BSI: "Digital attack surfaces in the automotive sector are rapidly expanding"

Digital services, AI, over-the-air updates, and networked control units reshape cars, warns BSI. Automakers and suppliers must strengthen security measures.




The German Federal Office for Information Security (BSI) increasingly regards cars as computers on wheels and is concerned about their IT security. "The digital attack surfaces in the automotive sector are growing rapidly," emphasized Thomas Caspers, Vice President of the Bonn-based authority, on the occasion of the publication of a report on cybersecurity in road traffic in 2025, released in the run-up to the IAA motor show in Munich. Manufacturers and suppliers in the industry must therefore build IT security into their technology from the outset and ship it with secure default settings ("security by design and by default").

Digital services, over-the-air updates and networked control units are increasingly shaping vehicle architectures, the BSI explains in the paper. In addition, the use of AI in driver assistance systems and automated driving functions continues to grow. On the road to autonomous driving, cars are becoming more networked, their systems more complex, and transportation in general more digital. Securing the automotive ecosystem is therefore becoming a continuous task rather than a one-off exercise.

According to the report, the BSI evaluated a total of 107 reports on IT vulnerabilities and incidents in the automotive sector between February 2024 and March 2025. In most of these cases, exploiting the vulnerability required physical access to the vehicle or at least physical proximity, for example via Bluetooth or Wi-Fi. In 18 reports, however, the vulnerabilities were reachable over the internet.

The majority of the classified reports (46 out of 59) stemmed from security analyses or research work in which those involved developed a proof of concept. Active exploitation by criminals, by comparison, is currently still rare, the BSI writes. A further threat arises from the remote-access capabilities built into connected vehicles: the digital products that give manufacturers access to vehicle data and functions also constitute a channel that an attacker could misuse.

Against the backdrop of current geopolitical conflicts, complex supply chains increase the risk, the report says. New ways of attacking AI components and vehicle sensors through manipulated inputs also pose risks. Given the typically long life cycles of both vehicles and transport infrastructure, migrating to quantum-resistant cryptographic algorithms is a further important task, since keys and protocols deployed today must remain secure for the lifetime of the vehicle.

According to the report, infotainment systems are a popular target for attacks because of their many interfaces and networking functions. Security researchers showed how they chained twelve vulnerabilities in the systems of a Czech manufacturer to install malware via Bluetooth. This enabled them, for example, to track the vehicle's position and record conversations in the cabin. According to estimates, around 1.4 million vehicles were affected.


According to the authors, a similar attack on an infotainment system from a Japanese manufacturer gave attackers full control of the device at any time via the mobile network once initial access had been gained via Bluetooth. This would have allowed them to eavesdrop on the driver, track the GPS position, or even influence vehicle functions such as steering. Critical vulnerabilities were also discovered in the QNX software that is integrated into infotainment systems from manufacturers such as BMW, Volkswagen and Audi; one of them allowed remote code execution.

The authority also recalls that the Chaos Computer Club (CCC) discovered that terabytes of position data from VW electric vehicles were accessible unprotected over the internet due to a configuration error. Information on around 800,000 vehicles and 600,000 customers, including names and addresses, was affected. A security researcher also found vulnerabilities in a web portal of a Japanese manufacturer that gave him access to location data of vehicles in North America and Japan. Through the portal it would even have been possible to unlock or start other people's cars.

The EU directive on network and information security, known as NIS2, brings new legal requirements for many companies in the automotive industry, the BSI emphasizes. These include an obligation to register with the authorities and to report significant security incidents to them. The industry needs a change in mentality, the report says, toward sharing information about vulnerabilities and treating cybersecurity as a quality feature.

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.