ISSUE 030 March/April 2025 | In conversation with Tony Fong | Bobcat T7X electric compact truck loader dossier | Cybersecurity focus | Motor testing insight | Fellten’s Charge Qube | HIL testing insight | Battery leak testing focus

E-Mobility Engineering | March/April 2025

Sense of security

Nick Flaherty uncovers new ways to make e-mobility software safer

A competition in Japan has discovered 49 vulnerabilities in automotive software of which the developers were unaware. At Pwn2Own Automotive 2025, researchers targeted EV-charging electronic control units (ECUs), where a flaw allowed the manipulation of charging parameters in the powertrain ECU, risking battery thermal runaway. As this had not been noticed before, it is called a ‘zero day’ vulnerability. Another team achieved full vehicle control by compromising the central gateway ECU, which routes communications between critical systems.

Other approaches included Shellshock attacks, in which harmful commands could be triggered remotely, and unknown app execution, which could lead to data breaches, unauthorised access and degraded system performance.

Risks exist across the e-mobility ecosystem. For example, a breach in 2024 of a car maker’s customer portal exposed not only user data, but also indirect access to telematics ECUs in connected vehicles. Attackers exploited weak authentication of the application programming interface (API) to send unauthorised commands to a vehicle head unit, potentially altering ECU configurations (for example, disabling alarms or geofencing).

This incident underscored the risks of insufficiently secured backend systems interfacing with in-vehicle ECUs, prompting the company to isolate critical ECU communication channels from customer-facing APIs.

Similarly, weak encryption of a firmware update delivery showed that malicious actors could intercept and modify ECU update packages, injecting code to disable collision-avoidance systems.

All this highlights the ongoing challenges when developing secure systems for e-mobility. If a system is not secure, it cannot be considered safe.
Standard bearers

Developers are now learning from the first implementations of security systems to refine and improve their designs.

Modern vehicles come with more than 100 electronic control units (ECUs), which run millions of lines of code written in the C programming language. For software-defined vehicles, the number will be even higher as the computational power required to run them scales up, creating a huge attack surface for vulnerabilities.

The database of Common Vulnerabilities and Exposures (CVE) includes a flaw in an automotive product security platform allowing unauthorised access to the host system that could lead to remote code execution (CVE-2023-42419), and a vulnerability in the Tesla Model 3 web interface that allows a denial-of-service attack, which prevented the user from seeing the speedometer, or using the turn signal, climate control or navigation features (CVE-2022-10558).

Cybersecurity is key to vehicle resilience (Image courtesy of Horiba MIRA)
