180,000 bugs in every fully autonomous vehicle are like an open door to cyber criminals, says GlobalData

Many autonomous vehicles are not fully protected against cyberattacks, with GlobalData, a leading data and analytics company, estimating that there may be up to 180,000 bugs in the code operating a level 5 autonomous vehicle*—potentially leaving hackers with 15,000 security vulnerabilities to choose from.

GlobalData’s latest report, ‘Cybersecurity in Automotive – Thematic Research’, stresses the importance of defending all of the infrastructure upon which connected cars rely, noting that we are entering a ‘Code War’ era, where every digital device—no matter how small—can be weaponized.

Emilio Campa, Analyst on the Thematic Research team at GlobalData, comments: “Autonomous vehicle manufacturers may be making sure the physical doors lock, but as it stands, the digital doors are wide open. Over the past decade, hackers have accessed the vehicles of numerous major brands: remotely unlocking doors, collecting sensitive data, and even taking control of vehicles. This just isn’t good enough, and autonomous vehicles won’t be safe enough until these gaps are plugged.”

Automotive businesses are increasingly talking about cybersecurity in their financial reports, according to GlobalData’s Company Filing Analytics. The number of mentions of ‘cybersecurity’ increased almost fourfold between 2016 and 2021. However, that number is relatively small when compared to other major themes in the sector—especially environmental, social, and governance (ESG) issues. In 2021, the number of mentions of ‘ESG’ was over 20 times greater than the number of ‘cybersecurity’ mentions.

Campa continues: “Cybersecurity is competing for attention with other major issues such as ESG and geopolitics. While these are also pressing matters, the importance of comprehensive cybersecurity in automotive cannot be overstated. Public safety aside, cyber breaches and cyberattacks directly affect the value and integrity of car manufacturers’ brands. New vulnerabilities are also constantly coming to light, and they can be difficult to fix.”

Cybersecurity-related regulation is being implemented in different ways around the world. The UN Economic Commission for Europe (UNECE) Regulation 155 comes into force in July 2022, the ISO/SAE 21434 standard has been developed, and countries from the US to China are adopting local regulations and oversight. As a result, auto players must be aware of the regulatory landscape to ensure compliance.

Campa adds: “There is a real requirement for manufacturers to get up to speed on cybersecurity, and to do so quickly. The auto industry will face more cyberattacks as it introduces more connected, digital, and electronic systems to new vehicles and as companies themselves become more digital. With cyberattacks causing severe reputational damage and being expensive to remediate, automotive cybersecurity cannot be ignored.”

* Level 5 autonomous vehicles are fully self-driving vehicles that can handle all driving tasks in all circumstances. These vehicles probably won't feature human controls and must be able to safely handle any situation they might encounter.