Unveiling the Methods Hackers Use to Infiltrate Computer-Controlled Automobiles
In today's interconnected world, the increasing complexity of Self-Driving Vehicles (SDVs) has brought forth new challenges in ensuring their security. One significant area of concern is the memory safety vulnerabilities found in the embedded software of SDVs. These flaws, if exploited, can lead to serious security breaches and potential safety risks.
Critical electronic control units (ECUs) governing engine performance, braking, or collision-avoidance systems were not built with today's threat landscape in mind. This has left a gap that cybercriminals are eager to exploit. For instance, security researchers were able to exploit a heap overflow vulnerability and an out-of-bounds write error in the Bluetooth chipset of a Tesla, gaining root access to other critical subsystems within the car.
Memory corruption in a sensor module could cause the system to misinterpret its environment, leading to incorrect object detection. This could potentially lead to dangerous situations on the road.
Effective mitigation strategies for these memory safety vulnerabilities focus primarily on software hardening and architectural controls to strengthen vehicle cybersecurity. Key strategies include:
- Memory Safety Hardening Techniques: Employing memory safety tools and protections such as bounds checking, safe coding practices, and runtime hardening specifically for C/C++ code—the primary language where most vulnerabilities occur—to prevent buffer overflows and related attacks.
- Automated Code Analysis and Vulnerability Assessment: Conducting vulnerability assessments using Software Bill of Materials (SBOMs) and static/dynamic analysis tools early in the SDLC (software development lifecycle) to identify unsafe memory usage and other security weaknesses before deployment.
- Strong Network Segmentation and Access Controls: Designing vehicle network architecture to strictly segment infotainment systems from critical vehicle control domains (e.g., braking, steering). This limits lateral movement if an infotainment system is compromised.
- Secure Bluetooth and Wireless Protocols: Because infotainment systems often integrate Bluetooth stacks (like Blue SDK), patching known vulnerabilities (e.g., PerfektBlue) and enforcing strict authentication and authorization mechanisms for trusted devices can reduce attack surfaces.
- Runtime Monitoring and Anomaly Detection: Implementing real-time monitoring of software behaviour to detect crashes or unusual activity indicative of exploitation attempts, allowing for timely intervention or rollback.
- Supply Chain and AI Model Security: Vetting and securing any third-party or AI components used within infotainment software to avoid introducing vulnerabilities through poisoned training data or insecure open-source models.
- Robust Testing and Validation: Utilizing automated code reviews, testing for timing, concurrency, and fail-safety, and simulating attack scenarios to validate both functional safety and cybersecurity before vehicle release.
These combined approaches reduce the risk from memory safety vulnerabilities in infotainment systems, which are increasingly targeted as entry points for attacks due to their connectivity and integration with vehicle control systems. Early-stage identification, secure software design, and runtime protections are critical for preserving overall vehicle cybersecurity.
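To make the bounds checking named in the first strategy concrete, here is an added C example (not code from this article or from any vehicle or Bluetooth stack) that contrasts an unchecked copy with a parser that validates every length field before it reads or writes. The record layout, `NAME_CAP`, the function names and the sample bytes are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format (an assumption, not a real Bluetooth PDU):
 * [type:1][len:1][value:len] repeated; type 0x01 carries a device name. */
#define NAME_CAP 16
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_NOT_FOUND = -3 };

/* Unsafe pattern, for contrast only (never called here): trusts the sender's
 * length byte for both the read from pkt and the write into name. */
void copy_name_unchecked(const uint8_t *pkt, char *name)
{
    memcpy(name, pkt + 2, pkt[1]);      /* writes past name[] when pkt[1] >= NAME_CAP */
    name[pkt[1]] = '\0';
}

/* Hardened form: each length is checked against the bytes actually received
 * and against the destination capacity before anything is copied. */
int parse_device_name(const uint8_t *pkt, size_t pkt_len, char name[NAME_CAP])
{
    size_t off = 0;
    while (off < pkt_len) {
        if (pkt_len - off < 2)
            return PARSE_TRUNCATED;     /* record header is cut off */
        uint8_t type = pkt[off];
        size_t len = pkt[off + 1];
        off += 2;
        if (len > pkt_len - off)
            return PARSE_TRUNCATED;     /* declared length exceeds received data */
        if (type == 0x01) {
            if (len >= NAME_CAP)
                return PARSE_TOO_LONG;  /* no room for value plus terminating NUL */
            memcpy(name, pkt + off, len);
            name[len] = '\0';
            return PARSE_OK;
        }
        off += len;                     /* skip record types we do not handle */
    }
    return PARSE_NOT_FOUND;
}

const uint8_t SAMPLE_OK[] = { 0x02, 0x01, 0xFF, 0x01, 0x03, 'c', 'a', 'r' }; /* constructed */
const uint8_t SAMPLE_LYING_LEN[] = { 0x01, 0x20, 'A', 'A' }; /* constructed: claims 32, has 2 */
int main(void)
{
    char name[NAME_CAP];
    return parse_device_name(SAMPLE_OK, sizeof SAMPLE_OK, name) != PARSE_OK;
}
```

Comparing against the remaining byte count (`pkt_len - off`) rather than computing `off + len` keeps the check itself free of integer wraparound.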
It's important to note that attackers can potentially harvest personal and location data from drivers and passengers, remotely control basic vehicle functions, and pivot into critical domains like ADAS, braking, and steering modules. Strong network segmentation between infotainment, telematics, and safety-critical domains like ADAS and ECUs is necessary to prevent lateral movement after a breach.
Building Android-based infotainment systems from source can provide more control over security and allow for the insertion of security protections. Embedding secure development practices like threat modeling, fuzz testing, and static analysis into the SDLC for all automotive code is essential.
In the first half of 2025, infotainment systems in vehicles, such as those in Subaru's Starlink, the Nissan Leaf, and potentially 350 million vehicles through the BlueSDK Bluetooth stack, were exploited by hackers. This underscores the urgency for the automotive industry to prioritise vehicle cybersecurity and implement these mitigation strategies to protect both drivers and passengers.