Vehicle Cybersecurity Risks in Modern Software-Defined Cars

At Qualitex Trading Co. Ltd., we have built our reputation on the mechanical reliability of Japanese engineering. From the legendary durability of a Toyota Hilux to the precision of a Honda Civic, we know these machines inside and out. But as an expert who has spent years exporting these vehicles globally, I must address a silent shift: your car is no longer just a machine; it is a “computer on wheels” powered by over 100 million lines of code.

The industry often tries to reassure us by claiming there is an “air gap”—a physical and logical separation—between the screen you use to play music and the systems that control your steering and brakes. However, recent specialized security research utilizing the CarVal reasoning engine has proven that these barriers are often a dangerous illusion.

The Illusion of the Gateway

In modern vehicle architecture, a component called the “Gateway” is supposed to act as a digital bouncer. It segments the In-Vehicle Network (IVN), keeping the In-Vehicle Infotainment (IVI)—your dashboard screen—separate from the Body Control Module (BCM), which handles your locks, lights, and even critical driving commands.

The hard truth we are seeing in the 2025-2026 security landscape is that these gateways are bypassable. Researchers analyzing real-world vehicles, including luxury and mass-market models, identified five distinct multi-stage attack paths that allow a remote hacker to leap from a non-critical system directly into your car’s physical controls.

The 5 Multi-Stage Attack Paths

As a used car exporter, we prioritize transparency. It is vital for our clients to understand how a network breach can become a safety crisis :

The Browser-to-Brake Path: This is the most alarming. By exploiting a memory flaw in the car’s built-in web browser, an attacker can gain initial access. From there, they can craft “bypass messages” that trick the gateway into forwarding malicious commands directly to the BCM.
The Mobile App Replay: Official manufacturer apps designed for remote start or locking often lack “code obfuscation.” This allows hackers to reverse-engineer the authentication and start your engine or unlock your doors without ever touching your keys.
In-Vehicle Ethernet Exploitation: Many new high-tech imports use internal Ethernet for data. Attackers can move laterally through this network to gain “root” access over the vehicle’s core processors.
Cloud-to-Car Hijacking: Because cars are now persistently connected to the cloud for updates, a vulnerability in the manufacturer’s backend server can allow a hacker to send commands to any car on the road just by knowing its VIN.
In-Vehicle Malware: Just like a laptop, your car’s dashboard can be infected with malware through unverified apps, which then transitions from the entertainment domain to direct kinetic control.

Why the Used Car Market Must Stay Vigilant

At Qualitex Trading, we see the transition to “software-defined vehicles” as an inevitable evolution, but one that requires a new kind of maintenance. Traditional IT threats are now automotive threats. When ransomware attacks on the auto industry more than doubled in 2025, they weren’t just stealing data—they were locking owners out of their ignitions and demanding payment to restore control. [7, 5]

Until vehicle architectures are mathematically provably secure, we recommend our clients stay informed about the software versions of their imports. A car’s safety is no longer just about its crash-test rating; it’s about the integrity of its code.

1. What is a “Computer on Wheels”?

Modern cars now contain over 100 million lines of code, controlling everything from entertainment to engine timing, making them more like rolling servers than traditional mechanical tools.

2. Does an “air gap” exist in Japanese cars?

While manufacturers design “gateways” to separate entertainment from driving systems, research shows these can be bypassed by sophisticated remote code execution (RCE) attacks.

3. Can a hacker really control my brakes through my car’s browser?

Yes. Research has demonstrated that vulnerabilities in a car’s web browser can allow an attacker to send crafted messages that bypass the gateway and reach the Body Control Module (BCM).

4. What is the Body Control Module (BCM)?

The BCM is an Electronic Control Unit (ECU) responsible for a car’s physical functions, including door locks, windows, lights, and in some cases, contributing to kinetic commands.

5. Is my official manufacturer mobile app safe?

Not necessarily. Some official apps have been found to lack proper code encryption, allowing hackers to reverse-engineer authentication keys and remotely unlock or start vehicles.

6. How has ransomware changed for car owners in 2025?

Ransomware has moved beyond corporate offices. Attackers are now seizing remote control of individual cars on the road, locking owners out until a ransom is paid to restore functionality.

7. What is a “Cloud-to-Car” attack?

This occurs when a hacker compromises the manufacturer’s backend servers, allowing them to send unauthorized control commands to any connected vehicle via its Vehicle Identification Number (VIN).

8. Can my car get a virus like my laptop?

Yes. Modern In-Vehicle Infotainment (IVI) systems can be infected with malware, which can then be used as a jumping-off point to attack safety-critical driving modules.

9. Are older “dumb” vehicles safer from hackers?

From a cybersecurity standpoint, yes. Older vehicles without internet connectivity or software-defined actuators lack the remote attack surfaces that hackers exploit in modern “smart” cars [1].

10. What does Qualitex Trading Co. Ltd. recommend for used car buyers?

We recommend checking if the vehicle’s software and telematics systems have been updated to the latest manufacturer firmware to patch known RCE vulnerabilities.

Stay tuned for our next post, where we explore how simple stickers can trick an AI into swerving into oncoming traffic.