As software-defined vehicles take center stage in the automotive industry, cybersecurity is no longer an optional layer. It is a foundational requirement for both safety and security. In episode 8 of Exploited: The Cyber Truth, RunSafe Security Founder and CEO Joe Saunders joins host Paul Ducklin to explore how Secure by Design principles, memory safety, and proactive supply chain controls can help the automotive sector get ahead of growing cyber risks.
With modern vehicles containing over 100 million lines of code and dozens of software components, attack surfaces are expanding. And as Joe points out early in the episode, today’s vehicles aren’t just “computers on wheels”—they’re entire software ecosystems in motion.
Listen the full episode:
Automotive Cybersecurity Risks in Software-Defined Vehicles
The convenience of real-time navigation, remote keyless entry, and seamless phone integration comes with a hidden cost: exposure. According to Joe, 92% of cyberattacks in the automotive space in 2024 were conducted remotely—many affecting millions of vehicles at once. Attackers are increasingly leveraging the very protocols that enhance user experience to manipulate vehicle systems, including brakes, steering, and door locks.
Complicating matters further is the long-standing reliance on the CAN bus protocol for in-vehicle messaging. While essential for transmitting signals between components like brake pedals and wheel systems, the CAN bus was never designed with security in mind, and its widespread use makes replacing it a monumental task.
“The traditional protocol and networking through the CAN bus does feel like a bit of a dinosaur in the automotive industry, and unfortunately, we can’t just get rid of it.” — Joe Saunders
Safety and Security: Two Sides of the Same Coin
When it comes to compliance, frameworks like ISO 26262 and its Automotive Safety Integrity Level (ASIL) classifications are essential. These standards guide manufacturers in assessing and minimizing the risks associated with both hardware and software failures, especially in systems where human safety is on the line.
From ASIL A (least critical) to ASIL D (most critical), these classifications help developers determine the necessary level of rigor required for different components. Joe uses the example of backup lights (ASIL A) versus fully autonomous driving controls (ASIL D) to illustrate how cybersecurity is increasingly being embedded into broader safety discussions.
Memory Safety and Real-Time Operating Systems
A key focus of the episode is the importance of memory safety in securing embedded systems like ECUs and infotainment units. Vulnerabilities in these systems can lead to catastrophic outcomes, especially when attackers exploit low-level memory bugs to gain control of vehicle operations.
RunSafe’s platform addresses this challenge head-on by hardening binaries against memory-based attacks without requiring changes to source code. This is especially relevant for real-time operating systems (RTOS) such as QNX and embedded Linux, which are commonly used across millions of vehicles.
Untangling the Automotive Supply Chain
One of the most pressing and complex challenges for automakers is managing their global, multi-tier supply chains. Software Bills of Materials (SBOMs) play a critical role here by offering visibility into the origin and composition of every software component.
“There are restrictions in the United States… you can’t get [automotive components] from China or Russia. How do you know that a software component is not built by an entity from one of those countries?” — Joe Saunders
The automotive supply chain doesn’t just involve hardware. It also includes firmware, embedded software, and third-party libraries. Without tools like SBOMs and strong vendor verification processes, organizations are vulnerable to both intentional backdoors and unintentional compliance violations.
Shift Security Left in Automotive Software Development
The episode concludes with a discussion around the concept of “shifting left”—embedding security early in the software development lifecycle instead of treating it as a post-production checkbox.
For automotive development teams, this includes:
- Incorporating security testing during the build and integration stages
- Using automated tools to validate compliance with ISO and ASIL standards
- Understanding the security posture of all platforms used (RTOS, embedded Linux, Android, etc.)
“It’s far easier to add in security as you’re building something than to find out you have a big exposure… and then go back and fix everything retroactively.” — Joe Saunders
This proactive approach reduces the likelihood of costly recalls and ensures that safety isn’t sacrificed for convenience or speed to market.
Final Thoughts: Future-Proofing Automotive Cybersecurity
Software-defined vehicles are reshaping transportation and with that innovation comes risk. As Joe highlights throughout the conversation, aligning cybersecurity with functional safety is essential for building trust, meeting regulatory demands, and ultimately protecting drivers and passengers.
If you’re building or securing vehicle systems, the time to shift left is now.
