Smart cars at heightened risk of attack, IT security firm says



Automakers should do more to increase the safety of vehicles whose software can be updated over the air, according to a cybersecurity expert, because current technology leaves cars vulnerable to being manipulated without an owner’s knowledge.

In the connected cars of today, virtually all communication between a driver’s smartphone and their vehicle takes place over the Internet via the cloud for functions as basic as starting the engine remotely and turning on the air conditioning. Sometimes it’s a user sending a command to the car, and sometimes it’s the manufacturer sending a request for the car’s software to be updated.

There have been several instances where cybersecurity experts successfully sent commands to a vehicle remotely over the Internet using an unauthorised account, according to Liz James, a consultant at IT security firm NCC Group, whose clients include some European automakers.

“Purely from the design of an always-connected vehicle, that threat, which didn’t exist before, now does,” she said.

The risk was on display earlier this year when teams of elite hackers gathered in Tokyo during the Automotive World conference to break into Tesla Inc cars for prize money. Back in 2022, meanwhile, a German teenager made global headlines when he hijacked some functions on Tesla EVs, including opening and closing doors, turning up the music and disabling security features.

Using Apple Inc’s CarPlay or Google’s Android operating systems, drivers the world over have become accustomed to connecting their phones to bring a smartphone-style interface up on a car’s dashboard display to control and use everything from maps to music.

Carmakers are also developing their own operating systems. Toyota Motor Corp is working on one called Arene that it expects to deploy in cars in 2025, while Volkswagen AG’s own software is called VW.os. Honda Motor Co and Nissan Motor Co agreed last month to team up on so-called software-defined vehicles.

With automakers “desperate to develop their own software and hardware platforms in order to keep and monetise data, the development of well-functioning and safe platforms” is proving tough, Macquarie Securities Korea Ltd analyst James Hong said.

Tech companies like Apple also have software that’s more resilient to cyberattacks than carmakers’ software, Hong said.

According to one local media report in Japan earlier this week, Toyota, Hitachi Ltd. and some 100 other firms have pledged to unify rules around software in smart cars in order to protect against cyberattacks.

To help mitigate the risk of hacking, NCC’s James said automakers should adopt opt-in options and more layers of authentication involving users’ smartphones. That would hand drivers the ultimate authority to make security-related commands, such as knowing a car’s location or deciding whether or not to run a software update.

The fact many cars come from the factory already connected to the cloud is another issue, James said. Consumers aren’t very aware that such connectivity could put them at risk of a car cyberattack, she said.

It’s an issue at least a few car dealers are beginning to highlight.

Ryuji Yamazaki, a supervisor at a Mercedes-Benz Group AG dealership in Tokyo, said some would-be buyers are worried about their car being stolen if they turn on the air-con remotely because starting a car’s engine is a prerequisite for that to happen.

“We explain that the car is safe because the engine stops once a user opens the door,” Yamazaki said. – Bloomberg
