Contextualizing Security and Privacy of Software-Defined Vehicles: State of the Art and Industry Perspectives
Marco De Vincenzi, Mert D. Pesé, Chiara Bodei, Ilaria Matteucci, Richard R. Brooks, Monowar Hasan, Andrea Saracino, Mohammad Hamad, Sebastian Steinhorst
TL;DR
This paper examines the security and privacy challenges of Software-Defined Vehicles (SDVs), arguing that software-centric architectures with OTA and V2X connectivity expand attack surfaces. It combines a SALSA-based literature review with expert elicitation to map SDV attack surfaces, propose mitigations, and analyze OTA and privacy risks under current regulations. Key contributions include a working SDV definition, a taxonomy of SDV attack surfaces and their mitigations, an OTA-focused security analysis, and a privacy framework with regulatory context and defenses such as differential privacy and data sanitization frameworks. The work highlights the need for multi-layered, secure-by-design architectures spanning in-vehicle, edge, and cloud domains, along with standardized interfaces and regulatory collaboration to build trust and enable ongoing software-enabled automotive innovation.
Abstract
The growing reliance on software in vehicles has given rise to the concept of Software-Defined Vehicles (SDVs), fundamentally reshaping vehicles and the automotive industry. This survey explores the cybersecurity and privacy challenges posed by SDVs, which increasingly integrate features like Over-the-Air (OTA) updates and Vehicle-to-Everything (V2X) communication. While these advancements enhance vehicle capabilities and flexibility, they also come with a flip side: increased exposure to security risks including API vulnerabilities, third-party software risks, and supply-chain threats. The transition to SDVs also raises significant privacy concerns, with vehicles collecting vast amounts of sensitive data, such as location and driver behavior, that could be exploited using inference attacks. This work aims to provide a detailed overview of security threats, mitigation strategies, and privacy risks in SDVs, primarily through a literature review, enriched with insights from a targeted questionnaire with industry experts. Key topics include defining SDVs, comparing them to Connected Vehicles (CVs) and Autonomous Vehicles (AVs), and discussing the security challenges associated with OTA updates and the impact of SDV features on data privacy. Our findings highlight the need for robust security frameworks, standardized communication protocols, and privacy-preserving techniques to address the issues of SDVs. This work ultimately emphasizes the importance of a multi-layered defense strategy, integrating both in-vehicle and cloud-based security solutions, to safeguard future SDVs and increase user trust.
