Unraveling Tactics Used by Hackers to Infiltrate Self-Directed Automotive Systems
In the first half of 2025, infotainment systems in software-defined vehicles (SDVs) emerged as a favoured entry point for hackers, posing significant security and safety risks.
Many advanced driver-assistance systems (ADAS) components are written in C or C++, making them susceptible to memory safety vulnerabilities. These issues, such as buffer overflows, use-after-free bugs, and heap corruption, are well-known problems in embedded systems that hackers can exploit to gain unauthorized access and escalate privileges within a vehicle's software ecosystem.
Infotainment systems, often Android- or Linux-based, are deeply integrated into the broader vehicle architecture and built on insecure foundations. Other components may be built on real-time operating systems (RTOS). Memory safety flaws in the embedded software of these systems, which is often written in C and C++, are a significant area of concern because they can introduce both security and safety risks.
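An added example, not from the original article or any automaker's code: a C parser for a constructed length-prefixed message from an untrusted peer, showing the bounds checks that stop the buffer overflow and out-of-bounds access described above. The wire format, `DEV_NAME_MAX`, and all type and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEV_NAME_MAX 32  /* assumed size of the fixed name field (hypothetical) */

struct device_record {
    uint8_t name_len;
    char    name[DEV_NAME_MAX + 1];   /* +1 for the terminating NUL */
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_ARG = -3 };

/* Constructed wire format: [1-byte type][1-byte length][length bytes of name].
 * The unsafe pattern this replaces is
 *     memcpy(out->name, pkt + 2, pkt[1]);
 * which trusts the sender's length byte: it writes past name[] when the
 * length exceeds the field, and reads past the packet when it exceeds pkt_len. */
int parse_device_name(const uint8_t *pkt, size_t pkt_len, struct device_record *out)
{
    if (pkt == NULL || out == NULL)
        return PARSE_BAD_ARG;
    if (pkt_len < 2)
        return PARSE_TRUNCATED;        /* header itself is incomplete */

    size_t claimed = pkt[1];
    if (claimed > pkt_len - 2)
        return PARSE_TRUNCATED;        /* claims more bytes than were received */
    if (claimed > DEV_NAME_MAX)
        return PARSE_TOO_LONG;         /* would overflow out->name */

    memcpy(out->name, pkt + 2, claimed);
    out->name[claimed] = '\0';
    out->name_len = (uint8_t)claimed;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed input: length byte claims 200 bytes, only 2 follow. */
    const uint8_t lying[] = {0x01, 200, 'h', 'i'};
    struct device_record rec;
    int rc = parse_device_name(lying, sizeof lying, &rec);
    printf("status=%d\n", rc);
    return rc == PARSE_TRUNCATED ? 0 : 1;
}
```

Both length checks are needed: the first guards the read from the packet, the second guards the write into the fixed-size field.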
To mitigate these risks, automakers are adopting several measures. Building Android-based infotainment systems from source enables integration of security protections such as runtime exploit prevention and memory safety hardening during the system build process, giving the automaker more control over OS security.
Automating vulnerability identification and risk quantification with tools that scan for memory safety issues at both build-time and runtime provides actionable insights to developers. Deploying runtime code protections like memory relocation and runtime exploit prevention shields code even in legacy systems where rewriting code is impractical.
Generating and maintaining a comprehensive software bill of materials (SBOM) is crucial for ongoing vulnerability management and supply chain security. This ensures full visibility into all software components, including third-party and open-source components.
Strong network segmentation between infotainment, telematics, and safety-critical domains such as ADAS and electronic control units (ECUs) is necessary to prevent lateral movement by attackers after a breach.
Embedding secure development practices into the software development life cycle (SDLC), including threat modeling, fuzz testing, and static analysis, is essential for proactively identifying and fixing security weaknesses in automotive software.
In summary, automakers strengthen vehicle cybersecurity by integrating memory safety protections during development, continuous vulnerability scanning, runtime defenses, secure network architectures, and rigorous secure coding standards to address and mitigate common memory safety vulnerabilities inherent in infotainment systems of SDVs.
Security researchers have demonstrated the potential consequences of memory safety vulnerabilities with a successful attack on ADAS. Such an attack could alter sensor data or manipulate decision-making algorithms, posing a direct safety risk. A recent example involves the exploitation of memory safety vulnerabilities such as heap overflow and out-of-bounds write errors in the Bluetooth chipset of a Tesla, demonstrating how a single flaw can undermine the integrity of the entire vehicle.
By addressing these vulnerabilities and adopting best practices, automakers can protect their vehicles from attackers and ensure the safety and security of their customers on the road.