, and geographic data. Driving behavior—such as acceleration, speed, and steering patterns—can be recorded alongside more personal information like voice commands and data from synced smartphones. This data can then potentially be shared with various entities apart from the manufacturer, including affiliates, insurance companies, and even government agencies.
Second, connected cars are susceptible to hacking. If exploited, weaknesses in vehicle cybersecurity could allow malicious actors to control crucial vehicle functions remotely. In some models, nearly all functionalities can theoretically be operated wirelessly, including acceleration, braking and steering. If a hacker were to find a vulnerability in the software, the consequences could be catastrophic.
A final concern is that by design, the manufacturer retains a high degree of ultimate control over connected vehicles. A real-world example of this was demonstrated when Russia looted Ukrainian agricultural machinery in the early stages of the Ukraine war—John Deere, the manufacturer, then stepped in and remotely disabled the equipment.
Risks with Chinese manufacturers and components
In principle, these three vulnerabilities exist in all connected vehicles. But the problem of highly connected electric vehicles acquires a national security dimension when there is exposure to countries considered high-risk. Today, many countries, including in Europe, identify China as a security concern, and there is a reasonable fear of relations between China and the West deteriorating further. In this connection, Chinese EVs in particular are increasingly seen as a security concern in the West.
The most pressing issue is probably that the constant collection of data which is sent back to China might allow the Chinese government to use EVs abroad for intelligence gathering, including for spying on individuals and mapping patterns of movement and physical locations, as well as using collected data for training military-grade AI and other applications. More than individual data is at risk, as large-scale data collection could also reveal crucial information about collective behavior, patterns of traffic and the flow of goods in a target society. In this context it is generally assumed that the Chinese government, through its National Intelligence Law and other means, can compel Chinese automakers to hand over sensitive data. But there is also the concern of employing the vehicles for active sabotage and attacks in a situation of increasing China-West conflict. Gina Raimondo, the US Secretary of Commerce, voiced these concerns in May 2024 when she said that “You can imagine the most catastrophic outcome theoretically if you had a couple million cars on the road and the software were disabled.” For its part, China has already taken steps to restrict Tesla cars from entering sensitive government-related areas in China, due to concerns over data collection. These restrictions demonstrate that China is aware of the risks posed by connected vehicles and their data collection capabilities.
Some have pointed out that national security risks with Chinese technologies exist even at the component level. It has been asserted that the main security issues with Chinese EVs are associated with the cellular IoT modules (CIMs) that enable internet connectivity within vehicles. These modules, which are ubiquitous in many everyday items, allow vehicles to access over-the-air software updates and are critical for the operation of most connected vehicle systems. China’s market position in this field increasingly resembles a monopoly, with companies like Quectel and Fibocom leading the global market. By the end of 2022, Chinese firms accounted for 64 percent of global CIM sales, a market share that corresponds to 75 percent of IoT connections.
According to the critics who see CIMs as the main digital vulnerability, like the UK analyst Charles Parton, eliminating all security risks connected to Chinese intelligence gathering would require one to “ban any Chinese module in any vehicle.” They warn that any vehicle equipped with a Chinese-made CIM could, in theory, have its data “sucked up” by the Chinese Communist Party, and that these modules could be manipulated to disable vehicles remotely. However, it should be noted that there is at present no direct public evidence of the Chinese government extracting data from CIMs. In general, Chinese companies would have to be prepared to bear the significant legal and reputational liabilities that any espionage or sabotage would entail if discovered. The willingness to bear such risks should by no means be taken for granted, for either China’s companies or its government.
Regulatory responses in the United States and the European Union
In response to these risks, governments, primarily the United States, have started to investigate potential data and cybersecurity threats posed by Chinese electric vehicles and other connected cars. In February 2024, the US Commerce Department announced an investigation into the risks. In May 2024, the Biden administration announced 100 percent tariffs on Chinese-made electric cars. The primary justification for this measure was to protect American manufacturers from unfair trade practices, but the US is now clearly reacting to more far-reaching concerns over Chinese technology, as seen by recent proposals aimed at Chinese hardware and software components.
The US Department of Commerce proposed in September 2024 to prohibit the sale and import of connected vehicles containing hardware and software “with a sufficient nexus” to China (as well as Russia), in order to prevent “malicious access”. If implemented, this rule would affect the European car sector as well, as it would need to move away from Chinese suppliers in order to keep access to the US market. The restrictions on Chinese software, according to the rule, would take effect in 2027, while hardware restrictions would be applied from 2030. The hardware rule would include CIMs. Such measures would provide an advantage to any European manufacturers who are less reliant on Chinese technology, but create challenges for brands that have significant operations in China or that, like Sweden-based Volvo Cars, have Chinese owners. The Canadian government is now also considering measures against Chinese connected vehicle technology, while the issue is being debated in Australia and the UK.
Things have been moving more slowly in Europe. The EU imposed new tariffs on Chinese EVs in July 2024, increasing them to a range from 27.4 percent to 47.6 percent, depending on the manufacturer, but these tariffs were motivated by concerns over unfair trade practices rather than security fears. In December 2023, the European Commission announced that it prioritized looking into the cybersecurity aspects of connected and automated vehicles, including EVs. In September 2024, it was reported that the Commission’s security assessments might lead to an “ICT supply-chain toolbox” resembling the existing 5G security toolbox, but there are as yet no concrete proposals on the table.
Policy recommendations for the EU
How to address these security concerns is ultimately a political question, and much depends on the long-term development of relations between China and the EU and the perceived level of threat from China. But existing security vulnerabilities suggest that there should be at least a minimum of protection to prevent Chinese intelligence gathering and malicious influence against European citizens and governments:
- The EU should launch its own investigation of security risks with Chinese EVs.
- Following the pattern of the partial restrictions on Teslas in China, Chinese vehicles should be prohibited for personnel working in politically sensitive or security-related areas, even in their private capacity. The use of Chinese CIMs should also be prohibited in the national security sector, where this is not already the case.
- The EU could consider requiring Chinese manufacturers to store data collected from cars sold in the EU within the Union, with the threat of corporate fines if vehicle data is found to be transferred back to China. This would mirror the corresponding requirement on personal information and important data in China’s own Cybersecurity Law.