The automotive sector has experienced monumental change over the last decade, with one of the biggest shifts being the move towards software-defined vehicles (SDVs), says Trustonic.

Although this development is unlocking a multitude of opportunities, it has introduced new challenges — not least when it comes to cyber security.

Andrew Till (pictured above), general manager of Secure Platform at cyber security company Trustonic, has decades of experience in connected technologies and embedded security.

He shares his perspective on the evolving threat landscape, explaining why systems like infotainment and OTA (over the air) updates are prime hacker targets and why secure-by-design thinking is now essential, not just for compliance, but to instil consumer trust, ensure resilience and protect brand reputation.

Fleet News: What are the biggest cyber security risks emerging from the shift to software-defined vehicles?

Andrew Till: “As vehicles become more software-defined, they’re effectively turning into mobile computers — bringing both innovation and increased cyber security risk. The complexity of software systems, greater connectivity and cloud integration expand the potential attack surfaces that can be exploited.

“A key challenge lies in aligning the entire supply chain around a shared security architecture. If companies continue working in isolation — as has historically been the automotive industry’s approach to security — more vulnerabilities will emerge.

“SDVs often reuse core cyber security software across multiple domains, meaning a weakness in one area can cascade across the vehicle.

“Importantly, SDVs are dismantling the ‘security through isolation’ principle that automotive has relied on for decades. Internal domains are now interconnected, so even a simple component like a wireless tyre pressure sensor could be used as an entry point to launch an attack on more critical systems.

“This isn’t just an R&D issue — the move to SDVs is a structural transformation that impacts every part of an OEM’s business.”

FN: Why are infotainment systems and OTA updates becoming such attractive targets for hackers?

AT: “Quite simply, they’re familiar terrain for attackers. Modern IVI (in-vehicle infotainment) systems run on platforms also used in consumer devices like smartphones — making them easier to access, study and exploit using widely available tools.

“In contrast, domains such as network gateways are much harder for a hacker to get their hands on and require a much deeper level of automotive expertise.

“IVIs are also designed to connect to external devices via Wi-Fi or Bluetooth, creating multiple potential attack vectors.

“Meanwhile, OTA updates are essential for vehicle maintenance and security but, if compromised, they can provide hackers with large-scale access to an entire fleet.

“Typically, bad actors will try to launch man-in-the-middle or injection attacks to include their payload in another’s valid system update.

“These systems are critical to ensuring that a vehicle’s security can be maintained throughout its lifetime and therefore need to be rigorously protected.”

FN: What are some real-world examples or case studies that show how these weaknesses have already been exploited?

AT: “One of the most famous cases remains the Jeep Cherokee hack, where researchers remotely accessed the vehicle via its infotainment system and then gained access to other critical systems, but this isn’t an isolated case.

“The annual Pwn2Own Tokyo event provides an insight into current attack trends, with recent winners exploiting issues like poor system configuration, missing signature verification and unprotected hardware ports. These are fundamental cyber security flaws that show how real and current the threat is.

“Today, attackers are targeting everything, from EV charging stations to in-vehicle systems and even cloud platforms.”

FN: Is there a common misunderstanding among manufacturers when it comes to securing connected vehicles?

AT: “One major misconception is that cyber security can be added late in development but, in reality, it needs to be part of the foundation. Another is the belief that securing the cloud is enough.

“While cloud security is essential, many OEMs still underestimate the risks posed by compromised in-vehicle hardware. Strong attestation mechanisms, signature verification and understanding the trust levels of data must all be prioritised.

“A secure cloud doesn’t help much if the device connecting to it has been breached.”

FN: How can secure-by-design thinking help OEMs get ahead of the regulatory curve?

AT: “Secure-by-design transforms security from a box-ticking exercise into a long-term philosophy that encompasses the whole supply chain. If cyber security is treated as just another feature, companies risk falling short when regulations evolve or threats escalate.

“OEMs need to plan not just for today, but for a decade down the road. That means building in the ability to adapt and strengthen protection over time — keeping pace with regulatory frameworks like UNECE WP29 and ISO/SAE 21434.

“Type Approval authorities are also shifting their focus, increasingly looking at a vehicle’s ability to stay secure over time (evergreen capabilities), not just the manufacturer’s security management systems. Being proactive now will save time, cost and risk later.”

FN: What’s the commercial risk for car brands who delay action on embedded cyber security?

AT: “The risks are significant and growing. Consumers are becoming more aware of cyber security, driven in part by marketing from mobile and tech brands like Apple and Samsung, and are bringing those expectations into the automotive space.

“Brands that fail to prioritise security risk losing customer trust and could face reputational damage if a breach occurs.

“In some cases, there could be serious legal and financial consequences, especially if insurers determine that an OEM failed to meet its cyber security obligations.

“The Land Rover insurance issues in 2024 are a recent example of how quickly these risks and consumer awareness can escalate.”

FN: What should OEMs be asking of their Tier 1 and software suppliers to ensure a secure vehicle ecosystem?

AT: “First and foremost is to collaborate. Protecting the ecosystem requires OEMs, Tier 1s, and software suppliers to work together on architecture, implementation, testing and remediation, not in isolation.

“OEMs should ensure partners understand their core cyber security principles and demand transparency in development practices. This includes secure coding, regular patching and hardware-level protections like encrypted communication and secure boot.

“It’s also time to reward the right behaviour. Highlight Tier 1s and suppliers who lead in secure-by-design approaches, not just those who minimise risk. Sharing success stories and case studies can promote a more positive and proactive industry culture.”

AT: “I would just reiterate that collaboration across the industry is key. No single organisation can solve these challenges alone.

“At Trustonic, we believe that shared responsibility and open dialogue between OEMs, Tier 1s, regulators and cyber security providers is essential.

“As vehicles become more connected, trust will be the foundation of customer loyalty, fleet operator confidence and brand strength. Getting cyber security right is critical to earning and maintaining that trust.”