Connected Vehicles as Mobile Collection Platforms

10 June 2026

Richard Kraus

The Essentials in 30 Seconds


Connected vehicles are security-relevant data carriers. GPS, microphones, cameras, infotainment systems, smartphone pairing, telematics modules, manufacturer clouds and remote-access functions create a mobile collection surface.

The ASIO warning concerns sensitive and classified conversations. Its addressees were politicians and public servants; the warning was not limited to one manufacturer or one country of origin.

U.S. regulation shows the operational escalation level. The BIS Final Rule prohibits certain Chinese and Russian software and hardware components in Vehicle Connectivity Systems and Automated Driving Systems.

For governments, armed forces, critical infrastructure, defence industry and sensitive research, vehicle telemetry is an operational-security issue. The vehicle interior is not a controlled communications space.

What did ASIO operationally warn — and what did it not claim?


Australia’s domestic security service ASIO warned politicians and public servants not to discuss sensitive or classified information in internet-connected vehicles. The warning became public in the context of parliamentary hearings and did not refer to one specific manufacturer. The relevant category was broader: internet-connected vehicles with external data links.

ASIO Deputy Director-General Lisa Alonso Love pointed to the basic security rule that classified conversations should take place only in locations technically and organisationally designed for that purpose. A connected vehicle may open additional vectors for information collection; users must assume that other actors may obtain information through those systems.

The warning is therefore not a claim of confirmed vehicle bugging. It is an operational-security instruction. ASIO treats the connected car as an unsuitable communications space for sensitive content, not as a proven interception device. The issue is use, exposure and conversation classification — not a blanket allegation of permanent surveillance.


Which platforms and usage patterns create intelligence exposure?


The risk category includes vehicles with internet connectivity, telematics, manufacturer accounts, SIM modules, Bluetooth, Wi-Fi or smartphone interfaces, voice control, app control, remote functions or cloud synchronisation. The warning therefore does not apply only to electric vehicles.

Electric vehicles attract stronger attention because their software depth, app dependency, charging integration and telemetry architecture can be more pronounced. The structural exposure, however, affects all highly connected vehicles.

Security relevance arises primarily from institutional use patterns. This includes official cars, rental vehicles, government fleets, shuttle vehicles, agency vehicles, pool cars, vehicles used by defence contractors, critical-infrastructure operators and research organisations. Three actions are operationally critical: confidential conversations inside the vehicle, pairing official devices with unassessed infotainment systems, and repeated travel to sensitive sites.


What intelligence value does vehicle telemetry provide?


Connected vehicles generate location data, routes, navigation destinations, driving profiles, diagnostics, device identifiers, app data, contacts, calendar entries, call logs, message metadata, voice commands, cabin audio and internal or external camera data.

Australia’s cyber authority describes connected vehicles as systems that may transmit data through built-in SIM cards, Wi-Fi, Bluetooth, satellite connections or paired smartphones.

The intelligence value does not depend primarily on conversation content. Persistent telemetry enables movement analysis, location attribution, contact patterns, routines, deviations, time windows and proximity relationships. These data points support target selection, surveillance, approach assessment and infrastructure mapping.

A vehicle does not need to record classified conversations to become security-relevant. It is sufficient if it generates patterns around people, facilities and movement.


At which system points do access channels for adversarial exploitation emerge?


Access can emerge at several system points. Location persistence is central because vehicles generate recurring movement profiles. Relevance arises when routes lead to ministries, military sites, intelligence facilities, airports, ports, energy infrastructure, defence companies, research facilities and political meeting points.

Smartphone pairing is another access point. Infotainment systems often request access to contacts, calendars, call logs, messages, media, microphones and navigation data. Official devices should therefore not be paired with private, rented or unassessed vehicles.

Cabin audio adds a further attack surface. Hands-free systems, voice assistants, emergency-call systems and comfort functions create microphone access inside the vehicle. The cabin is not a technically clean conversation space.

Cloud transmission shifts the risk outside the vehicle. Vehicle data do not necessarily remain inside the car. They may be transmitted to manufacturers, fleet managers, insurers, app providers, service platforms, dealers, analytics vendors and third-country infrastructure.

Software and supply chains form the fifth vulnerability layer. Telematics modules, connectivity chips, operating systems, over-the-air updates and manufacturer back ends create external access points. The decisive factors are technical access, data retention, jurisdiction and operator control.


What does the BIS Final Rule prohibit — and which supply chains are affected?


The BIS Final Rule is the strongest regulatory indicator that connected vehicles are being treated as a national-security problem. The Bureau of Industry and Security prohibits transactions involving certain VCS hardware and covered software if these are designed, developed, manufactured or supplied by persons or companies owned by, controlled by or subject to the jurisdiction or direction of the People’s Republic of China or Russia. The rule entered into force on 17 March 2025.

The core regulation contains three prohibition axes. VCS hardware imports with relevant China or Russia links may not knowingly be brought into the United States. Manufacturers may not import or sell completed connected vehicles containing covered software from such structures. Manufacturers that are themselves under Chinese or Russian ownership, control or jurisdiction may not sell completed connected vehicles in the United States if they contain VCS hardware or covered software — regardless of whether the specific component originates in China or Russia.

The implementation schedule is staggered. Software-related prohibitions apply from model year 2027; hardware-related VCS prohibitions apply from model year 2030 or, for VCS hardware not tied to a model year, from the import date of 1 January 2029. The rule therefore does not impose symbolic distancing. It forces verifiable supply-chain cleansing.

The rule also requires Declarations of Conformity. Manufacturers and importers must certify to BIS that relevant VCS hardware and covered software do not originate from prohibited China- or Russia-linked supply chains. Vehicle connectivity is thus treated as an auditable supply-chain component, not as a secondary privacy issue.
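
The implementation schedule above, applied as a bill-of-materials screen of the kind a fleet or procurement security team could run before certification; this is an added example, not part of the original article and not BIS tooling. It encodes only the three thresholds stated here. The `Component` record, its field names and the sample parts are assumptions, and the third prohibition axis (manufacturers themselves under Chinese or Russian ownership) is not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds exactly as this article states them for the BIS Final Rule.
SOFTWARE_FROM_MODEL_YEAR = 2027
HARDWARE_FROM_MODEL_YEAR = 2030
HARDWARE_FROM_IMPORT_DATE = date(2029, 1, 1)  # VCS hardware not tied to a model year

@dataclass
class Component:  # hypothetical BOM record, not a BIS-defined format
    name: str
    kind: str  # "vcs_hardware" or "covered_software"
    prc_or_russia_link: Optional[bool]  # None = supplier provenance not established
    model_year: Optional[int] = None
    import_date: Optional[date] = None

def screen(c: Component) -> str:
    """Return 'clear', 'not_yet_in_scope', 'prohibited' or 'needs_review'."""
    if c.kind not in ("vcs_hardware", "covered_software") or c.prc_or_russia_link is None:
        return "needs_review"  # unknown category or provenance never defaults to clear
    if not c.prc_or_russia_link:
        return "clear"
    if c.kind == "covered_software":
        if c.model_year is None:
            return "needs_review"
        in_scope = c.model_year >= SOFTWARE_FROM_MODEL_YEAR
    elif c.model_year is not None:
        in_scope = c.model_year >= HARDWARE_FROM_MODEL_YEAR
    elif c.import_date is not None:
        in_scope = c.import_date >= HARDWARE_FROM_IMPORT_DATE
    else:
        return "needs_review"  # linked hardware with no date to test against
    return "prohibited" if in_scope else "not_yet_in_scope"

def blocking_findings(bom):
    """Names of components that must be resolved before certifying the vehicle."""
    return [c.name for c in bom if screen(c) in ("prohibited", "needs_review")]

# Constructed sample bill of materials; component names are invented.
SAMPLE_BOM = [
    Component("telematics-control-unit", "vcs_hardware", True, model_year=2030),
    Component("cellular-modem-spare", "vcs_hardware", True, import_date=date(2028, 11, 3)),
    Component("ota-update-client", "covered_software", True, model_year=2027),
    Component("bluetooth-stack", "covered_software", False, model_year=2028),
    Component("v2x-antenna", "vcs_hardware", True),  # no model year or import date recorded
]
if __name__ == "__main__":
    print({c.name: screen(c) for c in SAMPLE_BOM}, blocking_findings(SAMPLE_BOM))
```

Components with unknown provenance or missing dates are returned as `needs_review` rather than `clear`, so gaps in supplier records surface as open findings instead of passing silently.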


Why does system architecture determine exploitability, not country of origin alone?


China and Russia are the adversarial risk spaces named in the U.S. regulatory approach. The focus is justified because manufacturers, software providers, telematics suppliers and platform operators can be tied into security-relevant data flows through national legal regimes, political direction or indirect access obligations.

Reducing the issue to “Chinese cars” would still be analytically wrong. The baseline risk arises from connectivity, sensors, cloud dependency, app integration, remote functions and update infrastructure. China and Russia increase the threat dimension; the technical vulnerability lies in the connected-vehicle model itself.

The precise assessment is this: geopolitical origin determines threat level and access probability. System architecture determines technical exploitability.


Which target categories are exposed to intelligence collection?


The issue concerns government fleets, armed forces, police, intelligence services, justice-sector institutions, critical infrastructure, defence industry, dual-use research, semiconductor sites, space-sector facilities, telecommunications, ports, airports and energy infrastructure.

The main risk is not spectacular remote control of vehicle steering. The more probable and operationally relevant risk is quiet data extraction: who travels where, when, how often, with which paired device, and near which sensitive site.

These data support target selection, surveillance, approach attempts, movement analysis, infrastructure mapping and situational-awareness production. Vehicle telemetry is therefore part of the digital attack surface surrounding Western institutions.


Which institutional usage scenarios create operational attack surfaces?


Vehicle use becomes security-critical when connected systems are linked to exposed persons, sensitive sites or official devices.

This includes confidential calls by government officials in connected official cars, pairing an official phone with a rental vehicle, repeated travel by military personnel to military sites in highly connected vehicles, fleets with unassessed telematics operated by critical-infrastructure providers, defence-industry vehicles using manufacturer clouds and external fleet management, source meetings by journalists in vehicles with active smartphone pairing and voice control, and dual-use research teams using vehicles, apps and private cloud accounts without separation.

These scenarios do not require speculative espionage technology. Normal connected-car functions are sufficient to generate operationally relevant metadata.


Which OPSEC line is mandatory for security-relevant institutions?


The security line must be exposure-based. For private users, connected vehicles are primarily a data-protection and cybersecurity issue. For government, armed forces, critical infrastructure, defence industry and sensitive research, they are an operational-security problem.

Sensitive conversations must not take place in connected vehicles. Official phones must not be paired with unassessed vehicles. Government and corporate fleets must be evaluated by manufacturer, software stack, cloud location, data flows, update architecture, remote access, app ecosystem, telemetry model and jurisdiction.

Vehicles in security zones, military sites, government districts, research campuses, energy facilities, ports and defence-industrial locations must be treated as data-bearing systems. Access control, parking policy, fleet operation and device pairing belong inside supply-chain and operational-security management.


What is the strategic finding — and which regulatory level has it reached?


Connected vehicles alter the security geometry of civilian infrastructure. The vehicle becomes a mobile sensor node moving between private spaces, public authorities, industrial facilities, military sites, transport nodes and political decision environments.

The ASIO warning is an early indicator. It moves the issue from consumer privacy into state security discipline. The BIS Final Rule marks the regulatory follow-on stage: vehicle connectivity is being treated as auditable supply-chain and access infrastructure.

The decisive finding is this: states and security-relevant institutions are not losing control over every individual vehicle. They are losing visibility over a growing passive collection surface around personnel, facilities, routines and decision spaces.


Glossary


Vehicle Telemetry
Data on location, route, speed, driving behaviour, diagnostics, system status and use of connected services.


Software-Defined Vehicle
A vehicle whose functions are substantially shaped by software, updates, sensors and digital control.


Vehicle Connectivity System
Hardware and software enabling external vehicle communication through cellular networks, Wi-Fi, Bluetooth, satellite links or comparable interfaces.


Automated Driving System
A software and hardware system supporting automated or partially automated driving functions.


Infotainment System
The vehicle’s digital interface for navigation, media, smartphone pairing, telephony, messaging, voice control and online services.


Pattern-of-Life Analysis
Assessment of recurring movements, contacts, locations and routines for operational evaluation of a person or facility.


Supply-Chain Risk
Security exposure created by dependence on foreign hardware, software, cloud infrastructure, manufacturers, service providers or jurisdictions.


References


News.com.au
Report on ASIO warnings to politicians and public servants regarding sensitive and classified conversations in internet-connected vehicles, published in late May 2026.
news.com.au/technology/innovation/asio-warns-politicians-public-servants-of-sensitive-talks-in-internetconnected-cars/news-story/1a2a5ebdadb0e4d1e19e6725f547c0bc


The Guardian Australia
Live report from Australian Senate Estimates with statements by ASIO Deputy Director-General Lisa Alonso Love on sensitive government conversations in internet-connected vehicles.
theguardian.com/australia-news/live/2026/may/29/australia-news-live


Australian Cyber Security Centre / Cyber.gov.au
Official guidance on connected vehicles, data categories, connectivity, privacy risks and cybersecurity exposure.
cyber.gov.au/protect-yourself/securing-your-devices/how-secure-your-devices/introduction-to-connected-vehicles


U.S. Department of Commerce / Bureau of Industry and Security
Overview of the Connected Vehicles Rule and restrictions on imports and sales of certain connected vehicles as well as related software and hardware components with China or Russia links.
bis.gov/connected-vehicles


Federal Register
Final Rule “Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles”, published on 16 January 2025, effective 17 March 2025.
federalregister.gov/documents/2025/01/16/2025-00592/securing-the-information-and-communications-technology-and-services-supply-chain-connected-vehicles


ENISA
European publication on smart cars and cybersecurity risks in connected vehicles.
enisa.europa.eu/publications/smart-cars
