Five Uncomfortable Truths About Automotive Cybersecurity

January 22 2021 | 3 min

As a pioneer in automotive cybersecurity, Thomas Wollinger has brought ESCRYPT from its beginnings in 2004 to a position as one of the world’s leading providers of system solutions for vehicle data security. Today, ESCRYPT has some 400 associates at 19 locations worldwide and is part of the Bosch Group. ESCRYPT solutions are an integral part of large-scale automotive production in many places and are used in millions of vehicles all over the world.

Thomas Wollinger’s special focus lies in the strategic development and integration of ESCRYPT's product and solution portfolio. At FuzzCon - Automotive Edition, he took up a managerial perspective, to talk about some uncomfortable truths in automotive cybersecurity.

At ESCRYPT, we basically design, enable and manage IT security. As security consultants, we are specialized in security strategy, training, and a variety of other fields within the automotive software domain. We consider ourselves experts in all kinds of testing methods, including functional testing, vulnerability scans, penetration testing, everything from automated testing to manual testing, and of course fuzzing.

In our testing efforts, we like to take a holistic approach, which means that we test electronic control units individually, but also the entire vehicle platform. Our goal is basically to secure the whole ecosystem of a connected car.



“In a connected world, cybersecurity is as important for your safety as the brakes” Ralf Speth, CEO Jaguar/Land Rover


When I started with automotive security, we were securing all electronic control units (ECUs) individually. Since then, the complexity and connectivity of vehicles have increased dramatically, creating more opportunities for potential attackers to infiltrate those systems. This change requires a completely different approach and a new set of security skills. To sum up the key developments I have witnessed during my career, I have summarized five uncomfortable truths about automotive cybersecurity:


1. The Titanic Syndrome

In 2023, there will be 775,000,000 connected cars worldwide. The Titanic syndrome states that those who put themselves in danger will perish. In the development of increasingly software-driven connected vehicles, this means that those car manufacturers (OEMs) who don’t have a security strategy will not survive, because security is the indispensable foundation of interconnectivity.

However, the main challenge is that security vulnerabilities only become visible to the public when it's already too late. Customers usually don't notice when security is cut for profits (until their car fails them). And this is why there are still so many managers who see security primarily as a cost driver. 

What can you do to increase security awareness?

  • Treat security as a strategic task
  • Create security awareness throughout the entire company
  • Enable security orchestration of the whole software development lifecycle

2. No Safety Without Security

Cyberattacks on vehicles have increased by a factor of seven over the last four years. Even if only a small number of those attacks are successful, the consequences can be devastating, especially as they are a potential threat to an entire fleet of vehicles.

What can you do?

  • Use original equipment from trusted partners
  • Consider security during the entire lifecycle
  • Enable your team (IDS, SOC, Firewall)


3. 100% Security Is Not Affordable

There are 100 million lines of code (LoC) in the new Golf 8. For comparison, a Boeing 787 has only 14 million LoC! Even if your team has an excellent bug detection rate, you will still, almost certainly, miss some bugs or vulnerabilities. The challenge here is balancing the risk and the investment, meaning that you will have to decide how much risk you are willing to take.

What can you do?

  • Segment your car and define safety-critical parts
  • Prioritize your security activities in the important fields
  • Build resilient systems

4. Omnipresent Threat

According to the German Federal Office for Information Security (BSI), each day there are 322,000 new malware threats. If you don't find those vulnerabilities first, someone else will exploit them. The complexity of our systems is increasing dramatically. Since vehicles have quite a long lifecycle, the software complexity will increase even further while the car is on the road. This means that you will need to put in some extra effort to keep your car secure in the long run.

What can you do against these threats?

  • Find the right strategy from the beginning
  • Protect all connected entities
  • Ensure long-term security


5. Impending Sanctions

It's important to comply with new regulations such as the new UNECE regulations and the upcoming ISO 21434. Even if these norms aren't mandatory yet, OEMs who do not follow the rules will soon be disqualified. As if automotive software wasn’t complicated enough, these norms and regulations increase the complexity even further, which is why many developers perceive them as additional requirements.

Don’t get this wrong: regulations are critical for facilitating effective security measures, but in some cases they can lead to over-regulation. This means that complying with norms and standards becomes more important than the actual task at hand. Regulations certainly create pressure within the industry, but they can also be an opportunity, for example, to convince upper management to reassess their priorities. Security must come first!

What can you do against impending sanctions?

“Security is not a product, but a process” Bruce Schneier, Cryptographer & Security Expert


I'm glad to see that testing methods such as feedback-based fuzzing are emerging as a new standard in the automotive sector. Nevertheless, we need to think about automotive security in a much broader way. The security perspective has to be kept in mind during the entire software development lifecycle (SDLC). This includes the management of processes, security strategy, and company culture.


Thomas Wollinger CEO ESCRYPT

About Dr. Thomas Wollinger

Dr. Thomas Wollinger has been the managing director of ESCRYPT since 2007. As a pioneer in automotive cybersecurity, he has brought the company from its beginnings in 2004 to a position as one of the world’s leading providers of system solutions for vehicle data security. Today, his special focus is on the strategic development and integration of ESCRYPT's product and solution portfolio for automotive security and beyond. 
