When Cars Become Code: The Cyber Risks of Software-Defined Mobility

According to Deloitte’s Global Automotive Consumer Study (GACS) for the India market in 2026, features/technology is one of the most important factors driving consumers' choice of vehicle brand, accounting for 50 percent.

By Rajat Mahajan and Santosh Jinugu, Deloitte India, 29 Mar 2026

Not long ago, ‘vehicle control’ meant gears, valves, shafts and steel. Today, a modern vehicle is made up of code as much as metal, making the car a continuously evolving digital system on wheels, powered by 100–500 million lines of code.

According to Deloitte’s Global Automotive Consumer Study (GACS) for the India market in 2026, features/technology is one of the most important factors driving consumers' choice of vehicle brand, accounting for 50 percent. This is primarily because, at 80 percent, India has the highest proportion of consumers finding software-defined vehicles (SDVs) useful. This has led to an increased number of connected cars on the road.

This transformation is creating value for customers as well as original equipment manufacturers (OEMs), but there are significant risks. Connectivity, personalisation and autonomous features are central to brand differentiation. Yet every interface built for convenience introduces exposure. The competitive advantage of SDVs rests on architectural sophistication, but so does the ever-expanding attack surface.

Real incidents have shown us how a single weak interface can cascade into a safety-critical control issue. 

  • Last year, the vehicle mobile app of one of the largest global passenger car manufacturers had insecure authentication. This resulted in the disclosure of the vehicle identification number (VIN) and complete remote control of car functions such as remote start/stop, AC, lock/unlock, geolocation, etc.
  • A few years back, a hack of a leading sport utility vehicle (SUV) moved from the head unit over the cellular interface into the controller area network (CAN) bus, letting researchers manipulate brakes, transmission and steering. This triggered a massive vehicle recall and redefined “cyber” as a road-safety issue.

The SDV attack surface is no longer a perimeter, but a mesh. Per GACS reports, consumers are ready to pay extra for connected features. The report indicates that 75 percent of consumers are ready to pay for autonomous parking, while 77–79 percent of consumers prefer to have vehicle health reporting, app connectivity, automatic detection of vehicles/pedestrians and digital keys.

  • Infotainment systems: Integration with smartphone mirroring and voice assistants, without strict network segmentation or gateway enforcement, becomes a safety-critical risk.
  • Advanced driver assistance systems (ADAS): These raise the stakes further, since these platforms ingest data from cameras, radar and LiDAR sensors. A simple manipulation of sensor inputs or injection of adversarial signals could directly influence the vehicle’s behaviour.
  • Telematics unit: Persistent cloud connectivity and over-the-air (OTA) updates can turn an operational convenience into a systemic vulnerability when authentication models are flawed or certificate management is weak.
  • V2V/V2X: While improving safety and efficiency, V2X also introduces attack possibilities such as spoofing and denial of service (DoS) into the ecosystem.

The industry’s responses cannot rely on reactive patch cycles any longer. Security must be engineered into the vehicle lifecycle from the earliest architectural decisions. Threat analysis and risk assessment (TARA) at the concept stage, secure boot chains, software bill of materials (SBOM) governance and secure coding standards aligned with AUTomotive Open System Architecture (AUTOSAR) and Motor Industry Software Reliability Association (MISRA) practices are foundational controls. These are not optional safeguards; they define system integrity. 

This shift-left posture is further reinforced by the regulatory momentum. ISO/SAE 21434 formalises cybersecurity engineering processes across development, production and decommissioning, while UNECE WP.29 R155 mandates a cybersecurity management system (CSMS) as a prerequisite for vehicle type approval across major markets. National frameworks such as AIS-189 further codify compliance expectations. 

Today, certification hinges on demonstrable risk management, traceability and incident response readiness, and cyber governance has entered the homologation process.

For OEMs, the strategic calculus is shifting. Now, cyber resilience intersects with safety, brand trust, investor buy-in and customer confidence. Per GACS, about 95 percent of customers are willing to pay for SDVs, with safety, security and continuous vehicle health reporting being the top features. As vehicles continue to become software-driven, cyber risk transforms into a safety and brand risk. OEMs that treat cybersecurity as a core system property, architected in early, validated continuously, monitored at fleet scale and anchored in CSMS/ISO 21434 discipline, will keep up with attackers and regulators, and outpace competitors on trust, time-to-feature and total lifecycle value.

In a world where software increasingly determines how vehicles sense, decide and move, trust will act as the fuel that redefines the future of mobility.

 

Rajat Mahajan is Partner and Automotive sector leader at Deloitte India, and Santosh Jinugu is Partner at Deloitte India. Views expressed are the authors' personal.

 
