With millions of lines of code and hundreds of software programs managing everything from autonomous systems to braking, software security is now an undeniable component of vehicle safety. The challenge for the industry is balancing rapid innovation with stringent safety and security requirements while also managing costs.
“Automotive companies have become software companies, and their software practices are essential to drive innovation,” said Joe Saunders, Founder and CEO of RunSafe Security, in a recent webinar with Automotive IQ. “When safety and security are combined, it means we can build innovation going forward.”
For modern vehicles, that will mean addressing common vulnerabilities in software to not only minimize security risk, but to maximize innovation and ensure safety overall.
The Growing SDV Market and Its Security Implications
The growth of Software-Defined Vehicles (SDVs) is remarkable, with projections suggesting the SDV market will exceed $650 billion by 2030, representing 15-20% of the entire automotive ecosystem. This growth is driven by both consumer benefits and industry innovation.
For consumers, SDVs offer enhanced connectivity, personalized services, and improved safety features. From the industry perspective, autonomous driving capabilities, electric vehicle technologies, and over-the-air (OTA) update functionality are creating new service models and revenue streams for manufacturers.
However, this software revolution comes with significant security challenges. Modern vehicles now contain upwards of 100 million lines of code across 40-70 different software packages or applications. This dramatic increase in code creates an extensive attack surface that needs addressing.
The Current State of Automotive Cyber Attacks
Recent industry reports paint a concerning picture of the vulnerability landscape:
- 92% of automotive attacks in 2024 were remotely executed
- 70% of attacks could potentially affect thousands or millions of devices across different manufacturers due to common software and architectures
- 35% of attacks involved car system manipulation
These statistics highlight the growing risk of cyber threats to connected vehicles. “In the automotive industry, if you think about autonomous driving and attack vectors that could affect car system manipulation, I think everyone would agree that security is really about safety,” Joe said. “With more software, it means we have a chance to find ways to generate more security for these applications.”
3 Common Vulnerabilities in Software-Defined Vehicles
Vulnerabilities are commonly found in three areas of SDVs: electronic control units, Advanced Driver Assistance Systems (ADAS), and infotainment systems. Infotainment systems in particular are becoming a bigger risk, due to new connectivity features.
Infotainment Systems
Hacks against vehicle infotainment systems were in the news in early 2025. Over a dozen vulnerabilities were discovered in a Mercedes-Benz infotainment system. Security flaws in Subaru’s Starlink-connected infotainment system allowed hackers to remotely control the vehicle, including turning it on and off, unlocking it, and more.
Hackers can gain access to data and location information through these systems. More concerning, as recent examples show, infotainment systems are often used as an on-ramp to other critical vehicle systems.
“Not all vehicles today are segmented from a security perspective and people can jump from one component to the other,” Joe said.
Electronic Control Units (ECUs) in Automobiles
Vulnerabilities in real-time operating systems (RTOS) can be exploited once attackers gain access to a vehicle’s systems. “ECUs are an easy target once an attacker is on board,” Joe said.
Because ECUs are most commonly programmed in languages like C and C++, they are susceptible to memory safety vulnerabilities. An attacker who exploits a memory safety vulnerability in the ECU firmware could take runtime control and cause erratic vehicle behavior.
Advanced Driver-Assistance Systems (ADAS)
Advanced Driver-Assistance Systems (ADAS) are similarly susceptible to memory safety vulnerabilities. “In many cases, in the underlying software, like ADAS, we have seen that the vulnerabilities are related to memory safety vulnerabilities.”
ADAS enhances safety using sensors, cameras, radar, and complex software. A successful attack could alter sensor data or decision-making algorithms, endangering the vehicle’s safety. For example, memory corruption in sensors could result in incorrect object detection, leading to collisions or other dangerous situations.
Case Study: Tesla Vulnerabilities
An example of a memory-based vulnerability in automotive software is CVE-2022-42431, a critical buffer overflow vulnerability discovered in Tesla Model 3 vehicles. A buffer overflow is a classic memory safety vulnerability that ultimately allows an attacker either to escalate privileges or even gain the ability to execute arbitrary code.
The implications are severe: “What that means is they can ultimately leverage the existing code and do something that wasn’t originally intended by the original developer for that feature,” Joe said. “These kinds of vulnerabilities are very critical and ultimately get rated through the services as the highest severity scores.”
These examples illustrate how memory safety vulnerabilities—classic issues in software developed using “memory unsafe” languages like C and C++—pose significant risks to vehicle security and, by extension, passenger safety.
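The buffer overflow class described above, shown as an added example (not code from Tesla, RunSafe, or any vehicle platform): a hypothetical ECU handler copies a length-prefixed diagnostic payload into a fixed buffer, first trusting the sender's length byte and then validating it. The frame layout, sizes, and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 8u /* assumed size of the ECU task's payload buffer */

/* Hypothetical frame layout (constructed for this example):
 * byte 0 = message id, byte 1 = declared payload length, bytes 2.. = payload */
struct diag_msg { uint8_t id; uint8_t len; uint8_t payload[PAYLOAD_MAX]; };

/* Unsafe pattern: trusts the length byte. A declared length above PAYLOAD_MAX
 * writes past out->payload; one above the bytes received reads past frame. */
void parse_unchecked(const uint8_t *frame, struct diag_msg *out)
{
    out->id = frame[0];
    out->len = frame[1];
    memcpy(out->payload, frame + 2, out->len);
}

/* Hardened form: validate both bounds before copying; out untouched on reject. */
int parse_checked(const uint8_t *frame, size_t frame_len, struct diag_msg *out)
{
    if (frame == NULL || out == NULL || frame_len < 2 || frame[1] > PAYLOAD_MAX)
        return -1;                 /* no header, or would overflow destination */
    if ((size_t)frame[1] > frame_len - 2)
        return -1;                 /* would read past the received bytes */
    out->id = frame[0];
    out->len = frame[1];
    memcpy(out->payload, frame + 2, out->len);
    return 0;
}

/* Constructed sample frames. */
static const uint8_t FRAME_OK[]    = { 0x22, 3, 0xAA, 0xBB, 0xCC };
static const uint8_t FRAME_LONG[]  = { 0x22, 200, 0xAA, 0xBB, 0xCC }; /* len > buffer */
static const uint8_t FRAME_TRUNC[] = { 0x22, 6, 0xAA, 0xBB };       /* len > received */

int main(void)
{
    struct diag_msg m = {0};
    printf("ok=%d\n", parse_checked(FRAME_OK, sizeof FRAME_OK, &m));
    printf("long=%d\n", parse_checked(FRAME_LONG, sizeof FRAME_LONG, &m));
    printf("trunc=%d\n", parse_checked(FRAME_TRUNC, sizeof FRAME_TRUNC, &m));
    return 0;
}
```

The checked parser rejects both the oversized and the truncated frame, while the unchecked one would copy 200 bytes into an 8-byte buffer for the second frame.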
Best Practices for Securing Software-Defined Vehicles
1. Implement Software Development Lifecycle Practices
Over the past decade, the industry has seen dramatic improvements in the software development lifecycle. Automotive manufacturers should continue to enhance these practices by:
- Implementing secure coding standards
- Conducting thorough threat modeling
- Utilizing automated vulnerability detection tools
- Integrating security protections into the development process
2. Adhere to Automotive Safety and Security Standards
Standards like Automotive Safety Integrity Levels (ASIL), which define four levels of safety classification based on risk to passengers, play a crucial role in ensuring vehicle security. These standards, along with industry frameworks like ISO 26262 and AUTOSAR, provide essential guidelines for secure development.
3. Deploy Runtime Protection Systems
One of the most effective security strategies is implementing runtime memory protection at the software build stage. This approach eliminates the entire class of memory-based vulnerabilities, which account for 40-70% of all vulnerabilities in these systems, without requiring code rewrites or adding system overhead.
4. Leverage Over-the-Air Updates
OTA update capabilities provide a mechanism for addressing vulnerabilities and deploying security patches throughout a vehicle’s lifecycle, allowing manufacturers to continuously improve security posture even after vehicles have been deployed to customers.
5. Manage Software Supply Chain Risk
With the complexity of automotive software supply chains, addressing and mitigating third-party software risks and risks from open source software is crucial. Steps include:
- Requiring suppliers to provide Software Bills of Materials (SBOMs)
- Conducting security assessments of third-party components
- Establishing transparent communication channels with suppliers
- Proactively identifying and addressing vulnerabilities in the supply chain
The Road Ahead for Automotive Software Security
As the automotive industry continues its transformation toward software-defined vehicles, security must be a foundational consideration rather than an afterthought. By implementing secure development practices, adhering to industry standards, deploying runtime protections, and managing supply chain risks, manufacturers can create vehicles that are both innovative and secure.
The key takeaways for automotive manufacturers and OEMs:
- ECUs, ADAS, and infotainment systems are particularly vulnerable to memory safety vulnerabilities
- Software security is now an undeniable component of vehicle safety
- Focusing on safety and security today will enable innovation and resilience against future risks
By addressing these challenges head-on, the automotive industry can continue to drive innovation while ensuring the safety and security of the vehicles that consumers depend on every day.