Draft:Automotive Cybersecurity

This article may incorporate text from a large language model. It may include hallucinated information or fictitious references. Copyright violations or claims lacking verification should be removed. Additional guidance is available on the associated project page. (June 2025)

Automotive cybersecurity refers to the protection of automotive systems, including software, hardware, communications, and data, from cyber threats. As modern vehicles become increasingly connected and autonomous, cybersecurity has emerged as a critical area for ensuring the safety, privacy, and reliability of automotive systems.

Modern vehicles rely on numerous Electronic Control Units (ECUs), networks (e.g., CAN, LIN, Ethernet), and software systems to operate functions such as braking, steering, infotainment, and driver assistance. With the rise of telematics, over-the-air (OTA) updates, vehicle-to-everything (V2X) communications, and connected services, the attack surface of vehicles has expanded significantly.

Automotive cybersecurity involves applying risk assessment, security engineering, intrusion detection, and mitigation strategies to prevent unauthorized access and control of vehicle systems.

The field of automotive cybersecurity began gaining public attention in the early 2010s following several high-profile research demonstrations and real-world vulnerabilities. One notable example is the 2015 remote hack of a Jeep Cherokee by researchers Charlie Miller and Chris Valasek, which led to a recall of 1.4 million vehicles by Fiat Chrysler Automobiles (FCA).

Since then, cybersecurity has become a central concern for original equipment manufacturers (OEMs), suppliers, regulators, and standardization bodies.

Threats in the automotive domain can target multiple areas, including:

• In-vehicle networks (e.g., CAN bus spoofing or injection)
• Wireless interfaces (e.g., Bluetooth, cellular, Wi-Fi, V2X)
• Telematics control units (TCUs)
• Infotainment systems and mobile app integrations
• Over-the-air update mechanisms
• Autonomous driving functions and sensor spoofing

Attacks may lead to consequences ranging from data breaches and privacy violations to physical safety risks or full vehicle takeover.

Several industry standards and regulations have emerged to guide the development of secure automotive systems:

• ISO/SAE 21434 - “Road Vehicles - Cybersecurity Engineering,” providing a framework for cybersecurity throughout the vehicle lifecycle.
• UNECE WP.29 R155/R156 - United Nations regulations requiring cybersecurity and software update management systems for type approval in many markets.
• SAE J3061 - Guidebook for cybersecurity in the automotive domain (precursor to ISO/SAE 21434).

To mitigate risks, manufacturers and suppliers deploy a range of cybersecurity controls, including:

• Secure boot and firmware integrity
• Network segmentation and intrusion detection systems (IDS)
• Authentication and encryption of communications
• Hardware security modules (HSMs)
• Security operations centers (SOCs) for fleet monitoring
• Penetration testing and vulnerability management
• Over-the-air update verification and rollback protection

Automotive cybersecurity is supported by collaboration across industry, academia, and government. Notable initiatives include:

• Auto-ISAC (Automotive Information Sharing and Analysis Center) - Facilitates threat intelligence sharing among OEMs and suppliers.
• ETSI and 5GAA - Work on connected vehicle and V2X security standards.
• Pwn2Own Automotive - A cybersecurity competition focused on identifying vehicle vulnerabilities in a controlled environment.

China has rapidly advanced its regulatory framework around vehicle cybersecurity and data governance:

• GB 44495‑2024 (“Cybersecurity Regulation for Vehicles”) was introduced in August 2024. Based on UNECE R‑155 and ISO/SAE 21434, it mandates a Cybersecurity Management System (CSMS), comprehensive threat detection, incident handling, and audit processes

• The “Vehicle Network Cybersecurity Abnormal Behavior Detection Mechanism” (GB/T 45181‑2024), effective April 1, 2025, requires automakers to detect and respond to network anomalies in real time.

• On June 13, 2025, China’s MIIT issued draft regulations governing the export of car-generated data, specifically requiring security assessments and official approval for outbound transfers of “important” data used in ADAS or autonomous systems. Exemptions apply, such as for companies in free-trade zones.

These standards operate within a wider framework:

• The Cybersecurity Law (effective June 1, 2017) establishes data localization and security requirements.
• The Data Security Law (effective Sept 1, 2021) regulates data handling and national security.
• The Personal Information Protection Law (PIPL, effective Nov 2021) sets out strict rules on data consent, cross-border transfers, and breach notifications.

Despite progress, challenges persist:

• Complex supply chains and legacy systems complicate end-to-end security.
• Balancing safety and security can lead to trade-offs in system design.
• Long product lifecycles require long-term cybersecurity support.
• Evolving threat landscape demands constant updates and monitoring.

As vehicles become more autonomous, connected, and electrified, cybersecurity will play an even more critical role. Emerging areas of focus include:

• AI-based threat detection
• Post-quantum cryptography
• Secure data sharing for mobility services
• Cybersecurity for software-defined vehicles

Recent years have seen a surge in public security research revealing vulnerabilities in modern connected vehicles:

Nissan Leaf App Vulnerability (2025): In April 2025, researchers from PCA Cyber Security (formerly PCAutomotive) disclosed a critical vulnerability in the Nissan Leaf, allowing attackers to access certain remote functions using only the vehicle’s VIN number. The exploit allowed unauthorized control of climate settings and access to trip data without authentication.^[1]

Škoda Remote Tracking Exploit (2024): In December 2024, researchers revealed flaws in Škoda’s backend systems that could allow attackers to remotely track vehicles and access sensitive user data through the mobile app infrastructure. The vulnerabilities stemmed from insufficient backend authorization mechanisms.^[2]

Pwn2Own Automotive 2025: Held in Tokyo in January 2025, Pwn2Own Automotive featured several successful vehicle-related exploits. PCAutomotive’s team demonstrated:

• A stack-based buffer overflow in the Alpine iLX-507 infotainment system;
• A three-bug chain (heap overflow, auth bypass, and isolation flaw) against the Sony XAV-AX8500;
• A vulnerability in the Tesla Wall Connector, allowing unauthorized remote access.

These exploits earned the team multiple Master of Pwn points and cash rewards under responsible disclosure protocols.^[3]

Tesla Keyless Entry Relay Attacks: Research continues to demonstrate the vulnerability of keyless entry systems to relay and replay attacks. Despite mitigations like PIN-to-drive and ultra-wideband (UWB) key fobs, some Tesla models remain susceptible to physical proximity-based hacks.

UConnect System Flaws (2023): New research in 2023 reported lingering issues in the UConnect infotainment system affecting Jeep and Dodge models. Although less critical than the 2015 Jeep Cherokee exploit, it revealed ongoing concerns about telematics and app interface security.

These incidents highlight the dynamic nature of automotive cybersecurity, with threats targeting mobile interfaces, wireless communications, backend APIs, and internal vehicle networks.

• Autonomous vehicle
• Connected car
• ISO/SAE 21434
• Vehicle-to-everything
• CAN bus
• Information security
• Safety-critical system