• ID 124110546 © Maciek905 | Dreamstime.com
    689a4530211d96ce949d13cb Code Dreamstime L 124110546

    How Hackers Gain Access to Software-Defined Vehicles

    Aug. 11, 2025
    Infotainment systems have become the dominant attack vector for hackers targeting SDVs in 2025. These breaches enable attackers to steal personal data and gain direct control over critical vehicle safety systems like braking and steering by exploiting weak network segmentation.
    Related To:

    In the first half of 2025, a clear pattern has emerged. Infotainment systems are becoming the easiest way into software-defined vehicles (SDVs) for attackers.

    In January, security researchers uncovered vulnerabilities in Subaru’s Starlink system that allowed for remote access to sensitive customer data and vehicle functions. A similar flaw in the Nissan Leaf infotainment platform enabled unauthorized access and privilege escalation, giving attackers a path to take over other critical vehicle systems. And just recently, potentially 350 million vehicles were exposed through vulnerabilities in the BlueSDK Bluetooth stack called “PerfektBlue.”

    These cases highlight that as SDVs become more connected and complex, infotainment systems are fast becoming a favored entry point for hackers.

    Infotainment Systems: The Hacker’s On-Ramp

    Infotainment units are designed to deliver convenience and connectivity, including navigation, entertainment, voice control, and wireless syncing. But added connectivity increases exposure. Because many vehicles lack strict internal segmentation, a single compromised system can allow for lateral movement across critical components.

    In practice, this means attackers can:

    • Harvest personal and location data from the driver and passengers.
    • Remotely control basic vehicle functions, including door locks and engine start/stop.
    • Pivot into critical domains, such as ADAS, braking, and steering modules.

    The risk is high because infotainment systems are deeply integrated into the broader vehicle architecture, and their software is frequently built on insecure foundations.

    Memory Safety: The Silent Risk Inside Infotainment Platforms

    One significant area of concern is memory safety flaws in the embedded software that makes up today’s SDVs. Most infotainment platforms are either Android- or Linux-based systems. However, other components could be built on real-time operating systems (RTOS), and developers rely heavily on C and C++ languages, which are prized for low-level hardware control but are notorious for introducing memory safety vulnerabilities.

    These memory safety vulnerabilities—like buffer overflows, use-after-free bugs, and heap corruption—are the same class of issues that have plagued embedded systems for decades. In the context of an SDV, memory safety issues are both serious security flaws and potential safety risks.

    >>Check out this TechXchange for similar articles and videos

    For example, security researchers exploited a heap overflow vulnerability and an out-of-bounds write error in the Bluetooth chipset of a Tesla. This made it possible for them to break into the vehicle's infotainment system and, from there, escalate privileges to gain root access to other critical subsystems within the car. It’s a clear demonstration of how a single flaw in an infotainment or connectivity layer can undermine the integrity of the entire vehicle.

    Once Inside, Lateral Movement is Easy

    Attackers who compromise infotainment platforms often find that the rest of the vehicle is just a few hops away. Critical electronic control units (ECUs) that govern engine performance, braking, or collision-avoidance systems weren’t built with today’s threat landscape in mind. Many assume an implicit level of trust inside the vehicle network, which hackers can exploit once they’ve breached the outer layer.

    The same goes for advanced driver-assistance systems (ADAS), which are central to modern vehicle safety. ADAS leverages sensors, cameras, radar, and complex software to deliver features like lane keeping assist, traffic jam assist, and automated emergency braking to help prevent collisions. These systems add convenience and are proven safety enhancements.

    However, many ADAS components are written in C or C++, making them susceptible to memory safety vulnerabilities that represent a direct safety risk. A successful attack could alter sensor data or manipulate the decision-making algorithms that underpin ADAS functionality.

    For example, memory corruption in a sensor module could cause the system to misinterpret its environment. This leads to incorrect object detection and potentially results in collisions or other dangerous situations.

    Weak internal isolation, outdated software dependencies, and the continued use of legacy development practices create a soft underbelly within even the most high-tech vehicles.

    Mitigating Risk Requires Securing the Software Core

    Infotainment systems are the canary in the coal mine, pointing to weakness in software across the vehicle ecosystem.

    To reduce risk and harden SDVs against attacks requires the following steps: 

    • Building Android-based infotainment systems from source. This gives OEMs and suppliers more control over the security in the OS, allowing them to insert security protections, like runtime exploit prevention and memory safety hardening, during the build process to address memory safety concerns.
    • Automating vulnerability identification and risk quantification. Use tools that scan for memory safety issues and provide actionable insights at both build-time and runtime.
    • Deploying runtime code protections. Techniques such as memory relocation and runtime exploit prevention can shield embedded code from exploitation, even in legacy systems where code rewrites are impractical.
    • Generating and maintaining a comprehensive build-time SBOM (software bill of materials). Full visibility into all software components, including third party and open source, is critical for vulnerability management and supply chain security.
    • Ensuring strong network segmentation between infotainment, telematics, and safety-critical domains like ADAS and ECUs, to prevent lateral movement after a breach.
    • Embedding secure development practices, like threat modeling, fuzz testing, and static analysis, into the SDLC for all automotive code.

    The Road Ahead

    SDVs are software platforms on wheels. And like any connected software platform, they’re vulnerable to attack, especially at their most exposed interfaces. Infotainment systems provide a foothold.

    If automakers want to stay ahead, cybersecurity can’t be an afterthought or just another box to check for compliance. It must be woven into the fabric of vehicle safety from day one. In a world where a hacker can use your favorite song as a stepping stone to your steering or brakes, protecting the software at the heart of every vehicle is the only way forward for safe, innovative mobility.

    >>Check out this TechXchange for similar articles and videos

    About the Author

    Joseph M. Saunders | Founder and CEO, RunSafe Security

    Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics.

    He’s built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.

    Continue Reading

    Sponsored Recommendations

    Comments

    To join the conversation, and become an exclusive member of Electronic Design, create an account today!