Is Your New Car a Threat to National Security?

Putting sensor-packed Chinese cars on Western roads could be a privacy issue. Just ask Tesla.
Image may contain An all seeing eye overlooking car manufacturing
ILLUSTRATION: ABBR. PROJECTS

China's Electric Dream

Starting this week, Teslas won’t be welcome in the Chinese resort town of Beidaihe. The electric cars are strictly banned on the streets of the coastal city for the next two months, as senior Communist leadership descends on the city for a secret conclave.

It’s not the first time, either. The city of Chengdu barred Teslas in advance of a June visit from President Xi Jinping, Reuters reported, while some military sites have similarly forbade Elon Musk’s flagship product. While no official reason was released, the bans seem to be out of concern that the vehicles’ impressive array of sensors and cameras may offer a line of sight into meetings of Beijing’s senior leadership.

It’s a curious move. China is, increasingly, one of the most connected countries in the world—Chinese industry has even tried to brand Chengdu as the “5G Joy City,” where locals are encouraged to stream their daily lives.

Tesla may be one of the most popular electric vehicle brands in China, with upwards of a half-million vehicles on the roads, but it is not itself Chinese. The firm has acquiesced to Beijing’s data localization demands, setting up a dedicated data center in China, but it cannot shake the characterization that it is a foreign company—and, therefore, a national security threat.

It’s not a concern unique to Xi’s government. As Chinese automakers gear up for a big push into the West, anxieties are already mounting as to how those vehicles could phone their robust trove of data home.

The future of transport is certain to be electric and autonomous vehicles. They could also be the future of espionage.

National anxiety about the surveillance powers of new modes of transportation is hardly novel.

In 1913, the French army seized the German-made Z-4 airship after it flew off course in thick fog and landed on French soil. Paris ordered that “any photographs of French fortified places taken en route would also be seized,” The New York Times reported at the time.

Through the Cold War, both sides of the Iron Curtain addressed the question of expanding aerial surveillance capabilities by signing the Open Skies Treaty—opting to provide clear rules on how and when both NATO and Warsaw Pact countries would spy on each other from the skies, even regulating the flight path for these surveillance missions, instead of attempting to stop them outright.

Consumer vehicles are just a recent addition to the national security equation. But thanks to the globalized economy and modern product development, they are perhaps the trickiest challenge yet.

As it stands, Teslas are arguably the most connected and widespread of a new generation of vehicles. Not only do they hoover up a massive amount of data on the driver—from call logs to on-board browser history to average speed and route history—but their outward-facing sensors and cameras can relay a considerable amount of information about the surrounding world.

David Colombo, a 19-year-old German programmer, proved earlier this year that accessing incredibly sensitive data on Tesla users wasn’t just possible—it was fairly easy. Using a third-party application with access to Tesla’s API, Colombo got into the systems of more than two dozen Teslas around the world, controlling their locks, windows, and sound systems and downloading a huge bundle of information.

“I was able to see a large amount of data. Including where the Tesla has been, where it charged, current location, where it usually parks, when it was driving, the speed of the trips, the navigation requests, history of software updates, even a history of weather around the Tesla and just so much more,” Colombo wrote in a Medium post published in January that detailed his exploits.

While the specific vulnerabilities Colombo took advantage of have been patched, his hack demonstrates a huge flaw at the core of these smart vehicles: Sharing data is not a bug; it’s a feature.

The amount of data Tesla collects and uses is just the tip of the iceberg. We have yet to see fully autonomous vehicles or the much-vaunted “smart cities,” which could see 5G-enabled roads and traffic lights.

In the near future, cars will not only collect information about their driver and passengers, but the vehicles, pedestrians, and city around them. Some of that data will be necessary for the car to function properly—to reduce collisions, better plan routes, and improve the vehicles themselves.

“The United States and Europe have been asleep at the wheel,” says Tu Le, managing director of Sino Auto Insights. The US, Canada, and Europe may continue to be the world leaders in producing traditional vehicles, but that lead won’t hold for long. Whether it’s cobalt mining, lithium battery innovation, 5G-enabled technology, or large data analytics, Le says China has been several steps ahead of its Western competitors.

“All those seemingly unrelated things are converging into this smart EV,” Le says.

Of course, not all of Beijing’s success came honestly. Chinese nationals have been accused of pilfering intellectual property from American companies to bolster China’s growing industry. Le says that sort of espionage certainly helps, but it’s not the main reason for Beijing’s exploding growth in the automotive sector.

China’s capability in handling eye-watering volumes of data, for example, is well-documented. Beijing’s facial recognition programs rely on a ubiquitous network of surveillance cameras, its proprietary GPS system enables real-time tracking of the Muslim minority in Xinjiang, its expansive online surveillance system feeds into its dystopian social credit score. “One country is used to managing terabytes of data on a daily basis,” Le says—and, at least when it comes to the auto industry, it’s not the United States.

And that data isn’t just Chinese. Massive investments from Beijing are bringing its brand of “smart city” to Bishkek, Kyrgyzstan; Venezuela; and countries across Africa. Chinese autonomous vehicle pilot projects like Pony.ai are even on the roads in California.

China has learned that diverse data, taking into account a wide difference in weather, people, and technology, improves algorithms. If China gets better at exploiting that data, it could need less of it. So even anonymized, general data being relayed from a fleet of Chinese-made cars in North America could reveal individual patterns and habits but also paint a complex picture of an entire neighborhood or city—be it the daily routine of an urban military base or the schedule of a powerful cabinet minister. In banning Teslas from certain areas, China is seemingly already controlling for that threat domestically.

Colombo’s white-hat hacking exposes how targeting just one car could lead to a security nightmare. “What if a threat actor such as an international terrorist organization gains the capability to hack the vehicles in a government motorcade?” Colombo wrote on Medium.

It has already happened. The German government believes Russia was behind a 2020 hack of its military transportation authority, which manages logistics for various government officials. The amount of information available from such hacks is only going to grow. “The worst-case scenario?” Le says. “The electric vehicle becomes a missile.”

It’s perhaps China’s clear focus on the automotive industry’s future that has led it to clamp down now.

While banning Tesla from cities near high-level government meetings is likely done on an ad hoc basis, Beijing has adopted stringent requirements for companies looking to operate in China.

Rules published in 2021 essentially prohibit automotive companies from transmitting data from outside China’s borders, particularly video and geolocation data. The regulations require that a company report to the Chinese government what type of data it collects on its drivers.

While keeping that data in China significantly heightens the likelihood that it could be used by state security services, Tesla quickly acquiesced to the new rules last year, opening a dedicated data center on mainland China to satisfy the regulations.

In the past, Beijing’s restrictions in the automotive sector have been more about protectionism than national security. Until 2021, foreign automakers had to find a Chinese partner in order to open shop in the country—axing such a requirement is a sign that Beijing is bullish about the future of its own industry.

The West, meanwhile, has been sluggish in adopting local data and privacy protections.

As it stands, Le says, Chinese electric vehicles are roughly three years away from hitting American streets in a major way. “They’re already in our backyard, and we haven’t done anything yet,” he argues.

It’s not just about regulating Chinese vehicles once they arrive, either. As Colombo’s hack showed, domestic vehicle manufacturers need to step up their security game as well. Many manufacturers push software and firmware updates for various aspects of their vehicles over the air.

“Think about the danger when an update is sent to hundreds of thousands of cars wirelessly,” wrote Alexander Poizner, CEO of UK-based cybersecurity firm Parabellyx, in a 2021 blog post. He posed a hypothetical: “What if China used malware to disrupt traffic in Taiwan as a prelude to a military attack?”

Insufficient regulation has led to a total lack of consistency, as Poizner noted: “There is no single standard around cybersecurity for either autonomous vehicles or the infrastructure to support these across the automotive industry.” But cybersecurity standards aren’t the only area where the US is coming up short.

“Policymakers are struggling at the highest level,” says Marjory Blumenthal, senior fellow and the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace, a global think tank based in Washington, DC.

Nevertheless, Washington’s instincts may be quite similar to Beijing’s. In the past, the United States and its allies have opted to simply ban Chinese products from sensitive areas—from the country’s unsuccessful TikTok ban to its considerably more effective effort to exclude Huawei technology from 5G infrastructure. America’s allies have followed suit in blocking Huawei from the backbone of their next-generation mobile systems, including Australia, Canada, and the United Kingdom.

In 2018, the Trump administration moved to slap tariffs on the Chinese automotive sector, arguing that the foreign competition threatened to undermine America’s domestic industry, thus harming a research-and-development pipeline into the US military. “It is imperative that related R&D remain within the United States, be conducted by American-owned firms, and that the United States Government take measures to secure the long-term viability of domestic R&D in the automotive sector,” reads a 2019 Commerce Department report. (The tariffs were later abandoned.)

Such a protectionist move would likely kneecap major Western automakers, which are currently vying for new market share in China. Beijing has made it clear that any protectionism in the West would be met with retaliatory measures.

There are certainly concerns that curtailing how vehicle data can be collected, analyzed, and transferred could limit research and development of automotive companies looking to keep up with their Chinese competitors, Blumenthal says. Canada and the European Union do have more expansive and consistent privacy laws that offer a clearer road map for companies headquartered there, unlike the United States. “The data questions are less well explored in this country, given that we don’t have a monolithic privacy regime,” Blumenthal adds.

As companies hustle to build out these new systems, Blumenthal says, they will be collecting a huge volume of information. “That then raises the question of how much is stored? Where is it stored? For how long is it stored?” she says. Governments need to regulate these areas, she adds, and worry less about China’s panopticon model.

There may be grand claims about what China hopes to do with its unparalleled heap of data, but Blumenthal says she’s not convinced that China’s system will be better simply because it captures more data. “I’m not ready to buy that.”

As the technology matures, she says, companies may figure out how to reduce the noise in that data, collecting only what is necessary to improve safety, make routes more efficient, and inform innovation.

Creativity in determining how those algorithms work may ultimately mean more than the data feeding into it, she says.

Le says there’s a desperate need for clarity—rules about what data can be freely exploited, what data needs to be anonymized, and what needs to be held within a country’s borders. “We’re over-relying on the tech industry to say, ‘Oh, we’ll keep it safe for you,’” he says.

“We might look back in 10 years and see it’s the frog-boiling scenario,” Blumenthal says of the auto industry’s increasingly sophisticated data collection. Or, she adds, “we’ll have a scenario where people are adapting to all the behavioral monitoring in the world.”

But there’s a note of optimism. While legislative fixes to address vehicle data collection have wallowed in Congress, Blumenthal points to the National Highway Traffic Safety Administration’s efforts to modernize its policies to keep up with the times. “As they do that, it might be reasonable to assume that they could add privacy there,” she says.

China may be a walled garden for this technology, but the West has a history of determining the rules of the road collectively. “There is a framework of international standard-setting—and in the last two to three years you’ve seen an increase in standard-setting,” Blumenthal says.

How the world handles the data at the heart of these smart vehicles will ultimately determine the urgency of security concerns. Clear, consistent rules across the major economies could allay espionage fears and decrease the likelihood that competitors will set out to hack each others’ vehicles. Strong encryption, privacy protections, and other data regulations could help prevent the weaponization of drivers’ personal vehicles.

With the right constraints in place, the data collected by these vehicles could limit espionage and national security threats while significantly reducing crash fatalities and speeding up research and development.

Cooperation with Beijing could accelerate that process. Bitter competition could slow it all down.