
Digital attack surfaces in the car: BSI warns of the new reality in road traffic
Quick overview:
- Acute threat situation: Infotainment systems, vehicle data and charging infrastructure are primary targets. Active exploitation of vulnerabilities is real, not just theoretical.
- Regulatory pressure is increasing: UNECE R 155 and NIS 2 force proactive risk management. Failure to comply will result in massive financial and operational risks.
- Supply chains as a weak point: Global networking makes supply chains critical attack vectors. Without SBOM and TISAX, there is a risk of unrecognized vulnerabilities.
- AI as a double-edged sword: Autonomous systems offer enormous opportunities, but present new, complex attack surfaces that overwhelm traditional security.
- Act now: Proactive strategies, internal and external cooperation and building digital resilience are not an option, but an existential necessity.
Why cybersecurity is becoming a strategic priority in the automotive sector
The advancing digitalization of road traffic, from networked infotainment systems to autonomous driving functions, creates unprecedented opportunities, but also presents an exponentially growing attack surface. Decision makers face the challenge of not only leveraging these innovations, but also protecting them from potentially catastrophic cyberattacks that can threaten ROI, drive up costs sharply and irreversibly damage reputations. Cybersecurity in road transport should not be viewed as an IT problem, but as a strategic business risk.
Based on current analyses from the BSI and in-depth industry experience, in this article we highlight the strategic urgency and show why cybersecurity in the automotive sector in 2025 is not just a technical requirement, but a decisive factor for competitiveness, market access and long-term company success.
You will receive concrete insights into the current threat scenarios, the regulatory requirements and the strategic implications for your company.
Infotainment & vehicle data: The open door to attack
The seemingly harmless infotainment systems in modern vehicles are a preferred target for cybercriminals. According to BSI analysis, numerous vulnerabilities were reported between February 2024 and March 2025, with physical access (Bluetooth, WiFi) being the most common attack vector, see Figure 1.

Figure 1: Classification according to the described access path from the analysis of vulnerability reports related to vehicles from public sources. Source: BSI, period: February 2024 – March 2025. (Reports for which classification was not possible or which relate to an already known event were not counted.)

Attackers can inject malicious code via crafted image files or weaknesses in communication protocols. The consequences are serious:
- Real-time tracking of vehicle positions
- Eavesdropping on conversations in the vehicle
- Manipulation of driving functions (opening doors, operating windshield wipers, intervening in the steering)
These attacks not only threaten occupant safety, but also brand reputation and customer trust. A single high-profile incident can wipe out years of development work and investment.
The underestimated security risk
Many companies underestimate the danger posed by “non-security” systems such as infotainment. The focus is often on direct driving safety, while these interfaces are perceived as less critical - a fallacy that can be expensive.
The Supply Chain Blind Spot: When Suppliers Are Your Biggest Risk
The global connectivity of automotive supply chains is a driver of innovation, but also a potential gateway for cyber attacks. Malicious code can be introduced into supplier parts before they are installed. A complete Software Bill of Materials (SBOM) is becoming increasingly important as a result of the EU's Cyber Resilience Act (CRA). Without this transparency, later vulnerabilities can hardly be identified or remedied.
Why internal security is not enough
A purely internal security strategy is inadequate. Reliance on external suppliers means that their level of cybersecurity directly influences your own. Many companies shy away from looking deeply into their partners' supply chains for fear of complexity and costs. But the costs of a supply chain attack far exceed these concerns.
Autonomous driving & AI: New opportunities, new attack surfaces

The advance of autonomous driving and the use of artificial intelligence are transforming mobility. But this complexity also creates novel attack vectors, such as manipulative inputs (adversarial attacks) on AI and sensor systems that can misdirect autonomous driving functions.
In the “AIMobilityAudit” project, the BSI has developed a process for deriving and evaluating test criteria for AI systems in order to identify cybersecurity risks at an early stage. Despite extensive regulations (EU AI Act, UNECE R 155), there are still significant gaps in the standardization and technical implementation of verifiable requirements.
Investing in AI security as a competitive advantage
While the efficiency and safety gains from autonomous driving are immense, inadequate cybersecurity can cause incidents that block market access and lead to immense liability risks. Investing in AI-specific cybersecurity is an investment in the scalability and security of your autonomous fleets.
Regulation 2025: Non-compliance is no longer an option
The regulatory landscape is becoming increasingly dense and requires proactive action.
UNECE R 155: Cyber Security Management System becomes mandatory
- UNECE Regulation No. 155 has been in force since 2021 and will be expanded to cover lighter EU vehicle classes from 2025.
- It calls for a comprehensive cyber security management system.
NIS 2 Directive: Enhanced Reporting Requirements
- The implementation of the NIS 2 directive from the end of 2025 requires operators of critical infrastructure and "manufacturers of motor vehicles and motor vehicle parts" to take far-reaching risk management measures.
- Reporting requirements for significant security incidents are being tightened.
Consequences for non-compliance
Non-compliance not only results in severe penalties, but can also deny market access and jeopardize your company's operating license. The implementation of these specifications is a strategic necessity to minimize risks and secure your business viability.
Why cybersecurity is a strategic competitive advantage
The cybersecurity situation in road transport is a strategic business risk that has a direct impact on profitability, market share and brand value. Investing in robust cybersecurity is not just a cost, but an investment in future viability and a decisive competitive advantage.
ROI through security by design
The integration of security by design and security by default across the entire product life cycle minimizes the long-term costs of security incidents and improvements. A proactive strategy significantly reduces financial risk and protects against incalculable expenses caused by compliance violations or cyberattacks.
Market leadership through trust
Investing in comprehensive cybersecurity strategies now will establish you as a thought leader and trustworthy partner. Anyone who hesitates risks losing touch with the forefront of automotive innovation and becoming a target for attackers.
Cybersecurity as an integral part of business
The complexity and networking of modern vehicles make cybersecurity a permanent task. Integrate cybersecurity as an integral part of your business strategy, from product development to sales to use and retrofitting.
Your next steps: recommendations for action
- Audit your supply chain: Require SBOMs and establish cybersecurity supply chain risk management processes
- AI security assessment: Check your autonomous systems for AI-specific attack vectors
- Compliance Check: Ensure your company proactively meets UNECE R 155 and NIS 2
Now is the time to strengthen your company's digital resilience on the road. We would be happy to support you in translating these complex challenges into implementable strategies and shaping your future in connected road traffic safely. Talk to us!