Cybersecurity in the Vehicle
When the IoT Becomes the Weakness
The increasing connectivity through IoT devices enables new comfort features but also creates dangerous entry points for hacker attacks.
Adobe Stock / Open Studio
The use of more sensors, IoT devices, and OTA updates simultaneously creates increasingly risky security vulnerabilities. From the perspective of cybersecurity experts, it is almost impossible to prevent more serious consequences in the long term.
The Internet of Things (IoT) is the basis for the collection of real-time data, which is essential for the connected vehicle. Behind it is a large number of individual IoT devices installed in the car. However, networking creates security consequences that are difficult to oversee. "As soon as remote access to vehicles and data is allowed, OEMs in the automotive sector have an incredibly high responsibility to ensure that no unauthorised actor can enter this system. However, we already see a long list of failures," says Sebastian Steinhorst, Professor of Embedded Systems and Internet of Things at the Technical University of Munich.
In December 2024, for example, a serious data protection incident at the Volkswagen Group became known. Due to a misconfiguration at VW's software subsidiary Cariad, movement data of around 800,000 electric cars from several brands, as well as personal data of vehicle owners, were publicly accessible in an Amazon cloud storage for months. At Kia, security experts found significant vulnerabilities in the web portal last June. Hackers were able to use vehicle owners' app access. Based solely on license plates or vehicle identification numbers, attackers could register as "invisible" secondary users, locate cars, and remotely control functions such as door locks, engine start, and horn. "This is the opposite of good IoT device management," notes Sebastian Steinhorst.
The mobility ecosystem becomes a problem
“IoT devices in the automotive and smart mobility ecosystem have now become critical infrastructure. Cyberattacks on these devices pose greater risks and impacts than on other IoT devices. Therefore, stakeholders must ensure security, operational availability, and data integrity,” states cybersecurity specialist Upstream in a report. From the perspective of the study authors, the increasing spread of smart mobility devices heralds a new era of massive cybersecurity risks. They note: “Numerous devices are vulnerable to attacks, including chargers and infrastructure for electric vehicles, autonomous systems and kits for self-driving cars, traffic management systems, telematics systems, fleet management solutions, and intelligent agricultural devices.”
Drivers are also increasingly aware of the threat to their vehicle safety: 42 percent are concerned about cyberattacks on their vehicle, and 40 percent see connected vehicles with software updates as a threat, found a study by the Center of Automotive Management in cooperation with Cisco.
For all IoT functions where over-the-air (OTA) changes are made, gateways are created, says Sebastian Steinhorst: “Although regulations like the NIS2 directive or the Cyber Resilience Act, which applies from 2027, ensure that there is necessarily an awareness here. But how this is really handled in practice remains open - as does whether these regulatorily required minimum cybersecurity requirements will ultimately suffice.” The expert believes that regulation will not dramatically improve the situation. “In the coming years, there will likely be situations where perhaps entire fleets of vehicles of a manufacturer and type come to a standstill because the system has been compromised,” Steinhorst suspects.
Only as strong as the weakest link
In the case of the VW incident, no gross misconduct could be identified. For example, data was not left unencrypted somewhere. Instead, a misconfiguration in the software led to a situation where it was possible to enter a mode from the outside in which certain data became accessible. This, in turn, made it possible to access the keys stored in the cloud to decrypt data. So it was a multi-layered situation, even though the system initially appeared secure at first glance.
“In cybersecurity, we always have the same problem: the weakest link in the chain can cause an entire, well-thought-out security concept to collapse. With the increasing complexity in systems and more networking in the automotive sector, the previous security incidents show: it is only a matter of time before things happen that really have more negative effects,” says Sebastian Steinhorst. In growing systems, for example, an old component that might have a weakness is sometimes used. So the question is: how can such systems be further secured in the future?
Modern methods meet old-fashioned processes
Unlike with smartphones, where an update for a zero-day vulnerability is available a few days later, the issue presents itself differently in vehicles, says Steinhorst. Only for vehicles where OTA access is possible at all can a quick security patch be implemented. For the majority of the fleet, however, a recall must be issued via the Federal Motor Transport Authority.
“It becomes difficult because, on one hand, very modern methods are used, but on the other hand, actions are still too slow and sluggish,” the expert notes. This is where technologies such as intrusion detection and response systems come into play. An active system should be able to bring the vehicle into a secure mode upon indication of a security vulnerability or detect an attack itself and autonomously initiate the first defence mechanisms in the vehicle's software.
The Upstream study also quotes Martin Arend, General Manager Automotive Security at BMW: “To be able to react quickly and comprehensively, it is of utmost importance for the BMW Group to always keep an eye on the effectiveness of our measures on site. To meet these challenges, we continue to place the greatest emphasis on the reliability and scalability of our detection systems, making them a cornerstone of our cybersecurity strategy.”
This article was first published
at automotiveit.eu
