Cars are increasingly dependent on software, and like computers, they require adequate protection against cyberattacks. In 2015, the Jeep Cherokee hack was a groundbreaking cybersecurity demonstration that exposed significant vulnerabilities in connected vehicles. Charlie Miller and Chris Valasek, two well-known cybersecurity researchers, conducted this attack, which showed that a remote hacker could take complete control of a vehicle, even while it was being driven. Since then, electric vehicles, which are even more dependent on software than a traditional car, have spread worldwide, but cybersecurity around cars hasn’t evolved as fast.
Why are electric cars vulnerable to cyberattacks?
Cybersecurity for electric vehicles (EVs) is critical because these cars are increasingly connected, automated, and reliant on software. They have multiple attack surfaces, including onboard systems, charging infrastructure, wireless communication, and cloud-based services.
Source: Electric Vehicles Security and Privacy
Below, you will find a quick overview of the attack surface of EVs:
Vehicle-to-Everything (V2X) Communication
EVs communicate with traffic signals, other vehicles, and cloud services. Hackers can intercept or manipulate these messages, leading to misinformation, unsafe driving conditions, or accidents.
Onboard Software & Firmware
EVs run on complex software, including embedded operating systems, control units, and autopilot features. If not adequately secured, firmware updates over the air (OTA) can be hijacked. Unpatched software vulnerabilities can also be exploited to take control of vehicle functions.
CAN Bus Attacks
The Controller Area Network (CAN Bus) is used for internal vehicle communications. If attackers gain access (via physical ports like OBD-II or remotely via Bluetooth/WiFi), they can send malicious commands to control acceleration, braking, or steering.
Infotainment & Mobile Apps
EVs rely on mobile apps for remote control (unlocking doors, starting the car, etc.). A compromised app or API can allow hackers to access the vehicle. Furthermore, Bluetooth and Wi-Fi connectivity in infotainment systems can be exploited for unauthorized access.
Charging Infrastructure (EV Chargers & Grid)
Public charging stations (EVSE—Electric Vehicle Supply Equipment) can be compromised to steal data or infect the car’s system with malware. Fake or modified charging stations could also be used for Man-in-the-Middle (MitM) attacks, stealing credentials or injecting malicious firmware. Attackers could also manipulate the grid connection to overload or disable the car.
Cloud & Backend Systems
EVs sync with cloud platforms for navigation, diagnostics, and user profiles. Weak encryption or misconfigured cloud storage could expose personal data, location history, or driving habits.
Common cybersecurity threats to Electric Vehicles
The Jeep Cherokee experiment was only the first one to be unveiled to the public. Since then, attacks on cars have only evolved and become more vicious. For example, public charging stations have become a growing target. Since 2020, Tesla cars have also become a common target. Researchers have demonstrated remote attacks on Tesla’s autopilot, key fobs, and infotainment system.
Source: Electric Vehicles Security and Privacy
Cybersecurity threats for EVs span through a wide range of attacks, including:
- Remote Hacking – Exploiting software vulnerabilities in infotainment, apps, or Wi-Fi/Bluetooth interfaces to take control of the vehicle.
- Ransomware – Locking down an EV’s software and demanding payment to unlock it.
- Denial-of-Service (DoS) Attacks – Overloading vehicle systems or charging stations to cause disruptions.
- Man-in-the-Middle (MitM) Attacks – Intercepting or modifying communications between the EV and external networks.
- Supply Chain Attacks – Targeting third-party vendors providing software, chips, or hardware components.
The aftermath of the Jeep Cherokee attack
The Cherokee attack triggered a chain reaction in the industry:
First, Fiat Chrysler (FCA) Issued a Massive Recall. The company recalled 1.4 million vehicles to fix the vulnerability. A security patch was issued, but customers had to update their cars manually via USB.
As a result, Jeep owners sued FCA, arguing that the vehicles were not secure. The lawsuit was later dismissed, but it raised awareness about automotive cybersecurity liability. In return, the US Government Took Action, with the FBI and NHTSA (National Highway Traffic Safety Administration) issuing warnings about vehicle cybersecurity risks. The Auto-ISAC (Automotive Information Sharing and Analysis Center) was also formed to improve industry-wide cybersecurity collaboration.
The attack ultimately influenced ISO/SAE 21434, the first official standard for automotive cybersecurity. Car manufacturers started encrypting communications and segmenting networks (infotainment vs. critical vehicle controls).
Are EVs still vulnerable today?
The Jeep Cherokee hack was just the beginning. Despite security improvements, connected vehicles (EVs included) still have vulnerabilities, and researchers continue to find new exploits. Some recent attacks include:
- The 2022 Tesla Bluetooth Relay Attack: Researchers hijacked a Tesla’s Bluetooth key fob remotely and stole the car in seconds.
- The 2023 EV Charging Station Attacks: Hackers exploited OCPP vulnerabilities to shut down charging stations and steal driver data.
- The 2024 AI-Based Attacks on Autonomous Vehicles: Adversarial AI methods can trick self-driving cars into misinterpreting road signs.
How can vehicle manufacturers make EVs more secure?
Much can be done to make electric vehicles safer and more resilient to cyberattacks. First and foremost, vehicles need strong network segmentation. Infotainment systems should never have direct access to critical vehicle controls. Over-the-air (OTA) updates must be secure. They should be encrypted and require authentication to prevent firmware tampering. Automakers should also implement intrusion detection systems (IDS) that monitor the CAN bus and ECUs for unusual activity. Finally, stronger authentication and encryption should be mandatory for wireless connections (i.e., Wi-Fi, Bluetooth, cellular, etc).
Below are some free resources to better understand cybersecurity for electric vehicles.
RESOURCES:
