The evolution of software-defined vehicles (SDVs) has led to exciting innovation in the automotive industry, but it has also brought challenges surrounding vehicle safety and security. Unlike traditional vehicles, which relied on mechanical systems with limited software, SDVs are “software on wheels.” This shift has created dangerous new vulnerabilities, with automotive cyber attacks surging in 2024 according to recent reports and incidents where hackers gained control of vehicle systems jumping to over 35% of all reported cases.
With millions of lines of code and hundreds of software programs managing everything from autonomous systems to braking, software security is now an undeniable component of vehicle safety. Just weeks ago, security researchers demonstrated how vulnerabilities in a 2020 Nissan LEAF could be exploited to remotely control steering and other vital functions.
For automotive manufacturers, balancing innovation with functional safety and effective cybersecurity measures is no small feat. However, by strengthening security, the other two will follow.
The Software-Defined Vehicle Attack Surface
Modern SDVs redefine what it means to drive a car while also redefining the total attack surface of a vehicle. Traditionally, vehicles might have included 20 to 30 software modules to control basic operations, such as anti-lock braking, climate control, or engine performance. However, today’s SDVs can easily have over 100 software programs, all interconnected and often communicating over wireless networks. This unprecedented level of complexity introduces significant risks.
Connectivity Growth: Features such as Bluetooth, Wi-Fi, and cellular networks improve user convenience but create multiple attack vectors. For example, infotainment systems, because of their connectivity, are prime targets on software-defined vehicles. The recent Nissan LEAF hack revealed exactly this vulnerability, with researchers using the vehicle’s infotainment system as an entry point to access critical vehicle controls, including the steering. Not only can attackers gain access to data and location information, they can use vulnerable infotainment systems as an on-ramp to access other critical vehicle systems, like Advanced Driver Assistance Systems (ADAS), CAN-Bus, or key engine control units.
Real-Time Operating Systems (RTOS): Real-Time Operating Systems play a key role in the functionality of software-defined vehicles, as they enable precise, time-critical operations for systems like Electronic Control Units (ECUs). ECUs are primarily programmed in C and C++ due to the need for efficiency and performance in resource-constrained environments. However, the reliance on these memory-unsafe languages significantly expands the attack surface of modern vehicles.
Memory-based vulnerabilities, inherent to C/C++ programming, can be exploited to enable remote code execution, potentially compromising critical safety and performance systems. This creates serious cybersecurity and reliability concerns for vehicles. As RTOS suppliers manage numerous processes, any vulnerability in their codebase can be a gateway for attackers, increasing the likelihood of malicious exploits across the interconnected vehicle ecosystem.
Strengthening Software-Defined Vehicle Security Improves Safety
By addressing potential vulnerabilities in automotive software, manufacturers can prevent cyberattacks that might compromise the safety of drivers and passengers.
One essential step is implementing a secure software development lifecycle (SDLC). This involves practices like regular threat modeling and security testing during development to identify and eliminate vulnerabilities early on. Secure coding practices, combined with tools that automate vulnerability detection, ensure software is resilient and less prone to exploitation. Adopting industry standards like AUTOSAR and POSIX further improves safety by creating systems that are consistent, reliable, and better equipped to handle cybersecurity risks
Additionally, securing the supply chain is crucial as SDVs rely on software from multiple vendors. By enforcing cybersecurity best practices across supply partners and using Software Bill of Materials (SBOMs), manufacturers can track vulnerabilities and reduce risks associated with third-party software.
Regular updates and patches also play a key role in maintaining safety and security. Over-the-Air (OTA) updates allow manufacturers to fix vulnerabilities quickly and efficiently. However, until OTA updates become commonplace and universally implemented, manufacturers can deploy advanced runtime memory protections to safeguard critical systems and prevent attacks that could compromise essential vehicle functions, like braking or steering.
By combining these strategies—secure software development, strong supply chain practices, regular updates, and applying runtime protections—manufacturers can significantly reduce the risk of cyberattacks.
Looking Ahead
The transition from “cars with software” to “software with wheels” has set new benchmarks for innovation but also heightened the stakes for safety and security. Automotive manufacturers must not view these two elements in isolation. Instead, they need a unified approach that anticipates and mitigates vulnerabilities to support and strengthen compliance with safety standards.
