Your car is a computer on wheels — and its code can be hacked

We aren’t joking when we talk about cars as big fat data generating computer centers on wheels. If you go on Glassdoor, there’s even an interview question, “How many lines of code does a Tesla have?”

I’m not entirely sure, but even a decade ago, premium cars contained 100 microprocessor-based electronic control units (ECUs), which collectively executed over 100 million lines of code. Then there are telematics, driver-assist software, and infotainment systems, to name but a few other components that require code.

What I do know is that as cars’ digital and autonomous capabilities increase, the integrity of that code will matter even more — especially its security.

Every car comes with many components, and each of these might have a different codebase, which, if poorly tested or secured, is vulnerable to bugs, errors, or malicious code. But what if we could secure cars before they leave the factory floor?

I recently spoke to Matt Wyckhouse, founder and CEO of Finite State, to find out how the heck automakers secure all that code. He also owns a Tesla, so he’s personally invested in car security.

It’s common to build security into the entire development lifecycle. However, Finite State pushes security “as far to the right as possible.” The aim is to check that the code of the final build is secure, so that nothing changes between testing and the car going to its customers.

What are some of the most common security flaws?

Poorly written code is vulnerable to security risks or malicious activity. Those millions of lines of code within a car’s microprocessors all have their own origin. For example, embedded system firmware, including the firmware used in connected vehicles, is composed of 80-95% third-party and open-source components.

And, once you start using software from other parties who may not share your security vigilance, the risk increases. Some common examples:

Log4J vulnerability

One example is the recent Log4j vulnerability, a zero-day vulnerability in the Apache Log4j Java-based logging library.

The main developer might have pulled in the Log4j software as part of their development practice. Or it might be wrapped in a third, fourth, or fifth party component built in Java that lands in the final software.

This jeopardizes the security of any auto server using the library. The data is collected and stored in different places over time. This increases the risk of impact on the vehicle software.

In January, cybersecurity researcher David Colombo gained remote entry to over 25 Teslas due to a security flaw discovered in third-party software used by Tesla drivers.

It didn’t enable him to ‘drive’ the cars. But he could lock and unlock windows and doors, disable the cars’ security systems, honk the horns, and turn the cars’ radios on and off.

The security problem of hardcoded credentials

Another example is hardcoded credentials. This is where plain text passwords and secret data are placed in source code. It provides a backdoor for product testing and debugging.

If these credentials are left in the final code, an attacker can read and modify configuration files and change user access. If the same password is in use as a default across multiple devices, then you have an even bigger problem.

In 2019, hardcoded credentials left in the MyCar mobile app made it possible for attackers to access consumer data and gain unauthorized physical access to a target’s vehicle.

So, how do you secure software against vulnerabilities and attacks?

Finite State’s work starts at the testing phase, focusing on the final binary copy and builds. They work backwards, automating the reverse engineering of code, disassembling, decompiling, and testing for weaknesses and vulnerabilities. They then share these with the client’s security team.
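To make the idea of checking the final binary for leftover hardcoded credentials concrete, here is an added example (not Finite State's tooling and not code from the original article) that pulls printable strings out of a firmware image and flags credential-like ones. The rule set, function names and the sample image are constructed assumptions for illustration.

```python
import re

# Printable ASCII runs of 6+ bytes, similar to what `strings` extracts.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Heuristic rules (assumed for this example, not exhaustive).
RULES = {
    "assigned-secret": re.compile(
        r"(?i)(pass(?:word|wd)?|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"&;]{4,})"),
    "url-credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def extract_strings(image: bytes):
    """Yield (offset, text) for each printable run in a binary image."""
    for m in PRINTABLE_RUN.finditer(image):
        yield m.start(), m.group().decode("ascii")

def redact(value: str) -> str:
    """Keep two characters so a finding can be triaged without leaking it."""
    return value[:2] + "*" * (len(value) - 2)

def scan_image(image: bytes):
    """Return (offset, rule, redacted_text) for each credential-like string."""
    findings = []
    for offset, text in extract_strings(image):
        for rule, pattern in RULES.items():
            m = pattern.search(text)
            if not m:
                continue
            # The last capture group, when present, is the secret value.
            secret = m.group(m.lastindex) if m.lastindex else None
            shown = text.replace(secret, redact(secret)) if secret else text
            findings.append((offset, rule, shown))
    return findings

# Constructed sample image: binary padding around three embedded strings.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"debug_password=Spr1ng2019!\x00"
    + b"\x13\x37\x00\x01"
    + b"mqtt://svc:hunter2@broker.example.invalid:1883\x00"
    + b"\xff\xfe"
    + b"firmware build 4.2.1 release\x00"
)

if __name__ == "__main__":
    for offset, rule, shown in scan_image(SAMPLE_IMAGE):
        print(f"0x{offset:04x}  {rule:16s} {shown}")
```

Run against each release artifact, a check like this reports the byte offset of every hit so the security team can trace it back to the component that shipped it.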

Wyckhouse explained that end testing enables them to see how a software artifact has changed over time:

When we think of cybersecurity and mobility really, we’re only just beginning. But according to Wyckhouse, automakers are continually investing in security, not only to comply with industry standards but also to gain reputational and competitive advantages over rivals who repeatedly suffer from security breaches.

Still, not a week goes by without yet another report of an attack or a vulnerability found by white-hat researchers. And as car automation increases, the risks only get greater.

70% of EU’s charging stations are found in just 3 countries

A new data analysis by the European Automobile Manufacturers’ Association (ACEA) found that there’s a risk of a “two-track Europe” developing during the switch to electric vehicles.

According to the research, the unbalanced distribution of charging points across the EU is too clear to go unnoticed.

Specifically, 70% of all charging stations in the bloc are concentrated in just three countries: the Netherlands (66,665), France (45,751), and Germany (44,538).

Interestingly, together these countries make up only 23% of the EU’s total surface area. This means that the remaining 77% is left with a mere 30% of charging infrastructure, scattered around.

Let’s take a look at the following map, which presents the distribution of charging points across the Union:

It becomes instantly clear that the majority of charging stations are located in Western Europe, as shown by the light blue and green colors.

And, here’s a list by the ACEA that reveals in numbers just how big the imbalance is:

We can notice that the sharp division in charging infrastructure is mainly observed between the richer Western European countries and the lower-income member states in Central, and mainly Eastern and Southern Europe.

Sadly, that’s not really shocking… but rather an expected outcome of the wider economic divide within the EU.

It seems that countries with a lower GDP simply don’t have the means to secure the charging infrastructure required for the switch to electrification.

Given that the transition to electric vehicles can be fully realized only when there is adequate charging accessibility, this uneven comparison between the “big” and the “small” member states shows an unsettling trend: going green isn’t an option for everyone…

The adoption, however, of a sustainable transportation model shouldn’t be a privilege, but a right. If not, then we can expect e-mobility to further enhance the socio-economic divide within the Union and to reinforce a “first” and “second-class” Europe.

Therefore, if the European Commission is serious about its proposal to ban the sale of new “traditional vehicles” by 2035, it also needs to consider providing the necessary funds that would allow all of its member states to support the charging infrastructure needed for the shift to electrification.

Triumph unveils its SLEEK electric motorcycle — but curb your enthusiasm

Unlike the cloak of mystery that usually accompanies bike development, Triumph has been very transparent with its electric vehicle: the TE-1 prototype demonstrator.

Having successfully completed the first two phases of the project (partner collaboration and powertrain prototype), the British motorcycle maker has now finalized phase three — the prototype REVEAL.

Feast your eyes on this sleek machine:

While the TE-1 prototype carries the Triumph name, it’s not all Triumph’s own work.

Sure, the company took care of the bodywork, the cockpit, and the transmission and braking systems, but it relied on its partners for the essentials.

Williams Advanced Engineering took on the development of the battery pack, and Integral Powertrain developed the electric motor. Notably, the motor weighs only 10kg and is capable of putting out a peak of about 130kW (174.3hp) for brief periods and a continuous maximum of around 90kW (120.7hp) — that’s pretty impressive.

And it gets even better: the powertrain has an integrated inverter, which can support more than 500kW of power (equivalent to 670hp!) — indicating the project’s aim to further increase performance output in the future.

The fourth partner, WMG, University of Warwick, has run the final pre-live trial simulation, ensuring the bike can deliver the intended performance and durability outcomes.

According to Triumph, during phase three, the bike has exceeded “current benchmarks and targets set by the UK Automotive Council for 2025.”

And even though it looks like an ultra-sleek and powerful machine, don’t expect to ride it anytime soon.

The TE-1 isn’t intended to be a direct prototype for a production model. Instead, it’s supposed to give Triumph and its partners a strong footing in electric motorcycle technology, including intellectual property and hands-on experience in developing such bikes, to carry forward into future projects.

The TE-1 is ready to enter phase four: real-life testing.

Over the next six months, the bike will undertake an extensive testing program, which will include road rolling testing and track testing.

Once phase four is complete, we’ll get to see TE-1’s final body panels and paint scheme, before it moves on to active track demonstration.

Triumph will also publish the project’s full results and the bike’s final specs, such as battery capacity and range performance.

All in all, the TE-1 looks so good, I’m kinda disappointed that we won’t get a production version. But maybe if it achieves its expected trial figures, it’ll tempt Triumph to rethink its original plan and bring this to the streets one day.

In the meantime, we can console ourselves with the reveal video:
