As modern vehicles evolve into software-defined vehicles (SDVs), cybersecurity is becoming a critical concern for automakers, security professionals, and regulators. With the rise of connected cars, over-the-air (OTA) updates, and vehicle-to-everything (V2X) communication, the attack surface is expanding rapidly.

In a recent webinar, Florian Rohde, former Tesla engineer, shared insights into the key security risks facing SDVs and the measures required to mitigate them. This article explores the main takeaways from the discussion and highlights the core cybersecurity challenges in automotive development.

What Are Software-Defined Vehicles (SDVs)?

Traditionally, vehicles were mechanically engineered products with limited software integration. However, modern cars now contain millions of lines of code that control critical functions, from braking and acceleration to navigation and autonomous driving.

Characteristics of SDVs

• Reliance on software updates to enhance performance and security
• Integration of cloud connectivity for remote monitoring and diagnostics
• Use of APIs for mobile app connectivity, such as unlocking doors and remote start
• Adoption of machine learning and AI for assisted and autonomous driving

While this shift improves convenience and efficiency, it also introduces new cybersecurity vulnerabilities.

The Role of APIs in Automotive Cybersecurity

APIs (Application Programming Interfaces) are essential for connecting vehicles to cloud services, mobile apps, and other systems. However, they have also become a major attack vector for cybercriminals.

Examples of API vulnerabilities

• Unlocking car doors remotely using weak authentication mechanisms
• Starting and stopping vehicles by exploiting exposed endpoints
• Tracking vehicle locations in real time by accessing GPS data
• Taking over user accounts by bypassing insecure API authorization

A well-known example of API exploitation in the automotive industry comes from researcher Sam Curry, who discovered that vulnerabilities in automotive APIs allowed remote control over various car models.

How automakers can improve API security

• Implement strong authentication and access control
• Encrypt sensitive data transmitted via APIs
• Continuously monitor for unusual API activity
• Conduct regular penetration testing on exposed APIs

Over-the-Air (OTA) Updates: A Double-Edged Sword

OTA updates allow car manufacturers to deploy real-time software fixes and new features remotely, reducing the need for physical recalls. However, these updates also introduce security challenges.

Potential security risks with OTA updates

• Supply Chain Attacks – If an automaker’s update server is compromised, attackers could push malicious software to thousands of vehicles.
• Rollback Vulnerabilities – Attackers might force a vehicle to downgrade to an older, vulnerable software version.
• Swarm Attacks – If an exploit is found, an attacker could compromise an entire fleet simultaneously.

Best practices for secure OTA updates

• Use cryptographic signing to verify the authenticity of software updates
• Implement rollback protection to prevent downgrades to vulnerable versions
• Continuously monitor update processes for anomalies

At Tesla, Rohde’s team implemented a “ratchet system” to ensure that once a security patch was applied, the software could not be downgraded—a critical protection against rollback attacks.

Vehicle-to-Everything (V2X) Communication: A New Attack Surface

V2X technology enables vehicles to communicate with traffic lights, other vehicles, and smart city infrastructure. While this enhances efficiency and safety, it also creates potential cyber threats.

Security risks in V2X communication

• Manipulating traffic signals to cause congestion or accidents
• Spoofing vehicle messages, tricking cars into dangerous driving behavior
• Intercepting and altering data, disrupting traffic management systems

Security measures for V2X networks

• Authenticating V2X messages to ensure they come from trusted sources
• Encrypting V2X data transmissions to prevent tampering
• Building resilient fail-safes to prevent catastrophic failures

Rohde pointed out that if one part of the system, such as a traffic light, is vulnerable, it can be exploited as an attack vector—even if the vehicles themselves are secure.

Challenges Facing Automotive Cybersecurity

As cyber threats continue to evolve, automakers must take a proactive approach to security rather than relying solely on compliance with existing regulations. Key security priorities for the industry include:

• Securing API development to prevent unauthorized access
• Encrypting vehicle communication to protect internal networks
• Implementing real-time security monitoring to detect and respond to threats
• Conducting regular penetration testing to identify vulnerabilities
• Strengthening OTA security strategies to prevent supply chain attacks

Regulatory Efforts in Automotive Cybersecurity

The UNECE WP.29 cybersecurity regulations require automakers in Europe to implement cybersecurity management systems (CSMS) and provide 15 years of security updates for vehicles. The ISO 21434 standard outlines best practices for securing automotive software, but compliance is not legally required.

In the United States, there are currently no strict cybersecurity mandates for vehicles, making it even more important for automakers to take independent security measures.

The Future of Automotive Cybersecurity

As vehicles become increasingly software-driven, cybersecurity will play a fundamental role in ensuring safety, reliability, and consumer trust. In the coming years, the industry will see:

• Stricter cybersecurity regulations worldwide
• Greater emphasis on API security in automotive development
• Improved V2X security protocols to prevent manipulation
• Stronger OTA update security to prevent supply chain attacks

Automakers, security professionals, and regulators must collaborate to address these challenges and protect the future of connected vehicles.

‍