Private Testing of NIO Electric Car Security Finds 90% of Data Sent Back to China

In 2022, Norwegian engineer Tor Indstøy purchased a $69,000 Chinese electric SUV, the NIO ES8, for testing purposes. He discovered that ninety percent of the communication data was sent back to China.

According to Bloomberg, Indstøy is the Vice President of Risk Management and Threat Intelligence at Telenor ASA, a major telecommunications service provider in Norway. He bought the Chinese electric vehicle not simply to drive it, but for his hobbyist research.

Together with some friends, he founded Project Lion Cage to analyze the operation of this SUV and publish the results.

The project was launched in July 2023. Since then, his team has released updates on various related developments.

In April 2024, Indstøy opened this project to the security community.

Experts say that there is limited public data so far about the specific privacy and security risks posed by Chinese-made electric vehicles. Electric vehicles use a large number of chips to control everything from tire pressure to navigation and battery management, with each chip capable of collecting data. An electric vehicle can contain 2,000 to 3,000 chips, roughly twice as many as a gasoline-powered vehicle.

Research on electric vehicles is also more challenging than on gasoline-powered vehicles. Renaud Feil, founder and CEO of the Paris-based cybersecurity consultancy Synacktiv, stated that the common tools used by cybersecurity researchers, which extract data from computers and servers, do not apply to electric vehicles. Synacktiv gained industry acclaim for hacking into Tesla during an annual competition sponsored by Tesla.

Feil mentioned that researchers often have to start from scratch, using specialized procedures to extract data from the various systems of electric vehicles, and need to remain vigilant about unusual protocols while trying to understand how all parts work together.

Indstøy stated that his team has not yet discovered any groundbreaking information about the NIO ES8 vehicle, but they have identified some areas worth attention. One such area is the way data flows in and out of the vehicle. Researchers found that about 90% of communication, covering a range of data from simple car voice commands to the physical location of the vehicle, is being sent to China, with data also going to other destinations such as Germany, the United States, the Netherlands, Switzerland, and elsewhere.

Another potential concern is that the purpose of some communication is unclear. For instance, researchers found that the vehicle continuously downloads unencrypted files from NIO’s official address, but so far, they have not determined the purpose of these downloads.

Lastly, there is concern about the camera embedded in the rearview mirror. The user manual suggests it is part of a “driver drowsiness detection” system, but Indstøy noted that this indicates the car owner may not be fully aware of the data being collected by the vehicle.

“We want to showcase the practical implications of buying Chinese cars from a security and risk perspective,” Indstøy said.

China is the world’s largest electric vehicle market. A study by the International Energy Agency found that nearly 60% of the 14 million new electric vehicles registered globally last year came from China, with Europe and the United States accounting for 25% and 10%, respectively.

Chinese-manufactured electric vehicles have limited presence in the United States, partly due to the tariffs imposed by the Trump administration on Chinese cars, which have been retained by his successor, Biden.

On Tuesday, the Biden administration announced a 100% increase in tariffs on Chinese electric vehicles. In February this year, Biden stated that there would be an investigation into the potential data and security risks of Chinese electric vehicles.