Hacker for Lisyan: experts talked about the vulnerability of cars

Modern cars are becoming more complex, which means they are more vulnerable to cyber attacks. Last year, more than 500 automotive vulnerabilities were identified. The attacks themselves have become easier to carry out, and information for hacking can be found on the Internet, noted at a cybersecurity conference during Transport Week in Moscow. Izvestia dealt with proposals to protect the electronics of modern machines.

Telematics risk

Almost all the world's leading manufacturers have launched mass services using embedded telematics systems, said Mikhail Bryachak, First Deputy General Director of the Scientific Research Institute of Motor Transport (NIIAT).

If 75% of all cars were equipped with telematics in 2024, then 79% in 2024. It is expected that by the end of 2025, the level of machines with such services in the EU and the UK may reach 100%. The total volume of shipments last year reached 64.5 million units, and by 2029 it will grow to 82 million. Thus, the share of connected vehicles will amount to 93% of the total.

Mikhail Bryachak named the introduction of artificial intelligence-based personal assistants and wireless on-board software updates among the main trends in this segment.

"The wider the range of services offered, the greater the threats and risks in this area," he noted.

Hacking has become easier

The number of automotive vulnerabilities published annually since 2014 has been growing, said Vladimir Pedanov, Director of Automotive Cybersecurity at GLONASS. According to the data provided by him, until 2018, the number of vulnerabilities did not exceed several dozen, but in 2019 it increased to 266, in 2023 there were 426, and in 2024 - 530. Most likely, there will be even more vulnerabilities in the coming years, the expert notes.

Over the past 10 years, cyber attacks have also transformed — they are becoming more widespread, accessible and easy to execute. Previously, it took months or even years of work to prepare for them, but now it takes weeks. Information for hacking can be found in the most common social networks.

— One of the Russian automakers requested us to carry out work on analyzing the security of the multimedia system. And while we were coordinating the transfer of information from this system, our specialists managed to find its firmware and a description of vulnerabilities that had already been found by other specialists and made publicly available," said Vladimir Pedanov.

Since June, owners of Li Auto (Lixiang) cars in Russia have begun to file complaints about hacking of master accounts - keys to full control of the car through the application. The attackers, having gained control of the car, demanded a ransom — an average of 250 thousand rubles.

The vulnerability of modern cars has been felt by a wider range of motorists. Thus, owners of cars of brands that left Russia lost many online services.

Hacking a factory

The focus is shifting to harming the business as a whole, experts say. It is enough to recall the hacking of the British automaker Jaguar Land Rover in August 2025. It cost the UK economy $2.5 billion and affected more than 5,000 different organizations in the country.

At the beginning of the year, the United States introduced a ban on connected car technology from China and Russia. Allegedly, they can collect data and transfer it to "malicious actors."

How cars are tested for cybersecurity

The total amount of code that controls a modern car can exceed 100 million lines, which is comparable to large banking systems, said Oleg Assur, Deputy General Director of the Scientific Testing Institute for Integrated Security Systems.

— The combined complexity leads to errors. Mistakes lead to vulnerabilities, which in turn lead to cyber attacks. To minimize this risk, there is a testing practice in the world," he noted.

So, at the first stage, the car is being tested by the automaker. At the next stage, the testing laboratory is activated. Finally, a penetration test is performed — when the researcher acts as an attacker. In practice, it confirms those possible vulnerabilities that are detected at previous stages. Next, the manufacturer carries out improvements in accordance with the recommendations and comes for repeated tests. Such a cycle is carried out until the risk level becomes acceptable, Oleg Assur notes.

The next level of testing is cyber polygons, which allow testing more complex, complex scenarios — multiple objects, interaction with road infrastructure, communication, and telematics.

We need our own rules

In international practice, there are cybersecurity standards (R155, R156, ISO/SAE 21434), according to industry experts. They have already become a mandatory part of market entry in a number of countries. The R155 rule has been extended to motorcycles and scooters. Local standards have appeared in China and India.

— The R155 rule exists in Russia in a "suspended" state. That is, not only Europe, the USA, China, but also India have gone ahead of us in this matter," Vladimir Pedanov notes.

Russia follows national regulations based on them, Mikhail Bryachak believes, and besides, it is necessary to develop methods for analyzing the security of car software and create an industry Competence Center for cybersecurity of transport.

There are all possibilities to create our own system of testing and certification of cybersecurity and expertise, Oleg Assur believes.

"Russia has one of the best cybersecurity schools in the world," he said.

The reward will find the hacker

In addition, there are Bug Bounty vulnerability search programs, said Vladimir Isaev, Director of Positive Technologies JSC. They are already used in Russian practice, for example, by the Ministry of Finance, as one of the ways to verify government information systems for interacting with the public. In particular, such a check was carried out by "State Services", said Vladimir Isaev.

— In the model of a mandatory certification system, we have certain boundaries in the form of specialists, laboratories, tools, and deadlines. Thousands of specialists, so-called "white hackers", are registered in the Bug Bounty format on platforms and sites that offer such services. Each of them specializes in his own field. They search for the same vulnerability errors in the program hosted by the company for a reward. Thus, we get the maximum depth of verification," he said.

Special category

Vladimir Pedanov said that with the participation of the Ministry of Industry and Trade, work is underway to create an Information Security Management Center SOC. The pilot project is being carried out jointly with FSUE NPP Gamma

— That is, the first thing we will do, we will try to hack cars, the second, we will try to fix the possibilities of this hacking based on telematics data. We have been working on the experiment since last November, but finally we are moving to the practical plane, when the experiment is officially launched, and work has already begun. Currently, work is underway on the transmission of telematics data from various vehicles. The hacker team has already received the task of hacking and testing, and I hope that we will be able to share information with you soon," he said.

GAMA NPP specialists, with support, automate the data collection process, provide incident analysis and response to these incidents. Moreover, vehicles carrying dangerous goods, unmanned vehicles, civil servants' transport and public transport are grouped into a special category.

Localize the data

For new imported, non-localized vehicles, a separate approach is being worked out with the localization of data that can be sent abroad from these vehicles.

— There is always talk that supposedly all Chinese cars transmit some information somewhere, but no one knows where, - says Igor Morzharetto, partner of Autostat.

At the same time, an ordinary buyer, as a rule, does not care where the information from his car goes and what, according to Maxim Kadakov, editor-in-chief of Za Rudem.

— We propose to localize the data that is transmitted from foreign vehicles abroad by analogy with security personalization. And as a control tool, we suggest using a GLONASS SIM card. In other words, we are moving away from the initiatives proposed by NTI Avtonet and other industry participants to create a single repository and a single data library. We are moving to a decentralized storage, when the data will remain with their owners, automakers, and local partners. Our role will be to ensure that this process is real, it is not falsified, and the data is actually stored in Russia," said Vladimir Pedanov.