Connected Cars Advance, But Security Lags Dangerously Behind

Summary
– Connected cars offer advanced features but are vulnerable to cyber risks due to multiple entry points like telematics systems, sensors, and data connections.
– Current European regulations and industry standards exist but lack consistency, enforcement, and comprehensive coverage of all threat areas, especially supply chain security.
– A study reveals that public awareness of data collection is rising, yet drivers receive little information and trust varies by brand and region.
– Innovation in software-defined vehicles is outpacing security practices and regulations, increasing attack paths and leaving gaps in protection.
– Experts criticize weak enforcement of rules like R155, noting that insecure software remains widespread in vehicles despite regulatory frameworks.
Modern vehicles on European roads are packed with sophisticated software, sensors, and constant data links, offering drivers everything from remote control apps to intelligent navigation. While these connected features deliver impressive convenience and functionality, they also introduce significant cybersecurity vulnerabilities. The very technology that makes cars smarter also exposes them to a growing range of digital threats.
Recent research conducted by Óbuda University in Budapest and the University of Oslo examines these emerging risks, identifies gaps in current regulatory frameworks, and explores how drivers perceive the safety of their increasingly digital vehicles. Cybersecurity specialists warn that rapid innovation combined with inconsistent security protocols has left the automotive industry dangerously exposed to potential attacks.
Connected cars essentially function as digital platforms, offering multiple entry points for malicious actors. The study identifies several critical areas of concern. Remote access attacks can target telematics units, wireless interfaces, or mobile applications linked to the vehicle. Data leakage poses another serious problem, as connected cars gather sensitive details like location history and driving habits, often storing this information on cloud servers.
Onboard sensors bring their own set of dangers. Cameras, radar, lidar, and GPS systems can be manipulated, confusing driver assistance features and potentially causing hazardous situations. Once an attacker gains access, they can penetrate deeper by exploiting the CAN bus network, which connects essential components including brakes, steering, and acceleration systems.
Even routine software updates carry risks. Compromised firmware can spread through over-the-air updates, potentially impacting thousands of vehicles simultaneously. The global supply chain adds further complexity, since a single vulnerability in a third-party component or API can affect numerous manufacturers and vehicle models.
Europe has implemented several regulatory measures to counter these threats. Regulations such as UNECE R155 and UN R156 mandate cybersecurity management and software update systems for vehicle type approval, empowering authorities to prohibit the sale of non-compliant vehicles. GDPR establishes rules for handling personal data, and the forthcoming Cyber Resilience Act will impose stricter security requirements for connected products.
Industry standards including ISO/SAE 21434 and ISO 24089 offer detailed guidance on vehicle cybersecurity and update protocols. Other frameworks like TISAX and AUTOSAR Adaptive concentrate on development processes and architectural design. However, many of these standards remain voluntary and lack the enforcement power of legal regulations.
The research revealed that no single framework comprehensively addresses all threat areas. Some focus on system integrity, others on data privacy, and still others on functional safety. Supply chain security represents a particular weakness, as many standards do not explicitly require third-party accountability, leaving manufacturers to manage supplier risks through contractual agreements and audits.
David Brumley, a professor of offensive cybersecurity at Carnegie Mellon University and CEO of Mayhem, noted that the study could have better explained why these standards vary. He clarified that ISO 21434 typically addresses software development before release, while R155 focuses on deployed software in active use. These represent fundamentally different security challenges.
Brumley criticized how R155 is being implemented in practice, stating that automakers continue to ship vehicles containing known vulnerabilities. He cited Audi as an example, noting that certain models still include outdated software with well-documented security flaws. Despite R155’s requirements, he observed that developers often lack clear guidance from management about implementing these standards effectively.
Alongside its technical analysis, the study surveyed approximately 300 individuals, primarily in Europe, to understand public attitudes toward smart car security and privacy. Most respondents believed their vehicles transmit data to both manufacturers and external companies, with awareness highest among owners of newer models. Western European participants were more likely than their Eastern European counterparts to think their data was being shared.
Most drivers expressed a strong desire for transparency regarding what data is collected and how it is used, though very few reported having received such information. Brand perception also influenced attitudes, with many participants preferring European or Japanese manufacturers, while some voiced distrust toward vehicles from certain countries due to political concerns, safety issues, or perceived quality differences.
The term “smart car” remains somewhat ambiguous for many consumers, who tend to focus on visible features like autonomous driving or entertainment systems rather than underlying data security and privacy mechanisms.
Automakers continue to rapidly introduce new software-defined features, integrate third-party applications, and deploy over-the-air updates. This breakneck pace of innovation multiplies potential attack vectors and makes it difficult for security practices and regulations to keep up.
The research concludes that while Europe has established strong foundational elements, misalignments persist between technical standards, legal requirements, and consumer expectations. Building public trust will require closing these gaps. Brumley emphasized that innovation has surpassed some automakers’ commitment to regulatory intent, warning that without genuine accountability, vulnerable vehicles will remain a systemic problem on our roads.
(Source: Help Net Security)