New report highlights potential cybersecurity risks with electric, automated vehicles

As more electric, automated and connected vehicles hit global roads in the coming years, a new report by Deloitte Canada details how cybersecurity risks could emerge for Canadian drivers.

The report roadmaps how the development and implementation of cybersecurity measures should be applied to advanced transportation technologies, which are becoming increasingly capable of storing personal information about drivers and passengers, and of being controlled and accessed by remote devices.

“Modern vehicles are super-computers on wheels,” said Stephen Meagher, director of cybersecurity and IOT and risk advisory at Deloitte, in a phone interview with CTVNews.ca Wednesday.

“There are hundreds if not thousands of developers of parts manufacturers -- from small chip manufacturers and firmware development all the way to control units and mobile applications that can connect to vehicles,” he explained.

Meagher said that evolving and multifaceted technology ultimately increases what is called “the attack surface area.” This is described as systematic vulnerabilities, or cybersecurity gaps that widen the likelihood of a device being compromised.

For instance, “vehicles now come with mobile applications -- whether that be for direct control and access of the vehicle or control of several vehicles,” he said.

This mobile access, he explained, can introduce risks far beyond data privacy breaches.

The report identifies an incident last year when 25 automated vehicles that were owned by a transportation company were hacked and remotely accessed.

“The teenaged hacker was able to determine each vehicle’s exact location, whether it was occupied by a driver, and, most significantly, run commands on it remotely,” the report explained.

Other cyber risks that Deloitte’s report identifies include GPS tracking and stalking, targeted malware, and control of vehicle acceleration and braking.

With vast advancements in automated transportation tech, the report warns that hackers could become more capable of operating cars remotely.

According to the report, in 2021, 84 per cent of cyberattacks on vehicles were carried out remotely. Over 50 per cent of cybersecurity-related automotive incidents “ever reported” had occured in the last two years, according to the company’s research.

Deloitte’s report also states that the “rise in automotive cyber incidents is predicted to keep growing.”

The reason cited for this growth is the increasing amalgamation of hardware and software components. “In many instances, responsibility can fall on multiple stakeholders within the automotive supply chain,” it reads.

Meagher suggests that a shared responsibility of all part manufacturers is required to mitigate cybersecurity risks.

“Our approach to this is that, whether you be a fleet owner, a manufacturer, or a government [determining the] regulation of data privacy in a country, it’s the responsibility of all of those parties to make sure that, holistically, we have a good cybersecurity stance to make this market move forward,” Meagher said.

Meagher said that vehicle manufacturers, fleet owners, and city jurisdictions need to start considering how they can better ensure the safety of their drivers – namely, by better understanding each individual part that makes up a vehicle, and collectively evaluating the risk each part brings forward.

“Because they’re not inherently part of the normal instructure for the automotive supply chain, there have been several shortcomings in the security and development of those applications,” he said. “We need to ensure that the multiple components of a vehicle are secure to and from each other."

LEGAL TERRAIN OF CYBERSECURITY

Some of this “shared responsibility” can eventually fall upon cybersecurity legislation, said Helene Deschamps Marquis, partner and national leader of data privacy and cybersecurity at Deloitte Legal Canada. However, no laws of this nature currently extend to automated vehicles.

Some preventative measures, she said, can lead the way.

Marquis, who specializes in cybersecurity breaches and privacy compliance laws, spoke to CTVNews.ca in a phone interview Wednesday about a philosophy called, “Privacy by Design” -- an approach to technology legislation that promotes embedding privacy design and cybersecurity measures within the architecture of IT systems and business practices. The approach differs from adding ambiguous consent options that can easily be overlooked by a user.

In June of this year, the Digital Charter Implementation Act, 2022 -- Bill C-27 -- was introduced by Canada’s federal government, pledging (if passed) to enforce “privacy by design” measures, which would be upheld within automation and artificial intelligence technology industries.

“These measures,” Marquis said, “would extend to transportation.” .

But when it comes to car manufacturers, “privacy by design” will also depend on the type of information that is gathered, she explained. This information is what widens the “attack surface area” of a vehicle.

“The reality of these autonomous vehicles is not clear yet. It’s not clear how they’re going to use the data. It’s not clear how they’re going to use AI [to collect it].”

Future legislation, she explained, will depend on how [the technology] develops, and how each manufacturer deals with [the risks].”

At the end of the phone interview, Marquis pointed out that human error is not the real threat here.

“AI needs to be ethical,” she said. “And we need to know how it makes decisions.”