Connected cars are already on Europe’s roads, loaded with software, sensors, and constant data connections. Drivers love the features these vehicles bring, from remote apps to smart navigation, but each new connection also opens a door to potential cyber risks. What makes cars smarter is the same thing that makes them more vulnerable.
A new study from Óbuda University in Budapest and the University of Oslo sheds light on these threats, where current rules fall short, and how drivers feel about the security of their vehicles. Cybersecurity experts say the combination of innovation and uneven security controls leaves the industry exposed.
Attackers have options
Connected cars are essentially digital platforms with multiple entry points for attackers.
The research highlights several areas of concern. Remote access attacks can target telematics systems, wireless interfaces, or mobile apps linked to the car. Data leaks are another major issue because connected cars collect sensitive information, including location history and driving behavior, which is often stored in the cloud.
Sensors present their own set of risks. Cameras, radar, lidar, and GPS can be manipulated, creating confusion for driver assistance systems. Once inside a vehicle, attackers can move deeper by exploiting the CAN bus, which connects key systems such as brakes, steering, and acceleration.
Even routine updates are potential hazards. Compromised firmware can spread through over-the-air (OTA) updates, affecting large numbers of vehicles at once. The supply chain also adds complexity. A vulnerability in a single third-party component or API can impact multiple manufacturers and models.
Rules are in place but lack consistency
Europe has taken steps to address these risks. Regulations such as UNECE R155 and UN R156 require cybersecurity and software update management systems for type approval, giving regulators the power to block unsafe vehicles. GDPR sets rules for handling personal data, while the upcoming Cyber Resilience Act will introduce stricter security expectations for connected products.
Industry standards like ISO/SAE 21434 and ISO 24089 provide detailed guidance on vehicle cybersecurity and software updates. Others, including TISAX and AUTOSAR Adaptive, focus on process and architecture. However, these are often voluntary and lack the enforcement power of legal regulations.
The study found no single framework that addresses all threat areas. Some focus on system integrity, others on privacy, and others on safety. Supply chain security remains a weak spot because many standards do not directly require third-party accountability. This leaves manufacturers to manage supplier risk through contracts and audits.
David Brumley, a professor of offensive cybersecurity at Carnegie Mellon University and CEO of Mayhem, told Help Net Security that the research could have gone further in explaining why these standards differ.
“The researchers didn’t quite lay out why there are different standards,” Brumley says. “ISO 21434 typically focuses on software development — think of it as pre-release — while R155 focuses on deployed software in the wild. Development versus ongoing security are different tasks.”
“The researchers incorrectly characterized R155, at least in practice,” he says. “Car manufacturers are shipping huge amounts of insecure software. This is stuff that a cursory reading of R155 would suggest would put them at risk. When I’ve spoken to car manufacturers, they boil R155 to a report that’s written, not action. Developers within automotive often have no real idea what’s in these standards, and certainly don’t have a mandate from management to address them in spirit.”
He points to Audi as an example of how this disconnect plays out. “Audi cars, at least up through 2024, ship with loads of software with well-known vulnerabilities, such as FreeImage,” Brumley says. “This software doesn’t even have a maintainer anymore. On face value this wouldn’t pass R155, but systematically this is just one of hundreds or thousands of examples where insecure software is on the vehicle.”
Public awareness is rising, but trust is lagging
Alongside its technical review, the study surveyed about 300 people, mostly in Europe, to gauge their views on smart car security and privacy.
A majority believe their vehicles send data to both manufacturers and outside companies, with awareness highest among owners of newer cars. Respondents from Western Europe were more likely to say they think their data is being shared compared to those in Eastern Europe.
Most drivers want information about what data is collected and where it goes, yet very few said they have received that information. Brand perception also plays a role. Many participants prefer European or Japanese brands, while some expressed distrust toward vehicles from certain countries, citing political concerns, safety issues, or perceived quality gaps.
The study suggests that the term “smart car” itself is still vague in the minds of many consumers. People tend to focus on features like autonomous driving or entertainment systems, while paying less attention to what happens behind the scenes with data security and privacy.
Innovation outpaces regulation
Manufacturers are pushing out new software-defined features, integrating apps, and rolling out over-the-air updates. This speed increases the number of attack paths and makes it harder for security practices and rules to keep up.
The study shows that while Europe has strong building blocks in place, there are still mismatches between technical standards, legal requirements, and consumer expectations. Public trust will depend on closing those gaps.
Brumley warns that the pace of innovation has outstripped the willingness of some automakers to embrace the spirit of regulations.
“R155 sounds good on paper, but enforcement is weak,” he says. “The result is cars on the road today with known vulnerabilities. Until there is accountability, this will remain a systemic problem.”