Technology has entered all areas of life, and our cars are no exception. They have become computers on wheels, equipped with sensors, software, and connectivity that provide safety and comfort. However, like all technological innovations, this one also brings risks, making cars vulnerable to cyberattacks.
The very fact that someone can hack a vehicle and take control of it is terrifying, turning scenarios from movies into reality. Add to this the fact that software in cars processes and stores our personal data, and this fear takes on a new dimension.
In the event of a security breach, things like our driving data, contacts, call logs, messages, and even location info could end up in the wrong hands. The responsibility of manufacturers is growing, not only in terms of physical safety but also in cybersecurity, as these two aspects go hand in hand.
So if someone thinks that hacking a car is not plausible, they should think again. In 2024, a group of researchers led by Sam Curry discovered a vulnerability in Kia’s web portal that allowed them to reassign control of the internet-connected features of any Kia vehicle manufactured after 2013. The same researchers also managed to remotely hijack and track certain Subaru models.
According to VicOne’s report, the automotive industry faced $22.5 billion in cyberattack costs. This includes $20 billion from data leakage, $1.9 billion due to system downtime, and $538 million in ransomware damages.
Cybersecurity risks to automotive systems
Automotive systems face various cybersecurity threats, including remote hacks, physical attacks, software vulnerabilities, and malware.
Remote attacks: Vehicles today are equipped with Bluetooth, Wi-Fi, and cellular connections for convenience and functionality, but if these systems are not properly secured, hackers can remotely access the vehicle’s network.
Physical access attacks: Vehicles have diagnostic ports (like OBD-II), which are intended for maintenance and troubleshooting, but these can be exploited by attackers if they can physically access the vehicle. In addition, internal vehicle networks such as the CAN bus (which connects key systems like brakes and engine control) are vulnerable to tampering, potentially allowing hackers to manipulate vehicle functions, such as speed, braking, or even disabling safety features.
Software vulnerabilities: Like any software, vehicle software contains bugs and weaknesses that can be exploited, allowing attackers to gain unauthorized control or steal sensitive data from the vehicle.
Malware and ransomware: Hackers can inject malicious software into vehicle systems, either remotely or through compromised USB drives. Ransomware can lock critical systems, making the vehicle inoperable until a ransom is paid.
In-vehicle networks like CAN and LIN control critical functions, from the engine to seat adjustments, but they weren’t designed with security in mind, leaving them vulnerable to hacking.
To protect these systems, measures like encryption (to secure data), authentication (to verify device identities), and intrusion detection systems (IDS) (to detect suspicious activity) are being implemented to prevent unauthorized access and manipulation.
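One way the authentication measure can look on a classic 8-byte CAN frame, as an added example that is not from the original article: each payload carries a freshness counter and a truncated HMAC, so a receiver can reject forged and replayed frames. The key, CAN ID, field sizes and function names are assumptions chosen for illustration, not a specific standard's wire format.

```python
import hashlib
import hmac
import struct

CTR_LEN = 2   # freshness counter bytes (assumed size)
MAC_LEN = 4   # truncated MAC bytes (assumed size); classic CAN carries 8 data bytes


def _tag(key: bytes, can_id: int, data: bytes, ctr: bytes) -> bytes:
    # Binding the CAN ID into the MAC stops a valid frame being reused under another ID.
    msg = struct.pack(">I", can_id) + data + ctr
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def protect(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side: payload = data || counter || truncated HMAC-SHA256."""
    if len(data) + CTR_LEN + MAC_LEN > 8:
        raise ValueError("payload does not fit a classic CAN frame")
    ctr = struct.pack(">H", counter)
    return data + ctr + _tag(key, can_id, data, ctr)


class Receiver:
    """Receiver side: accept a frame only if its MAC is valid and its counter is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # CAN ID -> highest counter accepted so far

    def accept(self, can_id: int, payload: bytes):
        if not CTR_LEN + MAC_LEN <= len(payload) <= 8:
            return None                      # malformed frame
        data = payload[:-(CTR_LEN + MAC_LEN)]
        ctr, tag = payload[-(CTR_LEN + MAC_LEN):-MAC_LEN], payload[-MAC_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, data, ctr)):
            return None                      # forged or corrupted frame
        counter = struct.unpack(">H", ctr)[0]
        if counter <= self.last_counter.get(can_id, -1):
            return None                      # replayed or stale frame
        self.last_counter[can_id] = counter
        return data


if __name__ == "__main__":
    key = bytes(16)                          # constructed demo key, not for real use
    rx = Receiver(key)
    frame = protect(key, 0x244, b"\x01\x10", counter=1)   # constructed ID and data
    print(rx.accept(0x244, frame))           # accepted: returns the 2 data bytes
    print(rx.accept(0x244, frame))           # same frame again: rejected as replay
```

The 16-bit counter here wraps after 65,535 frames and the 4-byte tag trades forgery resistance for payload space, so a deployed design needs a longer freshness value and a key-management scheme that this sketch leaves out.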
Future security concerns
Self-driving cars are bringing revolutionary changes to the transportation industry, but the very fact that we don't have control over the vehicle, however advanced it sounds, is also concerning.
In the future, we will likely have robo-taxis with Level 5 autonomy, where cars operate entirely without human intervention, and handling all the problems that come with this will be a huge challenge for everyone. Before these cars hit the streets, it's crucial that manufacturers and regulators prioritize cybersecurity measures to ensure the safety of the technology and its passengers.
These measures must address both external threats (such as remote hacks) and internal threats (such as vulnerabilities within the vehicle’s own software or sensor systems).
The security of autonomous vehicles requires securing the communication between AI algorithms, sensors (LiDAR, radar, cameras), and cloud-based services. These connections are critical to how AVs operate and interact with their environment.
Vehicle-to-Everything (V2X) communication and over-the-air (OTA) updates could be major weak points that manufacturers should address. V2X covers various types of communication between a vehicle and its surroundings. The goal is to improve road safety, traffic efficiency, and autonomous driving capabilities by allowing cars to “talk” to other entities.
On the other hand, OTA updates are wireless software updates sent directly to a vehicle from the manufacturer or service provider. Instead of taking your car to a dealership for a software upgrade or bug fix, the update is delivered via the internet, similar to how smartphones receive updates.
Intercepting V2X communications or OTA updates could lead to way more serious consequences than just stealing data because these features control critical functions of the vehicle.
The US government has also expressed concerns over the use of Chinese and Russian technology in autonomous cars, proposing bans on such software and hardware to mitigate espionage and national security risks. This adds a geopolitical dimension to automotive cybersecurity.
The regulatory landscape
The problem might lie in differing regulatory approaches from country to country, so global cooperation is essential in establishing cybersecurity standards for autonomous vehicles.
In the EU, the General Safety Regulation 2019/2144 mandates stringent cybersecurity requirements for new vehicles, including secure software updates and risk-based security measures.
In contrast, the United States relies on voluntary guidelines from the National Highway Traffic Safety Administration (NHTSA), which encourage proactive security practices but are not enforceable.
Global standards organizations like ISO and SAE are playing a key role in shaping industry practices, especially through the ISO/SAE 21434 standard, which outlines a framework for securing vehicle systems across their entire lifecycle.
Cyber awareness behind the wheel
Not all dangers come from exploits targeting complex systems; sometimes they come from the person behind the wheel.
For example, in social engineering and phishing attacks, a person could receive an email that appears to be from a car manufacturer, warning about a critical software update. Trusting the message, they might click the link, follow the instructions, and unknowingly open the door to intrusion.
Cars are now also equipped with apps that make life easier, whether for navigation or streaming music. But there is a potential risk: many of these apps connect to public Wi-Fi networks. If an app lacks secure connections, it could expose your data, or even your car’s system, to cyberattacks.
Automakers and cybersecurity experts must prioritize efforts to raise awareness, helping consumers understand how their data is used and how to protect themselves. This includes explaining why regularly updating software, using secure Wi-Fi networks, and ensuring that vehicles have built-in security features are important.
Drivers should also be aware of potential risks such as unsecured Bluetooth connections, vulnerabilities in the cloud services that store vehicle data, and the importance of password protection for connected systems.
In the future, with the rise of connected vehicles, autonomous driving systems, and IoT integration, the automotive sector must continue to implement proactive cybersecurity strategies to stay ahead of potential threats.