Chinese Connected Car Tech Banned by Biden Administration
National Security and Hacking Worries Underpin Concerns Over Supply Chain Risk
The U.S. federal government is telling the automotive industry to stop buying Chinese-manufactured hardware and software powering onboard telematics and automated driving systems, warning that the potential for nation-state hacking and espionage poses a national security risk.
In an export control rule set for publication Thursday in the Federal Register, the Department of Commerce said prohibitions on imports of software powering automated driving systems will take effect in 2027, while a prohibition against Chinese-made hardware for vehicle connectivity systems will take effect in 2030. The rule also prohibits the sale of Chinese-made cars that incorporate those technologies, starting in 2027.
China is the world's largest auto exporter, but the U.S. market for Chinese-brand cars is negligible, particularly after the first Trump administration imposed import duties of 27.5%, a percentage the Biden administration increased in September to 100% when it comes to Chinese electric vehicles.
Automotive parts are a different matter - China ranks in the top three of U.S. automotive part suppliers, at one point surpassing Canada in volume. The Alliance for Automotive Innovation, a lobbying group for major manufacturers including GM, Toyota and Volkswagen, unsuccessfully pressed regulators for at least an additional year before the restrictions fall into place.
The rule excludes vehicles that weigh more than 10,000 pounds - a threshold that exempts commercial vehicles such as buses, which the Bureau of Industry and Security said will be the subject of future regulation. The rule also pertains to Russian-manufactured autos and parts.
"Cars today aren't just steel on wheels - they're computers. They have cameras, microphones, GPS tracking and other technologies that are connected to the internet," said Commerce Secretary Gina Raimondo. "This is a targeted approach to ensure we keep PRC and Russian-manufactured technologies off American roads and protect our nation's connected vehicle supply chains."
Security researchers have highlighted modern autos' susceptibility to hacking, including in a 2024 report finding that hackers could use fault injection on a vehicle connectivity system processor to simulate a jailbreak and install malware. Vehicle connectivity systems encompass components that integrate radio frequency communication into a car's operation. A primary element is the telematics control unit, which gathers data from onboard sensors including location, speed and battery charge and packages them for delivery to the manufacturer.
Researchers were also able to obtain access to user data and manipulate the telematics.
Regulators said they are also concerned over malicious manipulation of automated driving systems, the artificial intelligence systems that let cars drive themselves. Even car manufacturers likely don't know how the system was trained or how it makes its decisions, a fact clearing the way for poisoned data injection or preprogrammed failures. Attackers could create phantom objects or manipulate the software to capture data in sensitive areas, regulators said.
Through access to automotive hardware and software alike, adversaries could obtain a clear picture of military or first responder fleet size and capabilities, as well as organization response times and procedures.
Although whether to proceed will be up to a different set of officials come the Jan. 20 inauguration of the second Trump administration, BIS earlier this month said it also intends to restrict Chinese imports of unmanned aerial vehicles.