Daybreak - The switch to EVs is great for the environment. And hackers too.
Episode Date: April 29, 2024More people switching to Electric Vehicles (EVs) is not just great for our environment, it's great for hackers too. As EVs become more popular, hackers are constantly looking for opportunitie...s to exploit the widening network of digitally connected vehicles. Between 2018 to 2021, incidents related to breach of cybersecurity in the auto industry rose by more than 200%. And it is only going to get worse in the coming years.In India though, it is not much of a concern yet due to the low penetration of EVs so far. But it won’t remain that way for long without proper safeguards in place.The Digital Personal Data Protection (DPDP) Act 2023 is a step in the right direction, but it is not enough.Tune in.Daybreak is produced from the newsroom of The Ken, India’s first subscriber-only business news platform. Subscribe for more exclusive, deeply-reported, and analytical business stories.
Transcript
Discussion (0)
Hi, this is Rohan Dharma Kumar.
If you've heard any of the Ken's podcast, you've probably heard me.
My interruptions, my analogies and my contrarian takes on most topics.
And you might rightly be wondering why am I interrupting this episode too.
It's for a special announcement.
For the last few months, I and Sita Raman Ganeshan, my colleague and the Ken's deputy editor,
have been working on an ambitious new podcast.
It's called Intermission.
We want to tell the secret source stories of India's greatest companies.
Stories of how they were born, how they fought to survive, how they build their organizations and culture,
how they manage to innovate and thrive over decades, and most importantly, how they're poised today.
To do that, Sita and I have been reading books, poring over reports, going through financial statements,
digging up archives, and talking to dozens of people.
And if that wasn't enough, we also decided to throw in video into the mix.
Yes, you heard that right.
Intermission has also had to find its footing in the world of multi-camera shoots in professional studios, laborious editing, and extensive post-production.
Sita and I are still reeling from the intensity of our first studio recording.
Intermission launches on March 23rd.
To get alert, as soon as we release our first studio recording, we'll release our first video.
episode, please follow intermission on Spotify and Apple Podcast or subscribe to the Ken's
YouTube channel. You can find all of the links at the ken.com slash I am. With that, back to your
episode. Remember this incident from a few years ago? It was 2019, I think. A 19 year old security
research student managed to access the digital car keys of more than 25 Teslas around the world.
He opened the car's windows, unlocked the doors, and even disabled the car's security mode.
Scary stuff, right?
The idea behind the attack was to highlight the growing concerns about safety and security as the world moves towards electric vehicles.
Modern EVs function through technologies that create massive amounts of data.
A simple example of this is the software that helps these EVs regulate their batteries.
It helps the driver to look for charging stations and control the power flow.
EVs also receive updates through the cloud to automatically improve the operation and performance of the vehicle.
Now, this is of course a global concern.
Cybersecurity related incidents in the automotive industry rose by 225% between 2018 and 2021.
And it is only expected to get worse as more and more people can.
neck to the EV grid.
So what is the situation like in India?
EV penetration in India is as low as 1% across all kinds of EVs right now.
Naturally, the number of EV-related cyber attacks are not high enough to ring any alarm
bells yet, because it can get out of control.
Even Union Transport Minister Netany Gadgari acknowledged this fact in the parliament.
So is there any kind of a safeguard EV user?
have in India?
Welcome to Daybreak, a business podcast from the Ken.
I'm your host, Nickda Sharma, and I don't chase the news cycle.
Instead, thrice a week on Mondays, Wednesdays and Fridays,
I will come to you with one business story that is worth understanding and worth your time.
I want to begin with an incident that occurred in April last year.
In a series of posts on Twitter, Balwan Singh, a man from Gohati,
said that his son had met with an accident a few weeks earlier.
The son had recently bought an Ola electric scooter, and Singh blamed the scooter for the accident.
He wrote about it in detail.
He said that his son was driving the scooter and when a speedbreaker came on the way, he tried to slow down.
But instead, the scooter accelerated and that is how he crashed.
The tweet also had a bunch of photos that showed how bad the injuries were.
He had to go through multiple surgeries.
So how did Ola Electric respond to this whole thing?
He said that they took the scooter away, but they did not tell him much else.
A few days later, Singh went on to Twitter again, and he demanded Ola Electric to share what they had found in their internal investigation.
He even asked for all the data logs which were recorded by all the telemetry in Ola Electric's scooter.
Almost a week later, Ola Electric finally responded, and their response was far from what you'd expect.
Let me read out a small portion of it for you.
We did a thorough investigation of the accident and the data clearly shows that the rider was
over-speeding throughout the night and that he braked in panic thereby losing control of
the vehicle.
There is nothing wrong with the vehicle.
Our operating system tracks various vehicle sensor data which we receive real-time in our cloud.
The below graph shows speed data for this incident for a 30-minute duration till the accident
time.
I'm sorry, I cannot show you the graph, but you get the point.
Okay.
Now, if Ola had real proof of this, fair enough, they shared the report with Singh, just
like he'd asked for, right?
Except they shared it with the whole wide world, not just Singh.
It was released in public.
And the problem with this move, like my colleague Praveen, noted in his newsletter the NutGraph,
was this.
Ola could have been like, hey, we looked at the data and we did not find a problem.
It could have ended there.
Instead, they got into a room with a bunch of content writers, lawyers, and a visual.
designer to publicly make the case in RGB color that their customer was an irresponsible maniac.
The statement obviously raised questions about data collection, privacy, hypermode and even
OLA Electric's data visualization decisions.
Coming up next, let us try and get a better sense of how EVs are susceptible to cyber attacks.
My colleague Nathan Nadeh spoke to Ashish Olaz, a cybersecurity research fellow at Cloud Security
And he told him that it is only natural.
Because in his own words, EVs are bound to be more data driven than today's transport
because they have a more complex system, the battery monitoring system or BMS operating it.
What Ulaas was basically saying was that your EV is not just a vehicle.
It is a computer on wheels and like all computers, its life force is data.
Data that can be collected sometimes without your awareness and
it can be exploited. He explained it to us with a great example. Imagine a dot board. The dots
are cyber attacks. The size of an attack surface is directly dependent on two factors, connectivity
and data linkages. So the more connectivity and linkages your EVE has, the bigger the size
of the dot board, which means the greater the chance of a hit or a cyber attack. So now comes
the big question. What are the systems in place to protect us against this?
Stay tuned to find out.
The answer, at least partially for now,
lies in the Digital Personal Data Protection Act of 2023 or the DPDP Act.
It may not be perfect right now,
but at least it has some features in place that offer us protection.
The Act changes important things in the dynamic between the EV and its users.
Under Section 13, the data principle, which is the EVI user,
has the right to approach the Data Protection Board.
If they're not satisfied, then they can approach the telecom dispute settlement and appellate
tribunal.
And depending on the nature, type and extent of the data breach, companies or data fiduciaries
can be fined as much as 250 crore rupees.
But if the complaint is found to be false or frivolous, the data principle or the individual
user can also be fined as much as 10,000 rupees.
Nathan spoke to Prateek Wagerie, the policy director at Internet Freedom Foundation,
who told us how before the DPP Act,
there was no clear framework for resolving such grievances.
But Amin Johor, who works with Widhi's Centre for Legal Policy,
pointed us to something that we should remember about this act.
He said that even though the Act is in effect right now,
institutions like the Data Protection Board are yet to be created.
Plus, rules under the law, which will actually make it effective, need to be framed.
The whole process is expected to be.
complete in the next year or year and a half.
Meanwhile, companies like Ola Electric can appoint data protection officers and get in line with
this act.
Daybreak is produced from the newsroom of the Ken, India's first subscriber-focused business
news platform.
What you're listening to is just a small sample of our subscriber-only offerings.
A full subscription unlocks daily long-form feature stories, newsletters, subscriber-only apps,
and podcast extras.
Head to the ken.com and click on the red subscribe button on the top of the website.
I am Snitha Sharma, your host and today's episode was edited by my colleague Rajiv Sien.