30 October 2025

“Security researchers are the main factor motivating automakers to invest in protecting their products”

Industrial system vulnerability research experts Sergey Anufrienko and Alexander Kozlov discuss threats associated with over-the-air data transmission technologies, attack vectors targeting electric vehicles specifically, the evolution of transportation systems from a cybersecurity perspective, and the role of artificial intelligence in ensuring cybersecurity.

How would you rate the information security level of modern cars, and how do they compare with cars produced 10–15 years ago in this respect?

Sergey Anufrienko: From an information security standpoint, the car has been and remains far from the most secure device in the world. Arguably, only the simplest car with a minimal set of electronic components – for example, one with just a radio receiver – can be called secure. Modern cars are equipped with advanced data communication technologies designed to exchange data between various systems inside the vehicle, with cloud services, with road infrastructure (Vehicle-to-Everything), and even with other vehicles (Vehicle-to-Vehicle). The amount of information transmitted is growing; there are more and more usage scenarios for a car that the owner can trigger remotely, sometimes without even realizing this (by performing certain actions within the car and using different elements of its user interface, without suspecting that many of these actions require communication with remote infrastructure outside the vehicle). As a result, the attack surface increases.

However, this does not mean that cars were more secure 10 or 15 years ago. Back then, there was a lot of so-called low-hanging fruit – easy-to-discover vulnerabilities that arose because manufacturers did not give the information security of their products much thought. Over the past decade, many major carmakers have eliminated those vulnerabilities, but the more sophisticated and harder-to-detect vulnerabilities remain, and new ones continue to appear. At the same time, manufacturers that have only recently entered the market do not even provide that level of information security for their cars.

Is the head unit the most vulnerable component of a modern car?

SA: I would call it the primary object of interest for security researchers, which takes the first blow during tests. The head unit is the vehicle’s electronic module that most closely resembles IT systems familiar to most researchers, both functionally and architecturally. That is why about half of all car vulnerability research reports describe issues related to the head unit in one way or another. However, the head unit is of secondary interest to our team, as we focus on researching remote attack vectors that could affect the vehicle’s critical systems, such as the braking system, engine, and transmission. We try to find out how attackers could use an embedded 3G/4G modem, Wi-Fi, or Bluetooth to gain access to the vehicle.

Alexander Kozlov: In my view, the head unit and the telematics module are actually the least vulnerable devices. For example, they incorporate firmware signature verification mechanisms that are not implemented in virtually any other electronic components. This means that if attackers gain access to a unit without signature verification, they can easily reprogram it. But the head unit is usually connected to other buses via the CAN bus, using a gateway that isn’t easy to hack. Even if an attacker gains control of the head unit, there are few options for further developing the attack. This means that such an attack usually does not result in major problems from an information security standpoint.

What threats arise from using over-the-air data transmission technologies in vehicles?

SA: There are classic attack vectors related to accessing personal data and stealing a digital key. In the former case, this can involve stealing information from a connected smartphone, eavesdropping on the vehicle interior, or intercepting traffic; in the latter case, it can involve blocking the engine or locking the doors to extort a ransom from the victim. In both cases, however, the question of expediency for the attacker arises. It is much easier and cheaper to hack the victim’s smartphone or personal computer to obtain data, while attacks on a vehicle aimed at extorting a ransom carry a high risk that rarely justifies the potential gain.

AK: Remote attacks on vehicles, especially those involving extortion, are complex and expensive to carry out. For example, an exploit for a vehicle modem can cost about a million dollars on the black market. In addition, for a successful attack, you need access not only to the modem’s firmware but also to the control units of specific vehicles, which are significantly different from one vehicle to another. As a result, a targeted attack on a specific private car is economically impractical for most attackers.

There are car-sharing services, taxi fleets, logistics companies, and government organizations that operate vehicle fleets. There are also some very special cases: specialized machinery that is architecturally built on a vehicle platform and is controlled remotely. For example, the downtime of a haul truck in a quarry is extremely expensive. In such cases, threat actors may be motivated to carry out an attack designed to disrupt the operation of haul trucks or a fleet of specialist vehicles in order to demand a ransom.

SA: There are also attack vectors that directly threaten the life and health of road users. This includes remotely interfering with a vehicle in ways that undermine its safety properties – for example, activating the airbag, disabling the brakes, or disrupting traction control. But those are targeted attacks on specific vehicles, which require significant resources and highly skilled operators. In addition, they carry a fundamentally different level of legal exposure for the attackers. We are not aware of any real-world cases of such attacks, but we can say with confidence that this is not the kind of attack that ordinary criminals can carry out. Exceptional actors, such as national intelligence services, could certainly pull off something like this. The most attractive targets for such attacks are autonomous vehicles and vehicles that support automatic steering. Attacks on them can be planned and executed with greater precision and selectivity, opening the door to entirely new scenarios. Imagine what would happen if all autonomous vehicles were not just stopped but made to go, for example, to an airport. Unfortunately, this is potentially feasible and therefore causes serious concern.

You say remotely interfering with a vehicle is expensive and unprofitable. There is a known case of an attacker using an antenna to intercept a digital key in 30 seconds and then driving off in a Rolls-Royce. Perhaps what matters is how expensive a car is?

AK: Many modern features, including those related to remotely controlling vehicles, come at a price, which includes potentially reduced information security. That is a fact. But this is about car theft, and cars were stolen 20 and 40 years ago, as well; it’s just that modern technologies enable it at a new level. However, the essence has not changed.

This example demonstrates once again that hacking a modern vehicle is possible. Many security researchers know that cars from a certain Asian manufacturer can be hacked by removing a headlight (on some models, this can be done without opening the hood) and connecting to the CAN bus. Then you can plug in a Raspberry Pi with remote access – an inexpensive microcomputer available from online stores – and gain full remote control of the car. This vulnerability has existed for many years. Car thieves actively exploit it, but the manufacturer stubbornly turns a blind eye and does not consider it a problem.

What is different about a vehicle’s information security?

AK: The context in which vulnerable code is executed. The CAN bus, which links control units into a single network, appeared about 40 years ago. Since then, manufacturers have not been able to fully migrate even to CAN FD, let alone to Ethernet. Most cars still use the CAN bus. This is revealing from an information security perspective: we see issues stemming from it, including problems at the physical layer. Yet nobody fixes these problems for years, even decades. Why? Presumably because most manufacturers and industry players do not regard this as a high priority.

It should be kept in mind that cars are used for a long time. Vehicles with vulnerable architectural solutions will continue to run on our roads with the same vulnerabilities for at least another 15 or 20 years. By comparison, when a smartphone manufacturer stops releasing firmware updates for a model, it typically affects relatively few users because most have already moved on to a newer model. A car is a major purchase for most people and often changes several owners during its service life. A large proportion of cars outlive vendor support while remaining in operation.

Would it be fair to say that the attack surface of electric vehicles is larger than that of cars with conventional engines?

AK: Electric vehicles are additionally connected to charging infrastructure, which adds EV-specific attack vectors. There is electromagnetic radiation during charging – an EV emits electromagnetic waves that can be intercepted with specialized equipment, such as an antenna, at distances of up to 10 meters. An attacker can interfere with an established connection, impact the communication channel between the EV and the charging station, and thus disrupt the charging process. If this happens, the charging session will most likely be aborted because the protocol may be configured to do so. There is no direct risk to the vehicle itself in that scenario. However, an attacker can hack the charging station via the charging interface and even try to connect to the power grid or impact other infrastructure. That is a serious risk because the consequences can be grave.

Another possible scenario could be an attack on a fleet of electric buses rather than a single private EV. If an attacker remotely disrupts the communication channel between a charging station and a bus that typically charges at night, the bus may remain uncharged in the morning because the charging session is likely to be interrupted. Detecting such a problem requires a physical inspection of the charging station to check whether charging is occurring.

How risky is the steer-by-wire technology in terms of information security?

SA: If it is technically possible to influence steering via information messages, this automatically creates the risk that an attacker could exploit that possibility. Security researchers Charlie Miller and Chris Valasek proved this 10 years ago when they remotely accessed a Jeep Cherokee and sent it into a ditch. Steer-by-wire means that the steering wheel is not mechanically linked to the wheels via a steering rack and control is transmitted over wires. In that case, even if the driver holds the wheel firmly, they may not be able to prevent an attacker from taking over the car’s steering.

You said that autonomous transport can become a tool for attacks by certain types of adversaries. But there is already significant skepticism about autonomous cars. What doubts do you have as security researchers?

SA: One problem in the evolution of autonomous vehicles is that companies working in this area often rush to release their products without giving proper attention to testing and security. As a result, work to improve a product’s cybersecurity begins only after it hits the public roads. This is an approach that relies on luck – that everything will go well. An example of such immaturity was the Tesla Autopilot incident that became widely known after a viral video earlier this year. In the clip, a Cybertruck pickup failed to recognize a banner showing a photo of a road and drove into it. It is known that Tesla vehicles do not use lidars but rely solely on machine vision.

AK: Essentially, the main problem of autonomous transport is the absence of a driver. Someone needs to make decisions behind the wheel. Relying solely on machine vision is dangerous. And it is not only a matter of not having computer vision that matches human vision. It is also important to consider the specific environment in which the vehicle operates. Away from big cities, road markings are sometimes inadequate or absent, and road signs can be misleading. As a result, many people drive without relying on cues from the road infrastructure. So, as long as autonomous cars operate in big cities and on federal highways, where infrastructure is kept in decent shape, things go more or less smoothly. But I expect to see a spike in road incidents if and when autonomous vehicles become ubiquitous.

How relevant are the information security problems we are talking about to other types of transport?

AK: Extremely relevant, because urban transport, at least here in Moscow, is now automated and uses cloud infrastructure. This applies not only to buses or electric buses. I believe river buses operate similarly. And subway trains have long been connected to systems that monitor what is happening with drivers and in carriages, literally second by second. Naturally, there are also relevant threats to functional safety here, but the consequences can be even more serious.

In which direction will transportation systems develop from an information security perspective?

SA: First of all, manufacturers should follow the path taken by the makers of the best smartphones. They should, at the very least, implement the security-by-design measures used in mobile software.

There is a lot of talk now about the Vehicle SOC (Security Operations Center) concept. It involves centrally collecting telemetry data from all vehicles to enable a SOC to detect anomalies and identify possible attacks. However, the process of creating such centers is still in the early stages of idea development.

When do you expect vehicle SOCs to emerge, and do you believe they can become truly effective tools for ensuring vehicle cybersecurity?

AK: At the moment, only a few vendors collect any information about the operation of onboard units that would make it possible to detect signs of internal or external illegitimate impact on them. Importantly, the methods used to collect data, the data formats, and the potential indicators of compromise differ fundamentally across vehicles. There is no unified system for collecting and analyzing such data.

In this respect, creating various vehicle SOCs is the right step toward ensuring vehicle information security. However, beyond purely technical and economic barriers, many other obstacles will have to be overcome. For example, collecting vehicle telemetry involves transmitting it via the infrastructure of third-party organizations. If the data transmission channel or the infrastructure of the organizations that collect and process the data is compromised, attackers can obtain information about all events in the vehicle. Ordinary car owners are unlikely to be of interest to attackers, but certain individuals and organizations could become targets. I believe vehicle SOCs will start to emerge widely in the next three to five years.

What role will artificial intelligence play in ensuring vehicle cybersecurity?

SA: Kaspersky offers AI-based solutions. Specifically, it offers a solution for vehicles that combines Kaspersky Automotive Secure Gateway, based on Kaspersky OS, which provides cybersecurity protection for connected vehicles, including reliable separation of security domains, with Machine Learning for Anomaly Detection, a software solution designed to detect anomalous events by using a custom neural network to analyze telematics data and detect deviations from normal operating modes. The latter solution is integrated into the former, so Kaspersky Automotive Secure Gateway can use a neural network model to detect anomalies in CAN bus traffic. Importantly, both products adapt autonomously to what is going on in the vehicle.

In addition to these products, we have the Kaspersky Unified Monitoring and Analysis Platform (KUMA), a SIEM that can analyze security events using the GigaChat neural network model from Sber (Sberbank of Russia). The system can collect information about vehicle incidents in a vehicle SOC and provide data for analysis in a human-readable form.

You said that automakers are slow to fix vulnerabilities in their products, and that attacks on vehicles are not economically viable for attackers. What is the value of security researchers’ work when it seems that the outcome is useful to no one but themselves?

SA: That situation existed in other sectors, too. Quite recently, that was true for industrial equipment and industrial automation systems. Today, few people question why these should be protected, whereas 10 years ago, our efforts in that area could have been seen by some as futile and overly paranoid. The same was true for ordinary IT systems at the dawn of their development. In fact, some IT systems are still following that path – for example, proactive information security tools are making great strides into Linux systems, which used to be attacked far less frequently and in far less sophisticated ways than Windows systems. I am convinced that many other fields will follow suit – for example, medical equipment, aviation, space, and so on.

Findings from vehicle-related security research are increasingly made publicly available, which should have a positive effect on all industry participants. Automakers are paying closer attention to information security issues, and researchers are examining their systems even more closely. That should produce a positive shift and is certainly better than a situation in which exploitation techniques are only known to a narrow circle of attackers.

For now, researchers remain the main driving force of change, motivating manufacturers to look for solutions to protect their vehicles. Considerable effort and funds are invested in raising awareness of the problem. There are major events dedicated specifically to this subject area. For example, security researchers come together at Pwn2Own Automotive – an annual competition where cars are hacked and new vulnerabilities are discovered.

You regularly speak at industry conferences, and your reports receive awards. What do you consider the key to producing an impressive piece of research whose findings can influence the industry?

AK: Goal setting and the team. The material for many studies that address fundamental information security problems lies on the surface. Sometimes it is enough to think carefully about the subject of research and interesting findings will follow.

Some security researchers rely on their own experience in threat analysis and research to begin creating cybersecurity solutions for vehicles. How feasible is that path within Kaspersky, and how does it fit into your professional ambitions?

AK: With our extensive research experience, we have a clear understanding of potential vulnerabilities in technologies that end users and even product designers who use these technologies often do not suspect. Experience allows us to suggest new security solutions. Many successful products on the market originated in exactly this way.