API Security

How Software-Defined Vehicles Are Changing the Game

February 19, 2025

7 minutes

The rise of Software-Defined Vehicles (SDVs) is transforming the automotive industry—but with great connectivity comes great cybersecurity risks. From over-the-air (OTA) updates to vehicle-to-everything (V2X) communication, modern vehicles are more connected than ever, making them prime targets for cyber threats.

In a recent webinar, Florian Rohde, former Tesla engineer and automotive security expert, joined us to discuss the evolving attack surface of SDVs and the API vulnerabilities that hackers exploit. Here's what we learned...

‍

🔸

Software-Defined Vehicles (SDVs) Introduce New Cybersecurity Risks Modern vehicles rely on millions of lines of code and advanced connectivity features like OTA updates, V2X communication, and API-enabled functions. While these innovations improve functionality, they also create new cybersecurity challenges that automakers must address.

🔸

APIs Are a Major Vulnerability in Connected Vehicles APIs enable crucial vehicle functions such as remote unlocking and real-time diagnostics, but they also provide entry points for cybercriminals. Strong authentication, encryption, and continuous monitoring are essential to safeguard against API-related threats.

🔸

Over-the-Air (OTA) Updates Can Be Both a Security Lifeline and an Attack Vector While OTA updates allow for rapid security patches and feature improvements, they also introduce risks like supply chain attacks, rollback vulnerabilities, and swarm attacks. Secure update mechanisms, such as cryptographic signing and rollback protection, are critical to mitigating these risks.

🔸

Automakers Must Adopt a Software-First Approach to Stay Competitive Tesla’s success highlights the importance of vertical integration, frequent software updates, and proactive security measures. Traditional automakers must shift from a mechanical-first mindset to a software-driven strategy to compete in the evolving automotive landscape.

How Software-Defined Vehicles Are Changing the Game

In a recent webinar, Florian Rohde, former Tesla engineer and automotive security expert, joined us to discuss the evolving attack surface of SDVs and the API vulnerabilities that hackers exploit.

Here’s what we learned.

Why Software-Defined Vehicles Are a Cybersecurity Game-Changer

Modern vehicles are no longer just mechanical machines—they are software on wheels. With millions of lines of code controlling critical functions like acceleration, braking, and autonomous driving, today’s cars resemble highly complex, networked computing systems.

Connected vehicle technologies include:

Over-the-Air (OTA) Updates – delivering real-time software patches and feature enhancements
V2X Communication – allowing cars to talk to each other, traffic lights, and infrastructure
API-Enabled Features – enabling remote control of car functions via mobile apps
AI-Driven Autonomous Capabilities – making real-time driving decisions

While these advancements enhance convenience and efficiency, they also create new cybersecurity risks that automakers must address before hackers do.

The API Security Risk: A Soft Underbelly for Hackers

APIs are the backbone of connected vehicles, enabling everything from remote unlocking to real-time diagnostics. But as Sam Curry’s infamous car hacking research revealed, API vulnerabilities can allow attackers to take control of vehicles remotely.

Real-world API threats include:

Unlocking doors remotely
Starting or stopping vehicles
Tracking vehicle locations in real time
Gaining unauthorized access to user accounts

Darren Shelkusky, API security expert at Ford, called APIs “the soft underbelly of the automotive connected ecosystem.” With cybercriminals targeting APIs as an entry point, automakers must implement strong authentication, encryption, and threat monitoring to stay ahead of attacks.

Over-the-Air (OTA) Updates: Security Lifeline or Attack Vector?

Tesla and other SDV pioneers have revolutionized vehicle software with OTA updates, allowing real-time software patches without a trip to the dealership. While this is a huge advantage for security, it also introduces new risks, such as:

Supply Chain Attacks – If an update server is compromised, hackers can push malicious code to thousands of vehicles.
Rollback Vulnerabilities – Attackers can force a car to downgrade to an older, vulnerable version of the software.
Swarm Attacks – If an attacker exploits a flaw, they could simultaneously impact a large fleet of connected vehicles.

Mitigating these risks requires:

Cryptographic signing of software updates
Rollback protection mechanisms
Continuous monitoring for suspicious update requests

At Tesla, Florian’s team implemented a “ratchet system” that prevented software downgrades once a security patch was installed. Automakers must adopt similar secure update mechanisms to prevent exploitation.

Vehicle-to-Everything (V2X): A New Attack Surface

As cars become more connected, V2X communication introduces both convenience and danger. Vehicles now interact with:

Traffic lights (for real-time signal changes)
Other vehicles (for navigation and collision avoidance)
Smart city infrastructure (for optimizing traffic flow)

But what happens if a malicious actor hacks into these systems? Imagine a cybercriminal turning all traffic lights green at once or rerouting thousands of cars into a traffic jam—scenarios that are entirely possible without proper security controls.

Florian warns that “the weakest link in the network becomes the easiest attack vector”—whether that’s a poorly secured vehicle, a compromised traffic signal, or a third-party API.

Security priorities for V2X include:

Authenticating all messages between vehicles and infrastructure
Encrypting V2X communication to prevent tampering
Monitoring traffic control systems for suspicious activity

Lessons from Tesla: Why Legacy Automakers Must Think Like Software Companies

Florian’s experience at Tesla highlights the fundamental difference between traditional automakers and SDV pioneers. While legacy brands like Ford, Audi, and Toyota were founded on mechanical engineering, companies like Tesla, Rivian, and Lucid were built as software-first businesses.

Key takeaways from Tesla’s approach:

Vertical Integration – Building software and hardware in-house instead of relying on third-party suppliers
Frequent Software Updates – Rolling out updates every 6-12 weeks instead of leaving vehicles unpatched
Over-the-Air Security Fixes – Addressing vulnerabilities before hackers can exploit them

Traditional automakers must embrace software-first thinking or risk being left behind in an era where cybersecurity is just as important as performance and safety.

Regulations: Are Governments Keeping Up?

Regulatory standards are evolving, but the U.S. is lagging behind.

The UNECE WP.29 cybersecurity regulations now require automakers in Europe to implement cybersecurity management systems (CSMS) and provide 15 years of software security updates after a vehicle’s end of production.

But in the United States, no such cybersecurity mandates exist. While standards like ISO 21434 provide best practices, compliance is not legally required—meaning security varies widely across automakers.

Key automotive cybersecurity standards: