Connected Cars and Spying

Commentary by James Andrew Lewis

Published October 1, 2024

The fundamental truth is that anything that connects to the internet provides an opportunity for the collection and exploitation of user information by a sophisticated and hostile opponent. And "sophisticated and hostile opponent" practically defines China.

It is like there are two Chinas-the China that makes deals to limit fentanyl precursors and the China that bumps into ships and puts malicious code on electrical networks and gas pipelines in the United States. This new "Notice of Proposed Rulemaking" follows two decades of intense Chinese cyber espionage, aimed at acquiring technology and now expanded to influence operations and pre-positioning software to prepare for potential armed conflict. China, of course, would have similar complaints about the United States.

To paraphrase a popular trope about intelligence activities, your mission, should you choose to accept it, is to decide if the United States and other countries should accept the risk of espionage and disruption in exchange for trade and economic benefits. Some may be tempted. Others may say there is no real risk. But the risk from cars connected to China is undeniable.

Here's how it works. The new U.S. Department of Commerce action will address two categories of technology: vehicle connection systems (e.g., Wi-Fi and telephones) and automated driving systems. These are the categories that the Department of Commerce identified as having the most risk. Ultimately, there will be prohibitions on these technologies if they are made in China, and this could also affect European carmakers that use Chinese components for communications modules. The successful Chinese effort to put malware on U.S. critical infrastructure networks appears to have been a decisive factor in taking this action.

One possible risk with automated driving systems is that Chinese entities could remotely take control of a car and cause it to crash or stall. There have been fears about networked cars for a decade (and some years ago, hacking a car was a standard show-and-tell feature at Black Hat hacker conferences), but it has never happened and is operationally complex. It might be attractive to a hostile power to make all connected cars suddenly stop at the onset of a crisis, but this seems a bit random.

Using the car's connectivity system-that lets one make calls, send texts, and help navigate the car for spying-is much more probable. Conversations inside the car could be recorded and exfiltrated to another location. Some cars will connect to the power grid to recharge, providing access to a critical utility. Consider the precedent of incidents with virtual assistants that accidentally recorded users' activity at home. China has numerous avenues to leverage this data effectively. One approach would be to create a list of all owners of the technology and sort through it for interesting or useful ones. Another would be to simply record and store everything and use sophisticated software to later identify what is interesting. The choice is really about how much each option costs, not whether it is feasible.

Using connected cars for spying is just an extension of mass surveillance of communications, something at which China and others excel. Those who remember Snowden should find this extension easy to imagine, as China's wide-ranging domestic communications surveillance is indicative of both its capabilities and intent. For instance, China once wired an entire gigantic building (the Headquarters of the African Union), demonstrating that scale and audacity are not barriers. Countries will face internal debates over the guardrails for accessing the information generated by connected cars, but these discussions will not affect foreign espionage.

By now, it is well known that China's laws require companies to cooperate with its intelligence services. China itself first banned connected Tesla cars from sensitive areas, a move later withdrawn after high-level lobbying and after assurances from the Chinese auto industry association that Tesla was compliant with China's data collection regulations. However, other Chinese bans on connected cars like Teslas entering sensitive areas appear to remain in force. The new rule by the United States could easily trigger a similar response from China toward foreign cars.

This sort of connection-collection problem will only increase as more connected devices (also known as the Internet of Things) enter into use and offer expanded new opportunities for espionage and disruption. Things as innocuous as internet-connected fish tanks have been hacked by criminals; cars are simply the next step for well-resourced states. Better privacy rules and cybersecurity requirements address part of the issue, but not the problem of sophisticated foreign adversaries. For the foreseeable future, bans are likely the only effective way to reduce risk.

James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Programs & Projects