The rise of Software-Defined Vehicles (SDVs) is transforming the automotive industry—but with great connectivity comes great cybersecurity risks. From over-the-air (OTA) updates to vehicle-to-everything (V2X) communication, modern vehicles are more connected than ever, making them prime targets for cyber threats.
In a recent webinar, Florian Rohde, former Tesla engineer and automotive security expert, joined us to discuss the evolving attack surface of SDVs and the API vulnerabilities that hackers exploit. Here's what we learned...
TLDR Key Takeaways
Software-Defined Vehicles (SDVs) Introduce New Cybersecurity Risks Modern vehicles rely on millions of lines of code and advanced connectivity features like OTA updates, V2X communication, and API-enabled functions. While these innovations improve functionality, they also create new cybersecurity challenges that automakers must address.
APIs Are a Major Vulnerability in Connected Vehicles APIs enable crucial vehicle functions such as remote unlocking and real-time diagnostics, but they also provide entry points for cybercriminals. Strong authentication, encryption, and continuous monitoring are essential to safeguard against API-related threats.
Over-the-Air (OTA) Updates Can Be Both a Security Lifeline and an Attack Vector While OTA updates allow for rapid security patches and feature improvements, they also introduce risks like supply chain attacks, rollback vulnerabilities, and swarm attacks. Secure update mechanisms, such as cryptographic signing and rollback protection, are critical to mitigating these risks.
Automakers Must Adopt a Software-First Approach to Stay Competitive Tesla’s success highlights the importance of vertical integration, frequent software updates, and proactive security measures. Traditional automakers must shift from a mechanical-first mindset to a software-driven strategy to compete in the evolving automotive landscape.
How Software-Defined Vehicles Are Changing the Game
The rise of Software-Defined Vehicles (SDVs) is transforming the automotive industry—but with great connectivity comes great cybersecurity risks. From over-the-air (OTA) updates to vehicle-to-everything (V2X) communication, modern vehicles are more connected than ever, making them prime targets for cyber threats.
In a recent webinar, Florian Rohde, former Tesla engineer and automotive security expert, joined us to discuss the evolving attack surface of SDVs and the API vulnerabilities that hackers exploit.
Here’s what we learned.
Why Software-Defined Vehicles Are a Cybersecurity Game-Changer
Modern vehicles are no longer just mechanical machines—they are software on wheels. With millions of lines of code controlling critical functions like acceleration, braking, and autonomous driving, today’s cars resemble highly complex, networked computing systems.
Connected vehicle technologies include:
While these advancements enhance convenience and efficiency, they also create new cybersecurity risks that automakers must address before hackers do.
The API Security Risk: A Soft Underbelly for Hackers
APIs are the backbone of connected vehicles, enabling everything from remote unlocking to real-time diagnostics. But as Sam Curry’s infamous car hacking research revealed, API vulnerabilities can allow attackers to take control of vehicles remotely.
Real-world API threats include:
Darren Shelkusky, API security expert at Ford, called APIs “the soft underbelly of the automotive connected ecosystem.” With cybercriminals targeting APIs as an entry point, automakers must implement strong authentication, encryption, and threat monitoring to stay ahead of attacks.
Over-the-Air (OTA) Updates: Security Lifeline or Attack Vector?
Tesla and other SDV pioneers have revolutionized vehicle software with OTA updates, allowing real-time software patches without a trip to the dealership. While this is a huge advantage for security, it also introduces new risks, such as:
Mitigating these risks requires:
At Tesla, Florian’s team implemented a “ratchet system” that prevented software downgrades once a security patch was installed. Automakers must adopt similar secure update mechanisms to prevent exploitation.
Vehicle-to-Everything (V2X): A New Attack Surface
As cars become more connected, V2X communication introduces both convenience and danger. Vehicles now interact with:
But what happens if a malicious actor hacks into these systems? Imagine a cybercriminal turning all traffic lights green at once or rerouting thousands of cars into a traffic jam—scenarios that are entirely possible without proper security controls.
Florian warns that “the weakest link in the network becomes the easiest attack vector”—whether that’s a poorly secured vehicle, a compromised traffic signal, or a third-party API.
Security priorities for V2X include:
Lessons from Tesla: Why Legacy Automakers Must Think Like Software Companies
Florian’s experience at Tesla highlights the fundamental difference between traditional automakers and SDV pioneers. While legacy brands like Ford, Audi, and Toyota were founded on mechanical engineering, companies like Tesla, Rivian, and Lucid were built as software-first businesses.
Key takeaways from Tesla’s approach:
Traditional automakers must embrace software-first thinking or risk being left behind in an era where cybersecurity is just as important as performance and safety.
Regulations: Are Governments Keeping Up?
Regulatory standards are evolving, but the U.S. is lagging behind.
The UNECE WP.29 cybersecurity regulations now require automakers in Europe to implement cybersecurity management systems (CSMS) and provide 15 years of software security updates after a vehicle’s end of production.
But in the United States, no such cybersecurity mandates exist. While standards like ISO 21434 provide best practices, compliance is not legally required—meaning security varies widely across automakers.
Key automotive cybersecurity standards:
Until stronger regulations are enforced worldwide, automakers must take proactive measures to protect vehicles from cyber threats.
How to Strengthen API Security in Automotive Development
To protect connected vehicles, automakers should:
Want to upskill your team? Take our free API security courses at APIsec University.
Need to test your APIs for vulnerabilities? Try our fully automated API security scanner for free at APIsec.ai/sign-up.