Remote hacks, GPS spoofing, and sensor attacks: AVs face mounting cyber threats
Self-driving cars are inching closer to mainstream adoption, but the threat landscape they face is accelerating just as rapidly. A newly published paper on arXiv, "Cybersecurity for Autonomous Vehicles," underscores the urgency of cybersecurity as a foundational pillar for the safe deployment of autonomous driving technology. Authored by Sai Varun Reddy Bhemavarapu, an application security engineer based in Texas, the study provides a comprehensive assessment of the mounting cybersecurity risks in autonomous vehicle ecosystems and outlines the countermeasures essential to secure this transformative industry.
Autonomous vehicles (AVs), equipped with a complex web of sensors, AI-driven decision-making software, and interconnected communication systems, are inherently exposed to a wide range of digital threats. From remote hijacking and GPS spoofing to manipulation of vehicle networks and privacy violations, the cybersecurity attack surface of AVs rivals that of enterprise networks, but with far higher stakes involving human lives and public safety. The research frames this challenge as both a technical and regulatory imperative, urging a multi-layered security architecture and proactive governance to match the sophistication of the threats.
What makes autonomous vehicles especially vulnerable to cyber threats?
Unlike traditional cars, AVs rely on a fusion of cameras, LiDAR, radar, GPS, and AI to interpret surroundings, make split-second decisions, and navigate without human input. This high level of automation, particularly in Level 3 to Level 5 systems as defined by the Society of Automotive Engineers, introduces numerous points of failure if not properly secured. The study identifies key vulnerabilities in software design, hardware components, and communication protocols that can be exploited by attackers to disrupt normal vehicle functions or gain unauthorized control.
One of the most severe risks arises from unauthorized remote access to an AV’s control systems. Once compromised, attackers can manipulate steering, acceleration, braking, and navigation, essentially turning the vehicle into a weapon. This is not theoretical: the paper references real-world incidents such as the 2015 Jeep Cherokee hack, which exposed critical weaknesses in vehicular software that allowed remote manipulation.
Equally dangerous are denial-of-service (DoS) attacks, which flood vehicle sensors or networks with traffic, causing system outages or misinterpretation of the environment. Sensor spoofing attacks can deceive the car’s perception systems, tricking it into seeing phantom objects or ignoring real obstacles, while man-in-the-middle attacks intercept and alter communications between the AV and external infrastructure. Remote code execution (RCE) vulnerabilities present another dire scenario, enabling attackers to implant malicious code that overrides the vehicle’s operating parameters.
Beyond the digital realm, the research also highlights hardware-based attacks, such as Controller Area Network (CAN) bus intrusions, GPS signal spoofing, and firmware manipulation of Electronic Control Units (ECUs), which can disable or corrupt core vehicular functions. These threats collectively pose significant risks to driver safety, data privacy, and trust in the AV industry.
What does a robust cybersecurity architecture for AVs look like?
To counter these risks, the study proposes a layered security architecture that encompasses both preventative and reactive mechanisms. The foundation begins with secure hardware components like Trusted Platform Modules (TPMs) and Hardware Security Modules (HSMs), which create isolated environments for secure operations and encryption key storage.
Secure coding practices, regular software updates, and penetration testing are emphasized to reduce software vulnerabilities. The author recommends a range of intrusion detection and prevention systems (IDPS), including signature-based, anomaly-based, and heuristic-based detection methods. These tools can monitor real-time behavior, detect suspicious activity, and isolate compromised subsystems to prevent lateral movement by attackers.
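As an added illustration of the anomaly-based detection mentioned above (this code is not from the paper or the article), the sketch below learns the normal transmission period of each CAN ID from known-good traffic and flags frames that arrive too often, too late, or under an ID never seen in training. The frame format, the CAN IDs, the sample traces and the `tolerance` value are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def learn_baseline(frames):
    """Median inter-arrival time per CAN ID from known-good (timestamp_ms, can_id) frames."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: median(g) for can_id, g in gaps.items()}

def detect(frames, baseline, tolerance=0.5):
    """Return (timestamp_ms, can_id, reason) for frames that break the learned timing."""
    alerts, last = [], {}
    for ts, can_id in frames:
        period = baseline.get(can_id)
        if period is None:
            alerts.append((ts, can_id, "unknown-id"))        # ID never seen in training
        elif can_id in last:
            gap = ts - last[can_id]
            if gap < period * (1 - tolerance):
                alerts.append((ts, can_id, "too-frequent"))  # extra frames on a periodic ID
            elif gap > period * (1 + tolerance):
                alerts.append((ts, can_id, "too-slow"))      # expected frames went missing
        last[can_id] = ts
    return alerts

# Constructed sample traffic (not a real capture): two periodic IDs over one second.
def periodic(can_id, period_ms, skip=()):
    return [(t, can_id) for t in range(0, 1000, period_ms) if t not in skip]

CLEAN = sorted(periodic(0x0C4, 10) + periodic(0x1A0, 100))
# Live trace: extra 0x0C4 frames, an ID absent from training, and a dropped 0x1A0 frame.
LIVE = sorted(periodic(0x0C4, 10) + periodic(0x1A0, 100, skip={700})
              + [(203, 0x0C4), (206, 0x0C4), (500, 0x7DF)])

if __name__ == "__main__":
    for ts, can_id, reason in detect(LIVE, learn_baseline(CLEAN)):
        print(f"{ts:4d} ms  id=0x{can_id:03X}  {reason}")
```

The legitimate 0x0C4 frame at 210 ms is flagged along with the two extra frames before it, because timing alone cannot tell which frame in a burst is the forged one. A detector like this localizes the disturbance and hands off to other controls, such as message authentication, to decide which sender to distrust.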
The importance of protecting communication channels is another focal point. Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communication protocols, which utilize technologies like Dedicated Short-Range Communication (DSRC) and 5G, must be encrypted and authenticated to prevent eavesdropping and spoofing. The use of secure network layers and encrypted data exchange is necessary to preserve the integrity of decision-making and route planning.
The paper also champions Over-the-Air (OTA) updates as a critical mechanism for addressing new vulnerabilities, but warns that these update channels must themselves be secured to prevent tampering. Furthermore, incorporating fail-safe mechanisms, such as fallback sensors and redundancy systems, can help AVs maintain operational stability during attempted attacks.
Continuous security monitoring, incident response planning, digital forensic capabilities, and employee training are advocated as part of a comprehensive defense-in-depth strategy. Bug bounty programs and public-private collaboration are also presented as practical ways to uncover and mitigate unknown vulnerabilities.
How do legal, ethical, and regulatory frameworks intersect with cybersecurity?
Technological measures alone cannot address the full spectrum of cybersecurity threats. The research underscores the critical need for regulatory frameworks and ethical guidelines that align with the rapid pace of AV development. Standards such as ISO/SAE 21434 for automotive cybersecurity, ISO 26262 for functional safety, and SAE J3016 for automation levels are essential cornerstones in ensuring consistent security implementation across the industry.
National and international regulations like the General Data Protection Regulation (GDPR) govern how AVs handle user data, mandating strict controls on data collection, storage, and processing. In the U.S., the Federal Motor Vehicle Safety Standards (FMVSS) and California’s autonomous vehicle testing laws provide further layers of legal oversight.
Ethical concerns are also addressed, including the infamous trolley problem (how AVs should prioritize decisions in unavoidable crash scenarios) and questions of liability. Who is accountable in the event of a cyber-induced crash: the vehicle owner, the software developer, or the manufacturer? The study calls for the development of clear contractual frameworks and legal standards to assign responsibility and foster transparency.
Discrimination and fairness in algorithmic decision-making are also acknowledged. The author warns of the dangers if AVs are trained or coded with biased data that could influence how they treat pedestrians, passengers, or other vehicles based on socio-demographic cues.
The research calls for a multi-stakeholder effort involving manufacturers, researchers, regulators, and civil society to jointly develop resilient and trustworthy AV systems. Public trust, it argues, will be the ultimate currency in the adoption of autonomous vehicles, and that trust will be won or lost on the strength of their cybersecurity defenses.
First published in: Devdiscourse

