Audit EVs, connected cars for cybersecurity risks: Modi government
What's the story
The Indian government has asked auto manufacturers and component makers to conduct a thorough audit of the software and electronic systems in connected cars and electric vehicles (EVs). The advisory, issued by the Ministry of Heavy Industries, comes amid growing cybersecurity concerns. It was sent to the Society of Indian Automobile Manufacturers (SIAM) and Automotive Component Manufacturers Association of India (ACMA), Business Standard reported.
Audit timeline
No deadline set for the audit
The advisory from the Ministry of Heavy Industries urges companies to review their cybersecurity systems, but doesn't mention a deadline for completing this audit. This comes after the government had earlier asked tech giants Apple and Google to remove three apps from their stores. The apps were allegedly misused to remotely disable electric vehicles by exploiting vulnerabilities in battery management systems.
Security vulnerabilities
Remote disabling of EVs
The government's main concern is connected cars, which are becoming more common with internet-enabled features and remote access capabilities. The apps that were removed from Apple's App Store and Google's Play Store were meant to monitor battery parameters such as charge levels, temperature, and health. However, videos on social media suggested users exploited these apps to remotely disable electric vehicles by accessing their battery management systems via Bluetooth.
Ongoing risks
Underlying vulnerabilities in battery communication systems
The government believes that simply removing the apps only solves the immediate problem, not the underlying vulnerabilities in battery communication systems. If low-cost lithium battery packs are used with factory default settings, weak passwords, or without Bluetooth authentication, a person standing within 10 to 15 meters of a vehicle could connect to its battery management system and disable its discharge function. This would cause an instant power loss for the vehicle.
Future regulations
Phased rollout of cybersecurity standards for connected vehicles
Earlier this year, the Ministry of Road Transport and Highways proposed a phased rollout of cybersecurity standards for connected vehicles starting October 1, 2026. The draft framework calls on manufacturers to establish cybersecurity management and software update management systems. These include secure over-the-air updates, strong user authentication, and software integrity checks.