Why Connected Cars Need “Less Data,” Not More: Cybersecurity, Autonomy, and the Future of Connected Cars

Posted on February 10, 2026
Author: RunSafe Security

Connected vehicles are getting smarter by the model year, but also noisier, more exposed, and harder to secure. Cars include dozens of computers and sensors, plus cameras, microphones, and wireless connections that constantly observe what is happening inside and outside the vehicle. They collect and process data on everything from seat occupancy and location to driving behavior and infotainment usage.

As Marelli’s Sean McKeever points out, “they’re like 5,000-pound smartphones, really.” And with all this data available, the industry needs to consider how to best handle cybersecurity, safety, and privacy.

In this episode of Exploited: The Cyber Truth, Paul Ducklin sits down with McKeever and RunSafe CEO Joe Saunders to explore why automotive cybersecurity will be won by designing vehicles to need less data, expose less surface area, and stay resilient even when patching can’t happen fast enough.

Constant Connectivity and the Data Privacy Tradeoff

Connected vehicles continuously generate data, including location and driving behavior, seat occupancy, camera feeds, and infotainment usage. While this data can improve safety, maintenance, and user experience, it also raises questions about privacy, long-term retention, and what happens when that data is accessed by the wrong people.

As Sean McKeever explains, collecting everything isn’t just risky, it’s also expensive and often unnecessary:

“If you make a million vehicles a year and you collect 24/7 telematics on all million of those vehicles, you’re not going to make any money on them by the end of that year.”

The more data that exists, the more data can be breached. A smarter approach to automotive cybersecurity starts with intentional data stewardship:

  • Collect only the data needed to deliver a specific feature
  • Minimize retention and storage
  • Reduce exposure by design

“If you don’t have the data, you can’t have it breached,” McKeever said.

The “less is more” mindset mirrors broader cybersecurity best practices and becomes more important as connected vehicles scale globally.
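
The three stewardship points above, as an added sketch that is not code from RunSafe, Marelli or the podcast: a default-deny collection gate plus a retention purge. The signal names, feature names and retention values are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds

# Constructed policy: every signal is tied to the one feature that needs it
# and to a retention limit. Signal and feature names are hypothetical.
POLICY = {
    "gps_position":   {"feature": "stolen_vehicle_tracking", "retain_s": 1 * DAY},
    "battery_health": {"feature": "predictive_maintenance",  "retain_s": 30 * DAY},
    "seat_occupancy": {"feature": "airbag_control",          "retain_s": 0},  # used on board, never stored
}

@dataclass
class Record:
    signal: str
    value: object
    collected_at: float

def minimize(sample: dict, enabled_features: set, now: float) -> list:
    """Keep only signals that an enabled feature needs (default deny)."""
    kept = []
    for signal, value in sample.items():
        rule = POLICY.get(signal)
        if rule is None or rule["feature"] not in enabled_features:
            continue  # no enabled feature needs it, so it is never collected
        if rule["retain_s"] == 0:
            continue  # consumed in real time, nothing to store
        kept.append(Record(signal, value, now))
    return kept

def purge(store: list, now: float) -> list:
    """Drop records older than the retention limit of their signal."""
    return [r for r in store
            if now - r.collected_at <= POLICY[r.signal]["retain_s"]]

# Constructed sample of what a vehicle could report in one tick.
SAMPLE = {
    "gps_position": (42.33, -83.05),
    "battery_health": 0.97,
    "seat_occupancy": [1, 0, 0, 0],
    "cabin_audio": b"\x00\x01",           # not in POLICY, so never collected
    "infotainment_history": ["radio"],    # not in POLICY, so never collected
}

if __name__ == "__main__":
    store = minimize(SAMPLE, {"predictive_maintenance", "airbag_control"}, now=0)
    print([r.signal for r in store])
    print([r.signal for r in purge(store, now=31 * DAY)])
```

Signals with no entry in the policy are dropped before storage, so adding a new data stream requires naming the feature that justifies it and how long it may be kept.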

Autonomous Vehicles and Real-World Beta Testing

Autonomy introduces a different kind of risk. Software decisions can have immediate physical consequences, especially when vehicles are expected to interpret the real world in real time.

Advanced driver-assistance systems (ADAS) such as lane-keeping assist and automatic emergency braking are already common. These systems continue to improve and help reduce accidents in many everyday scenarios. Higher levels of autonomy face a harder problem. They need to handle edge cases that do not fit clean training data, including unusual environments, unexpected objects, and rare situations that are difficult to predict.

McKeever explains why the last stretch of the problem is the hardest:

“It’s that 10% edge case of how quickly can these automated systems learn to react safely? And those outliers are the more dangerous ones.”

That reality raises difficult questions for automakers, regulators, and the public:

  • How much risk is acceptable on public roads?
  • Who bears responsibility when systems fail?
  • How quickly can autonomous software adapt to unpredictable conditions?

From a vehicle cybersecurity perspective, autonomy also expands the attack surface. It increases the need for strong system isolation, authenticated communications, and resilience when patches are not immediately available.

Vehicle theft has shifted from a physical crime to a software-driven one. Attackers do not always need to break windows or hot-wire an ignition. In many cases, they exploit keyless entry systems using RF relay attacks. With inexpensive, widely available radio hardware, criminals can intercept and replay key fob signals, unlocking and starting vehicles without leaving visible evidence.

As Ducklin notes during the conversation, modern theft often leaves no obvious trace. McKeever agrees:

“There’s no broken window. There’s no damage.”

Even worse, the vehicle may not detect anything suspicious at all:

“From the vehicle’s perspective, it’s a completely legitimate use of the vehicle. It sees it as the key has been presented, I have opened the door, I have started the vehicle and the owner is driving.”

This shift highlights a growing challenge for connected vehicles. Convenience features are popular, but they also create new openings for attackers when security assumptions do not hold up in real-world conditions. McKeever points to the broader trend of cheap and accessible RF tooling:

“Commoditization of RF equipment with things like a Flipper Zero or a HackRF One or just an SDR… for $20 off of Amazon can do a whole lot of functionality very difficult to achieve 10 years ago.”

Addressing this problem will likely require multi-factor approaches and new design assumptions, not only stronger encryption.

Software-Defined Vehicles Demand Security by Design

Unlike smartphones or laptops, vehicles take years to design and often stay on the road for more than a decade. That long lifecycle creates a unique cybersecurity challenge, especially as new vulnerabilities are discovered long after deployment.

As Sean McKeever explains:

“Cars take five to seven years from concept to product rolling out to customers.”

At the same time, modern vehicles run a mix of complex software systems across infotainment, telematics, and safety-critical functions. Joe Saunders described the reality inside modern vehicles:

“There is a combination of different operating systems. There would be Linux based systems. There’d be real time operating systems, and there would even be Android based operating systems on these vehicles.”

That complexity makes collaboration and transparency across the supply chain essential, including visibility into what software components are deployed and how vulnerabilities are managed over time. It also reinforces the need for cybersecurity to be treated as a core design decision from the beginning.

As Saunders explains:

“I envision more and more security built into the software systems from the first place with an eye towards exploit prevention. And even when patches are not available.”

Connected vehicles are here to stay. The road ahead depends on building systems that collect less unnecessary data, limit exposure by default, and stay resilient over the long life of the vehicle.

Modern cars run software for the long haul. See how RunSafe helps automotive teams identify vulnerabilities and reduce exploitability in production systems.
