► New cars will have to guard against cyber threats
► Big implications for car owners possible
► Manufacturers face fines for non-compliance
New European Union rules regarding the cyber security of cars come into effect in July 2024 and are causing a number of manufacturers to discontinue popular models.
Porsche announced that sales of combustion-engined Porsche Macan models will end in EU countries early in 2024, despite remaining on sale elsewhere in the world until the end of 2025. The Volkswagen e-Up and Renault Zoe are also being discontinued. All three cars are over ten years old and, though they’ve been updated many times, meeting the new cyber security regulations would require an entirely new electronic architecture that can’t be shoehorned in.
Known as UNECE WP.29, the measures are part of the wider General Safety Regulations 2 (GSR2) package that comes into force on 1 July 2024. GSR2 requires that all new cars sold in the EU – and the UK – be fitted with 20 safety technologies including automatic emergency braking, speed limit recognition and an emergency lane keeping system.
WP.29 is an opt-in within GSR2 that the UK hasn’t yet signed up to, thus petrol Macan models will remain on sale here throughout 2024. But the vast majority of cars sold in the UK meet EU standards by default and it’s likely only a matter of time before WP.29 is adopted in UK law.
The cyber threats facing cars
The regulations stipulate that all cars sold in the EU must be hardened against 70 potential cyber security risks – a number likely to increase over time. Those threats can be roughly grouped into hacking and physical system breaches, both intentional and accidental. They cover the entire life of a car as well, from the design office to the scrap yard.
Cars face many security risks. WP.29 is particularly concerned with hacking of car manufacturers’ ‘back-end’ computer systems and servers, corrupted over-the-air updates being sent to cars, and theft of vehicle users’ personal data. Hacks and breaches could also result in withdrawal of service for a particular system and intellectual property theft.
WP.29 may also finally address keyless car thefts, in which a car’s key fob is remotely cloned. Range Rovers have proven particularly vulnerable, to the extent that many insurers now refuse to cover the cars in London, where the problem is most prevalent. As car insurance is a legal requirement in the UK, Jaguar Land Rover has had to resort to offering its own insurance product to affected owners.
Manufacturers have to submit an exhaustive cyber security risk assessment and risk management plan as part of the type approval process. Certification of the so-called cyber security management system lasts three years, at which point manufacturers will have to go through the whole process again. Any changes to the car’s hardware or software have to be certified, as well.
Failure to comply with the regulations can result in a fine of €30,000 for every non-compliant vehicle sold.
How the regulations could affect car owners
Aside from a few rather ancient models being withdrawn from sale, it’s not yet clear how car manufacturers will meet their obligations under WP.29 and how that will affect car owners. But we can extrapolate some possibilities from the wording of the regulations.
Among the concerns expressed is the possibility of USB and remote devices being used to corrupt a car’s systems or steal user data. That could cause issues for connecting phones and other devices. It’s possible that an approvals process will be built into a car’s infotainment system that assesses the security of each device before allowing it to connect. In addition, each user may be required to set up a personal profile that includes their devices.
Of course, most cars have multiple users over the course of their life and WP.29 seeks to ensure that there is no possibility of those users accessing each other’s data. It’s possible that each user will have to log into the car with a PIN, or some other form of ID. It could also complicate the process of selling or hiring a car because there could be an onus on someone to delete previous users’ information.
The concerns around third-party devices accessing a car’s systems could have a knock-on effect in car maintenance. Garages may have to show that they have their own cyber security measures in place to be allowed to work on hardened cars, and there could be issues around having the right diagnostic equipment.
The regulations don’t exclude the possibility of carrying out aftermarket modifications but do state that any mods must be restricted to a designated area within the car’s computer systems. That could restrict the kind of modifications that can be carried out. For instance, ECUs may be locked out to prevent IP theft and monkeying around with things like a car’s emission control systems.
Potential implications for older cars
Manufacturers remain responsible for their cars’ protection from cyber security threats in what’s called the post-production phase. That’s from the day production of a model ends until the day the very last example is scrapped.
While most cars become very rare in the decades after they’re discontinued, there are very few that become completely extinct throughout the world. It’s entirely possible that manufacturers won’t be keen on supporting their cars effectively in perpetuity.
We could, therefore, see manufacturers buying back and scrapping old cars so they don’t have to keep supporting them, once the paperwork submitted for WP.29 certification expires 10 years after the end of production. Over-the-air updates might make the process easier, as the manufacturers could be able to see how many examples of a particular model are left and where they are.
Having said all that, we won’t know for sure how meeting the WP.29 regulations will work in practice until they come into force on 1 July 2024. And even then, the long-term implications won’t become clear for some years yet. We’ll keep tabs on the situation, though.