The spectacular, but ultimately harmless, hacking of the My Volkswagen app by an Indian cyber researcher last year continues to raise serious questions about cyber security for millions of connected vehicles, triggering demands for more rigorous secure-by-design approaches.
Serious flaws in the My Volkswagen app made it all too easy for the researcher, Vishal Bhaskar, to gain access to large amounts of personal and vehicle data.
Chief Technology Officer at Device Authority.
He was able to arrive at the correct combination of four digits through automation. He then uncovered internal usernames, passwords, tokens and credentials for third-party payment processors.
From another endpoint, he employed the vehicle identification number (VIN) to access customers’ personal details and brought up service histories for any vehicle, customer complaints and satisfaction surveys.
The vulnerabilities were reportedly patched in May of 2025, but the question remains – how many more gaps in connected vehicle security are there likely to be?
And if one of the world’s biggest automotive OEMs (original equipment manufacturers) failed to spot a glaring gap, how will others fare?
The proliferating threats to connected vehicle security
The potential for hacking was signalled more than ten years ago with the publication of The Car Hacker’s Handbook. But since then, the manufacturers have steadily installed more eye-catching automated data-connected services in their vehicles, and are now venturing into AI.
Statista expects that by 2030, 96 per cent of all new cars in the world will have built-in connectivity. Last year, for example, Hyundai, entered into a partnership with Samsung that, among other things, will enable motorists to use Galaxy smartphones to access information about their vehicles – including battery range and location.
The push towards greater integration could lead to links between Samsung’s IoT platform and a new Hyundai infotainment system.
Yet as digital functionality in vehicles develops, high-profile security incidents are becoming more frequent, highlighting the urgent need to address security gaps before criminals find them. In January this year, for example, a bug in Subaru’s web portal was reported to have enabled a hacker to start a vehicle and track its location.
When there is so much data streaming from and to vehicles, poor security practices could easily cause data breaches without any intervention from hackers, resulting in regulatory penalties.
Criminals, however, will target back-end systems with ransomware, using any endpoint or vulnerability to gain entry before locking up the systems providing connectivity for hundreds of thousands of vehicles.
The priority route to greater security
OEMs need to take the initiative against these threats. From now on, along with their Tier 1 suppliers they must adopt a secure-by-design approach from the factory to the crusher, collaborating with innovators in device security to ensure vehicles stay secure as threats evolve.
Part of that secure-by-design stance is operating an OEM-owned key management system (KMS). Centralized control of cryptographic keys and policies across electronic control units (ECUs), telematics control units (TCUs), and supplier devices reduces fragmentation, improves revocation speed and produces the evidence trail regulators expect.
An OEM-run KMS turns policy into enforcement, governing the certificates that every vehicle radio and service depends on.
From infotainment systems to navigation and anti-theft systems, vehicles rely on wireless connectivity, with each transmitting device a potential point of weakness unless OEMs use a KMS and/or automation of some sort to manage machine identities on a vast scale.
Security must cover the connected vehicle’s entire ecosystem through successful integration of cybersecurity solutions. Consolidation is important for end-to-end security, when there are up to 70 different vendors covering all aspects of vehicle security.
Protection of this ecosystem should extend to the cloud and include the vehicle security operation center (VSOC) and vehicle-to-cloud (V2C) communications.
Evolving global standards for automotive cyber security
As a priority, OEMs must work hard to comply with the EU’s UNECE WP.29 regulations for new vehicle types. This has laid the groundwork for cyber security for a vehicle’s lifecycle – from design and development to post-production and issuance of updates.
OEMs also need to adopt best-practice standard ISO21434 which focuses on cyber security protection for vehicles’ electrical and electronic systems and requires threat analysis, risk management and measures to boost resilience.
In markets beyond Europe, OEMs should also ensure compliance with AIS 189 in India and China’s GB/T standards. AIS 189 is a variant of the EU’s WP.29, encompassing Tier 1 and Tier 2 suppliers, as well as OEMs.
With Indian regulators pushing for alignment with ISO21434, the direction of travel is clear – cyber security must be demonstrable through cyber security management systems (CSMSs) and software update management systems (SUMSs).
The Chinese GB/T regulations embed strict data privacy and residence rules with an emphasis on threat-modelling and post-market monitoring.
PKI (public key infrastructure) automation, lifecycle management of the digital certificates that authenticate devices to the network, and zero-trust architectures are all important features of the Chinese approach.
Securing vehicle machine identities through automation
An advanced, automated approach to this key question of machine identity security is now necessary as vehicles communicate with many external networks that include automated payment systems, Wi-Fi hotspots, roadside infrastructure – and other vehicles.
Managing each onboard device’s PKI certificate is utterly critical so connected systems know it is secure and to ensure the data it transmits is encrypted.
OEMs must manage these identities throughout changes of vehicle ownership, using next-generation IoT technology platforms to ensure security software is updated and devices are constantly authenticated.
The scale of the task over the 15-25-year lifecycle of a vehicle requires advanced automation to take care of certificate provisioning, renewals and revocations. This is especially effective for the protection of telematics control units, providing a reliable trust anchor.
Integration of advanced PKI management will deliver real benefits
If they are to secure millions of connected vehicles and maximise the value of their current approaches to PKI security, OEMs are going to need these more advanced, integrated approaches. They must be able to simplify their security management, increasing protection while reducing overheads.
A platform approach that embeds security-by-design has the distinct benefit of achieving faster time-to-market for new vehicles or applications. It allows OEMs to set policy on vital aspects of security such as the frequency of certificate key rotation. Then they can trust their data, developing services with greater confidence.
If OEMs are to maximize their opportunities in this fast-evolving field they must address the IoT threats to automotive security. The integration of AI with IoT is reshaping the automotive world, but it demands the most effective security possible, enabling performance without compromising protection and compliance.
We’ve featured the best encryption software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
