While the automotive industry is celebrating software-defined vehicles (SDVs) as the future of mobility, consumers are increasingly wary of the safety of connected and autonomous vehicles due to cybersecurity fears. Recent research shows that 65 percent of drivers believe remote hacking of a vehicle is possible, and 70 percent would consider buying an older, less connected car to reduce cyber risk.
Consumer fears aren’t unfounded. Just this year, flaws in the Subaru Starlink system and Nissan Leaf infotainment platform allowed for remote access to sensitive customer data and vehicle functions. A total of 92 percent of automotive attacks in 2024 were remotely executed.
Unlike in other software industries, a successful cyberattack on or failure in automotive systems can result in direct harm to users or bystanders. Think remote control of braking systems, safety systems, and more. The features that make SDVs unique, like connectivity, hundreds of ECUs, and ADAS, also put vehicles and consumers at risk.
Automotive companies are now software companies. The way that software is developed and secured affects vehicle safety, innovation, and consumer trust.
Safety and Cybersecurity Are One and the Same
Cybersecurity in vehicles has often been framed as a “data protection” issue, but the bigger story is about safety. Consumers also agree on this front: 79 percent say protecting their physical safety from cyberattacks is more important than safeguarding the personal data inside their cars.
Because today’s vehicles contain 100s of millions of lines of code, powering everything from steering and braking to collision-avoidance systems, a single vulnerability can quickly lead to dangerous outcomes. The infamous Jeep Cherokee hack of 2015 illustrated this risk, with a software flaw enabling the manipulation of vehicle’s systems, including controlling braking and shutting down the engine while the vehicle was in motion.
It’s clear that there is no mobility without safety and no safety without cybersecurity.
Automotive Cybersecurity Weak Spots
More software and connectivity in vehicles means more opportunities for compromise. Automotive cybersecurity stats show that software-defined components are growing as a target, with telematics, APIs, and infotainment systems seeing the largest increase in recorded cyber incidents.
To address underlying issues in code, best practices include building in security from the start, like runtime protections, and making full use of over-the-air (OTA) updates to speed along patches and security fixes. These proactive measures go a long way toward overall security and safety.
The risks aren’t just in the software that automakers develop in-house—they ripple through the entire software supply chain, where a single vulnerable component can endanger millions of vehicles. Third-party vendors, open-source libraries, and commercial off-the-shelf software all introduce hidden risks that can hide inside automotive systems.
This poses serious safety problems. A single safety-critical vulnerability affecting a widely deployed model could impact millions of vehicles, potentially leading to accidents, injuries, or fatalities. For example, in what's been called the “PerfektBlue Attack,” researchers discovered critical vulnerabilities in the BlueSDK Bluetooth stack that could have allowed remote code execution on car systems of millions of vehicles.
Build-time Software Bills of Materials (SBOMs) give automakers the visibility that complex software supply chains often obscure, enabling them to pinpoint vulnerable components, trace the provenance of critical code, and hold vendors to higher security standards.
By correlating each software element with public vulnerability databases, SBOMs accelerate patching and streamline incident response, helping teams rapidly assess which systems are exposed when new threats emerge. Full visibility into software opens the door to vehicle resilience.
Shifting Gears on Security and Consumer Confidence
As autonomous and driver-assist systems take the wheel, cybersecurity is a physical safety requirement. Just as airbags and braking systems are tested and proven, security must be built in from day one and continuously verified so that consumers can trust the vehicles they drive. OEMs can no longer rely on the assumption that security is “under the hood.”
Tools like SBOMs, rigorous vendor oversight, and rapid vulnerability remediation must be visible and verifiable. Only by showing consumers that every line of code is accounted for and every risk is managed can automakers close the loop between software integrity and safety and earn the trust that will drive adoption of connected vehicles.
Without demonstrable cybersecurity, there is no safety and without safety, there is no trust. Automakers that secure their software, manage their supply chains, and clearly communicate these protections will define the future of mobility. Those who fail will find their innovations stalled by fear and skepticism, no matter how advanced the vehicles.
Joe Saunders is Founder & CEO of RunSafe Security.
