Wednesday, July 08, 2026 | 10:20 PM ISTहिंदी में पढें
Business Standard
Notification Icon
userprofile IconSearch

Connected vehicles demand stronger cybersecurity and common standards

The ban on three Chinese-origin EV apps has exposed cybersecurity risks in connected vehicles, underscoring the need for robust standards like AIS189 and stronger digital safeguards

e-rickshaw,e rickshaw, electric rickshaw
premium

Obtaining cybersecurity approval will be a prerequisite for putting new vehicles on the road. | Source: Vahan

Business Standard Editorial Comment

Listen to This Article

A recent hacking incident, which resulted in the ban of three Chinese-origin smartphone apps, has highlighted cybersecurity concerns centred on the automobile industry. The apps — BAT-BMS, Lossigy, and Epoch-i-ion — were designed for electric-vehicle (EV) battery management, but they can be misused to remotely disable the vehicles. Following the incident, the Union government, as reported by this newspaper, has asked automobile and parts makers to audit the software and devices in connected cars and EVs. Connected vehicles are those connected to the internet directly or via Bluetooth to smartphones. Automobiles without cyber firewalls present critical security vulnerabilities, and hackers have demonstrated such bugs for at least a decade. There is a global annual cybersecurity event, Pwn2Own Automotive, which focuses on demonstrating vulnerabilities in vehicles. In January, security researchers earned $516,500 after demonstrating 37 “zero-day” vulnerabilities in different vehicles on the first day of Pwn2Own Automotive 2026. (A zero-day is a previously undiscovered bug.)
 
Connected cars can be tracked and hijacked by hacking infotainment systems, wireless keys, or Cloud servers of manufacturers. Even sensors that track things like tyre pressure can be exploited. A recent draft notification by the Ministry of Road Transport and Highways proposed a phased rollout of cybersecurity standards for connected vehicles starting October 1, this year. The cybersecurity framework of AIS189 (Automotive Industry Standard 189) is modelled on the UN R155 regulation, which the European Union introduced in 2022. China and South Korea have introduced similar frameworks recently. Under AIS189, any new vehicle must meet specified cybersecurity standards.
 
Obtaining cybersecurity approval will be a prerequisite for putting new vehicles on the road. By October next year, AIS189 compliance will be mandatory for new models. By October 2028, it will apply to all passenger vehicles. This may require over-the-air updates and comprehensive overhauls of the electronic architecture of older models. Remote auto services are quite common. Many vehicles offer remote app functions to control heating, ventilation, and air conditioning, and EVs have remote battery-management functionality. Bluetooth vulnerability may allow anyone within range (10-15 metres) to take control of the vehicle. While the government advisory focuses on connected vehicles, every modern vehicle presents cybersecurity concerns. All use a multitude of sensors to collect diagnostic data, and they have hands-free mics and external cameras.
 
It is pragmatic to think of a modern vehicle as a mobile computer. Apart from enabling manufacturers to monitor diagnostic data and improve service and overhaul standards, the data stored in memory reveals a lot about the driver’s travel habits and presents significant privacy concerns. One complication in setting up digital firewalls is the lack of standardisation for connected vehicles. Many manufacturers create proprietary connected vehicle ecosystems, developed in-house or with technology partners. Auditing these systems is difficult compared to common smartphones or personal computers because they may have widely different software. Consumer-facing digital auto services in India have developed technology with various service providers. Each of these systems may present vulnerabilities, and plugging gaps could be difficult. Vehicular cybersecurity could likely become a race among regulators, security experts, and bad actors. Thus, implementing AIS189 would be a beginning.