Vehicles are becoming increasingly software-based, and there’s no getting away from it, says Gianfranco Vinucci, Chief Operating Officer at PCA Cyber Security.
Automotive OEMs and suppliers spy an opportunity for cockpits to play host to connected digital platforms that offer drivers convenience while presenting the automotive industry greater opportunities to open recurring revenue streams via digital services. The pace of this change means it’s increasingly outdated to see car head units as infotainment devices. Head units acting as connected platforms – capable of services like In-Car Payment and AI-embedded voice assistants served by Over-The-Air (OTA) app updates – are the new normal.
The automotive industry needs to factor the security implications into their equations. The Bluetooth, Ethernet, and internal Wi-Fi connectivity that makes this shift possible expands the automotive attack surface. This needs to be proactively managed as cabin connectivity and network functions continue to be centralised into digital platforms.
Head units: a hacking entry point of choice
A decade ago, attempts to hack vehicle head units were understood as efforts to target physical-access points (i.e; USB ports). Fast forward to today and head units are among the most externally exposed systems you’ll find in a car. Modern head units sit at the meeting point of Bluetooth, USB, smartphone projection, Ethernet, telematics and vehicle-facing functionality. Hackers and ethical hackers alike regularly target head units as the starting point of a vehicle compromise. This isn’t simply a case of head units being an attractive entry point because they’re connected. It’s also because they’re increasingly trusted and critical to vehicle functions.
The scale of potential exposure needs to be stressed. Our team has previously disclosed how a common Bluetooth stack used in a range of head units, manufactured by different vendors, left millions of vehicles exposed to Remote Code Execution (RCE) that makes it possible for attackers to track GPS coordinates, record audio inside a car, obtain personal phonebook information and move laterally to other Electronic Control Units (ECUs) to access critical elements of a car.
Defensive measures face a barrage of vulnerabilities
It needs to be said that automotive OEMs and suppliers aren’t oblivious to these risks. Modern vehicles employ network security domain separation to stop, or limit, the impact of attacks. Dedicated gateway units act as firewalls, isolating safety-critical systems (like steering, braking, and gear shifting) from less trusted head units.
This architecture forces attackers to attempt complex lateral movements to compromise safety systems. The problem is that increasingly connected software systems open more paths for this lateral movement to take place. And this leaves vehicles increasingly exposed. Q1 of this year saw a 102pc year-on-year rise in documented automotive-specific vulnerabilities. Worryingly, 88 per cent of these vulnerabilities present a low attack complexity (specialised tools or extensive preparation not necessary for exploitation).
As already established, modern head units are the most exposed systems in a car, so the work to respond to the current landscape of heightened vulnerability must start with recognising and managing their risk profile.
Recognising and responding to the status quo
A significant hurdle for automotive security is product life cycles. Vehicles remain on the road for years, while vulnerabilities that leave software exposed change daily. This presents an obvious problem; head units that were deemed secure in initial testing before market launch can be left vulnerable by underlying components later down the line.
By identifying that problem, we also land on a solution. Automotive OEMs and suppliers need an automotive security strategy covering entire product lifecycles. This must start with establishing a product’s full software bill of materials (SBOM) through independent verification of vendor claims. With validated SBOMs for products, OEMs and suppliers are in a position to put the discovery of new Common Vulnerabilities and Exposures (CVEs) into the context of their product lines. This can then be addressed with OTA patch delivery to keep end users safe.
Responding to CVEs is one thing. The heightened threat landscape also strengthens the case for OEMs and suppliers to use device testing as an opportunity to think like an attacker and meaningfully probe for potential zero-day vulnerabilities. Penetration testing has an important role to play here.
It’s not feasible, or necessary, to slow the move to software-driven, connected vehicles. But it is perfectly possible for the automotive industry to manage the security implications of that shift with strategies that move beyond ‘point-in-time’ assessment. OEMs, Tier-1 suppliers and mobility providers should focus on securing head units with continuous threat monitoring and response that keeps vehicles secure across a unit’s entire lifecycle.
See also the company’s blog.




