A spectacular but ultimately harmless hack of the My Volkswagen app by an Indian cyber researcher last year continues to raise serious questions about the cybersecurity of millions of connected vehicles, prompting demands for more stringent security approaches.
Serious flaws in the My Volkswagen app made it too easy for researcher Vishal Bhaskar to access large amounts of personal and vehicle data.
Chief Technology Officer of Device Authority.
Bhaskar was able to get the correct four-digit combination using automation. He then discovered internal usernames, passwords, tokens, and third-party payment processor credentials.
From another endpoint, he used the vehicle identification number (VIN) to access customers' personal data and obtained any vehicle's service history, customer complaints and satisfaction surveys.
The vulnerabilities were reportedly patched in May 2025, but the question remains: How many more security holes in connected vehicles could remain?
And if one of the world's largest automotive OEMs (original equipment manufacturers) fails to identify a glaring gap, what will others do?
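The two flaws described above, a four-digit code that could be found by automated guessing and a lookup keyed only on the VIN, correspond to two missing server-side checks. The sketch below is an added example, not Volkswagen's code or its fix; the class and function names, policy values and data shapes are assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # assumed policy: wrong guesses before lockout
LOCKOUT_SECONDS = 900   # assumed policy: lockout duration
CODE_TTL_SECONDS = 300  # assumed policy: lifetime of an issued code


class CodeVerifier:
    """Four-digit code check with a per-account failure cap."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._codes = {}         # account -> (code, expires_at)
        self._failures = {}      # account -> wrong guesses since last success
        self._locked_until = {}  # account -> time the lockout ends

    def issue(self, account):
        code = f"{secrets.randbelow(10_000):04d}"
        self._codes[account] = (code, self._clock() + CODE_TTL_SECONDS)
        return code  # sent out of band; re-issuing does not reset failures

    def verify(self, account, guess):
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"  # rejected before the guess is even compared
        code, expires_at = self._codes.get(account, ("", 0))
        if not code or now > expires_at:
            return "no_valid_code"
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[account]  # single use
            self._failures.pop(account, None)
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
            del self._codes[account]  # burn the code under attack
            return "locked"
        return "wrong"


def service_history(session_account, vin, owner_of, records):
    """Return records only if the VIN is bound to the authenticated account."""
    if owner_of.get(vin) != session_account:
        raise PermissionError("VIN is not bound to this account")
    return records.get(vin, [])
```

With only 10,000 possible codes, the failure cap is what bounds the chance of a successful guess; the VIN check makes the identifier a lookup key rather than a credential.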
Emerging Security Threats to Connected Vehicles
The possibility of hacking became known more than ten years ago, when the book “The Automotive Hacker's Handbook” was published. But since then, manufacturers have been constantly installing more attractive automated data services in their cars and are now turning to AI.
Statista expects that by 2030, 96 percent of all new cars in the world will have a built-in communications system. Last year, for example, Hyundai entered into a partnership with Samsung which, among other things, will allow motorists to use Galaxy smartphones to access information about their vehicles, including range and battery location.
The push for greater integration could see connections between Samsung's IoT platform and Hyundai's new infotainment system.
However, as digital features in vehicles evolve, high-profile security incidents are becoming more frequent, highlighting the urgent need to close security gaps before criminals discover them. For example, in January of this year it was reported that a bug in the Subaru web portal allowed a hacker to start the car and track its location.
When there is so much data streaming from and to vehicles, poor security measures can easily lead to data leakage without any intervention from hackers, resulting in penalties from regulators.
However, criminals will attack server systems with ransomware, using any endpoint or vulnerability to penetrate, before taking down systems that provide connectivity to hundreds of thousands of vehicles.
The priority path to greater security
OEMs need to take the lead in combating these threats. From now on, together with their Tier 1 suppliers, they must take a secure-by-design approach from factory to crusher, collaborating with device security innovators to ensure vehicle security as threats evolve.
Part of this security concept is the use of an OEM-owned key management system (KMS). Centralized management of cryptographic keys and policies across electronic control units (ECUs), telematics control units (TCUs), and vendor devices reduces fragmentation, improves revocation speed, and creates the evidence regulators expect.
Managed by the OEM, a KMS turns policy into enforcement by governing the certificates that every vehicle's radios and services depend on.
Vehicles, from infotainment systems to navigation and anti-theft systems, rely on wireless communications, with every transmitting device a potential weak point unless OEMs use KMS and/or some kind of automation to manage vehicle identity on a massive scale.
Security must span the entire connected car ecosystem through successful integration of cybersecurity solutions. Consolidation is important for end-to-end security, where there are up to 70 different providers covering all aspects of vehicle security.
Security of this ecosystem must extend to the cloud and include the vehicle security operations center (VSOC) and vehicle-to-cloud communications (V2C).
Evolving global automotive cybersecurity standards
As a priority, OEMs must work diligently to comply with EU/UNECE WP.29 regulations for new vehicle types. These regulations lay the foundation for cybersecurity throughout the entire vehicle lifecycle, from design and development to post-production and upgrades.
OEMs also need to adopt the industry-leading ISO21434 standard, which focuses on protecting the cybersecurity of vehicle electrical and electronic systems and requires threat analysis, risk management and resilience measures.
In markets outside Europe, OEMs must also ensure compliance with the Indian AIS 189 standard and the Chinese GB/T standard. AIS 189 is a variant of EU WP.29 covering Tier 1 and Tier 2 suppliers and OEMs.
As Indian regulators push for ISO21434 compliance, the direction of travel is clear: cybersecurity must be demonstrated through Cyber Security Management Systems (CSMS) and Software Update Management Systems (SUMS).
Chinese GB/T regulations contain strict data confidentiality and residency rules, with an emphasis on threat modeling and post-market monitoring.
PKI (public key infrastructure) automation, lifecycle management of digital certificates that authenticate devices on the network, and zero trust architectures are all important features of the Chinese approach.
Securing Vehicle Identity through Automation
An advanced, automated approach to this key issue of machine identity security is now essential as vehicles interact with many external networks, including automated payment systems, Wi-Fi hotspots, roadside infrastructure and other vehicles.
Managing the PKI certificate of each embedded device is critical to ensure that connected systems know the device is secure and that transmitted data is encrypted.
OEMs must manage these identities as vehicle ownership changes, using next-generation IoT technology platforms to ensure security software is updated and devices are always authenticated.
The scale of the task over the 15-25 year life cycle of a vehicle requires advanced automation to secure, renew and revoke certificates. This is particularly effective for protecting telematics control units, providing a strong anchor of trust.
Integrating advanced PKI management will bring real benefits.
If they want to protect millions of connected vehicles and maximize the value of their current PKI security approaches, OEMs will need these more advanced, integrated approaches. They must be able to simplify security management, increase security, and reduce overhead.
A platform approach with security built in has the distinct advantage of reducing time to market for new vehicles or applications. This allows OEMs to set policies regarding critical security aspects, such as how often certificate keys are rotated. They can then trust their data, designing services with more confidence.
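The automation described above (renewing and revoking certificates across a fleet, with an OEM-set key rotation interval) reduces to a prioritised decision over a certificate inventory. The following is an added example, not code from any vendor platform; the record fields, policy values, action names and device identifiers are assumptions, and the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)   # assumed policy: renew this long before expiry
MAX_KEY_AGE = timedelta(days=365)   # assumed policy: key rotation interval


@dataclass
class DeviceCert:
    device_id: str          # constructed TCU/ECU identifier
    not_after: datetime     # certificate expiry
    key_created: datetime   # when the current key pair was generated
    status: str = "active"  # "active", "compromised" or "scrapped"


def plan(inventory, now):
    """Pick one lifecycle action per device; the most urgent rule wins."""
    actions = {}
    for cert in inventory:
        if cert.status != "active":
            action = "revoke"           # must stop being trusted immediately
        elif now >= cert.not_after:
            action = "reissue_expired"  # already lapsed, cannot authenticate
        elif now - cert.key_created >= MAX_KEY_AGE:
            action = "rotate_key"       # new key pair and new certificate
        elif cert.not_after - now <= RENEW_BEFORE:
            action = "renew"            # same key, new validity period
        else:
            action = "none"
        actions[cert.device_id] = action
    return actions


def demo():
    """Run the plan over a constructed six-device inventory."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    inventory = [
        DeviceCert("tcu-001", now + 200 * day, now - 100 * day),
        DeviceCert("tcu-002", now + 10 * day, now - 100 * day),
        DeviceCert("ecu-003", now + 200 * day, now - 400 * day),
        DeviceCert("tcu-004", now + 200 * day, now - 100 * day, "compromised"),
        DeviceCert("ecu-005", now - 1 * day, now - 100 * day),
        DeviceCert("tcu-006", now + 5 * day, now - 100 * day, "scrapped"),
    ]
    return plan(inventory, now)
```

The rule order matters: a scrapped unit whose certificate is about to expire is revoked, not renewed.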
If OEMs want to maximize their capabilities in this rapidly evolving area, they must address IoT threats to automotive safety. The integration of AI with the Internet of Things is changing the automotive world, but requires the most effective security to ensure productivity without compromising security and compliance.
This article was produced as part of TechRadarPro's Expert Insights channel, where we profile the best and brightest minds in today's tech industry. The views expressed here are those of the author and do not necessarily reflect those of TechRadarPro or Future plc. If you are interested in participating, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro






