Why Securing Autonomous Vehicles Must Start Now

Posted on September 17, 2025
Author: RunSafe Security

The automotive industry is racing toward a driverless future. But with innovation comes an undeniable truth: cybersecurity will determine whether autonomy delivers on its promise or stalls in its tracks. From advanced driver-assistance systems to fully autonomous taxis, cars are becoming software-defined vehicles, reliant on connectivity, sensors, and millions of lines of code.

In a recent episode of Exploited: The Cyber Truth, RunSafe Security CEO Joe Saunders joined Gabriel Gonzalez of IOActive to discuss the real-world vulnerabilities threatening connected cars and, more importantly, how the industry can build resilience from the ground up. Their insights shed light on both the dangers and the opportunities shaping the future of mobility.

As Joe puts it: “Vehicles are loaded with software. If you think about it, they are software systems with wheels as opposed to cars with individual components.”


When Connectivity Becomes an Open Door

Consider the humble telematics unit, the “black box” that connects vehicles to cellular networks. Gabriel Gonzalez and his team discovered that insecure MQTT configurations in fleet vehicles could let attackers intercept messages, track cars, and even take remote control.

“They found that they could actually fully control the car. It could unlock the car and get all the messages from the car,” Gabriel explained about the vulnerability his team discovered.

It’s a chilling reminder that an entire fleet could be compromised by one misconfigured server.

This is a technical flaw and a business risk. For logistics companies, mobility providers, or public safety fleets, a cyber incident could mean service disruption, financial loss, and reputational damage.

The Expanding Attack Surface of Modern Cars

Today’s vehicles contain dozens of applications, from ECUs to infotainment systems and advanced driver assistance modules. “There are hundreds of millions of lines of code now on automobiles and vehicles today. There is a lot of attack surface and therefore a lot of opportunity for things to go awry,” Joe noted.

  • Infotainment systems are no longer isolated—they often link directly to safety-critical functions.
  • Shared, autonomous taxis introduce the risk of physical tampering by passengers.
  • Software supply chain complexity means vulnerabilities can lurk deep within third-party components.

As Gabriel points out: “In a taxi or similar autonomous vehicles, you don’t know what the previous passenger did to the vehicle.” Even simple actions like moving a seat could become dangerous if controlled by an attacker during driving.

Software supply chain complexity adds another layer of risk. “In automotive, there are different types of companies. Some of them are just integrators. They don’t even own the code for the ECUs,” Gabriel explained, highlighting how vulnerabilities can originate far from the final vehicle manufacturer.

It’s not enough to patch vulnerabilities after the fact. Security must be part of the design of modern vehicles, not an afterthought.

Building Resilience Through Security-by-Design

So what’s the path forward? Both Joe and Gabriel emphasized one guiding principle: security-by-design.

Key strategies include:

  • Build-time protection: Hardening software before it ever hits the road reduces exploitability.
  • Software supply chain visibility: OEMs must demand transparency from tiered suppliers and enforce security standards.
  • Memory safety and runtime defense: Preventing buffer overflows and code execution attacks is non-negotiable.

“Building security into those components prior to shipping can certainly reduce the exposure and the problem that you would suffer from having to patch components,” Joe emphasized. “Build-in security that protects the device at runtime, I think, ultimately is a good approach.”

Collaboration Is the New Competitive Advantage

One of the most encouraging shifts in the industry is cultural. Fifteen years ago, researchers were often ignored—or worse, threatened—for disclosing vulnerabilities. Today, manufacturers increasingly partner with researchers and CERTs to responsibly patch flaws.

“Maybe 15 years ago when you submitted a vulnerability, companies didn’t even know what we were talking about. Some companies were thinking that we were trying to get money out of them,” Gabriel recalled. Today’s reality is starkly different: “Nowadays, all the other certs and all these entities, they help with the process, especially with companies that are not well known and they are not too large.”

From DEF CON’s Car Hacking Village to Pwn2Own competitions, automakers now recognize that transparency and collaboration lead to stronger defenses. In fact, inviting researchers to “break” cars in controlled environments is becoming a badge of maturity, not weakness.

Lessons for Auto Industry Leaders

The race toward autonomy isn’t just about AI, sensors, or customer experience—it’s about trust. Without cybersecurity, the risks could outweigh the rewards. RunSafe Security’s 2025 Connected Car Cyber Safety & Security Index supports this. Consumers are more aware of cybersecurity risks than ever before. 70% of drivers said they would consider buying an older, less connected car just to reduce cyber risk.

For industry leaders, that means:

  • Fleet operators should audit telematics and enforce strong authentication.
  • OEMs must bake security into the SDLC and scrutinize software supply chain components.
  • Researchers and security firms should continue to act as partners, not adversaries.
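
As a starting point for the telematics audit recommended above, and for the insecure MQTT configurations described earlier, here is an added example (not code from RunSafe Security or IOActive) that checks a broker configuration for missing TLS, anonymous access, missing client authentication, and missing per-topic access control. It assumes Mosquitto-style directives, which the post does not specify; both sample configs and the finding codes are constructed for illustration.

```python
WEAK_CONF = """\
# constructed sample: plaintext listener open to any client
listener 1883 0.0.0.0
allow_anonymous true
"""

HARDENED_CONF = """\
# constructed sample: TLS listener, client certificates, per-vehicle topic ACLs
listener 8883 0.0.0.0
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
require_certificate true
allow_anonymous false
acl_file /etc/mosquitto/fleet.acl
"""

def parse(conf):
    """Split config text into global directives and one dict per listener."""
    glob, listeners, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            current = {"port": value.split()[0]}
            listeners.append(current)
        else:
            (current if current is not None else glob)[key] = value.strip()
    return glob, listeners

def audit(conf):
    """Return sorted finding codes; an unset allow_anonymous is treated as false."""
    glob, listeners = parse(conf)
    findings = set()
    for lst in listeners or [{}]:
        eff = {**glob, **lst}  # listener-level directives override globals
        checks = {
            "ANON_ACCESS": eff.get("allow_anonymous") == "true",
            "NO_TLS": not (eff.get("certfile") and eff.get("keyfile")),
            "NO_CLIENT_AUTH": not (eff.get("password_file")
                                   or eff.get("require_certificate") == "true"),
            # without an ACL, any client may read or write every vehicle's topics
            "NO_TOPIC_ACL": not eff.get("acl_file"),
        }
        findings.update(code for code, hit in checks.items() if hit)
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

A static check like this only covers what the configuration file declares; the ACL file contents and certificate issuance still need their own review.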

If we get this right, autonomous vehicles could transform mobility in ways we’ve only begun to imagine. If we get it wrong, the consequences will be measured in more than just software bugs—they’ll affect safety, privacy, and public confidence.

Stay Ahead of the Threat

At RunSafe Security, we help OEMs and suppliers build resilience from the inside out by hardening software and reducing exploitability without impacting performance.

Learn more in our white paper: Driving Security: Safeguarding the Future of Automotive Software.
