When I wrote “Beware of Car Hacking – A Systematic Analysis” back in 2016, automotive cybersecurity was still a marginal topic. Terms like ISO 21434 or Threat Analysis and Risk Assessment (TARA) hadn’t even entered the conversation. Yet, the fundamental security issues that I described then are the same ones I still encounter in modern vehicles today — only now, the systems have become far more complex, and the potential consequences even more severe.
For years, the automotive industry believed its mechanical DNA would safeguard it against digital exposure. That belief was comforting but completely wrong. Today, cars have become nodes in the Internet of Things (IoT), each equipped with countless ECUs and millions of lines of code — a level of complexity that multiplies vulnerabilities instead of eliminating them.
Ahead of Standards, Not Behind Them
When I published the book in 2016, I wasn’t trying to comply with a framework — I was describing a mindset. Back then, the notion of TARA — Threat Analysis and Risk Assessment — hadn’t yet been formalized within ISO 21434. But the analytical and destructive thought processes I mapped out in my field study followed exactly that logic: identify assets, recognize threats, and anticipate risks long before a standard told you how to do it.
In hindsight, my approach anticipated what would later become one of the cornerstones of ISO 21434 — adopting a systematic and risk-based methodology for protecting vehicle systems [web:1]. The same structured threat modeling and adversarial thinking that underpins TARA were already embedded in my methodology, conceived out of necessity rather than compliance.
That is why, even after nearly a decade, the book’s validity hasn’t aged — it has strengthened. The very weaknesses I exposed before connected mobility and over-the-air updates became buzzwords are the same cracks appearing under different names today. If anything, modern architectures, from zonal networks to autonomous driving stacks, have accumulated new layers of exposure while inheriting the same underlying design blind spots.
The Myth of Mechanical Security
For far too long, engineers assumed that a solid mechanical construction meant safety. It doesn’t. Beneath the surface, cars have become digital organisms. Their nervous systems — the control networks — are open to intrusion, their sensory organs — the sensors — can be deceived, and their brains — the control units — can be reprogrammed or overwhelmed.
I wrote this book to challenge that comfort zone. The first step toward understanding cybersecurity is abandoning the illusion of mechanical immunity. Once the code controls motion, hacking becomes a physical event.
Thinking Destructively – Long Before ISO
The concept of destructive thinking isn’t about chaos; it’s about prediction. My experience in vehicle electronics for brands like Audi, BMW, and Lamborghini taught me that safe engineering begins with uncomfortable questions: What would happen if the actuator fails open? If the brake command is spoofed? If false telemetry floods the system? In other words, thinking like an attacker to protect as an engineer.
This mindset forms the psychological foundation of modern TARA methodology — decades before the term became fashionable or standardized [web:1][web:4]. To me, every diagnostic vector, every unsecured bus, and every missing fail-safe was not merely a technical flaw but a narrative of risk — a story waiting to unfold in the wrong hands.
Old Flaws, New Cars
Fast-forward to 2025: the vehicles around us are saturated with cloud APIs, ADAS functions, infotainment links, and continuous OTA updates. And yet, whenever I examine the internal logic of these networks, I find the same signatures — unchecked diagnostic paths, weak authentication, exposed OBD ports, and wireless interfaces that bypass fundamental control principles. The shells are sleeker; the vulnerabilities remain.
A recent Kaspersky report underlines what many of us already know: today’s connected vehicles still exhibit exploitable flaws in their over-the-air updates, diagnostic systems, and ECU integrations [web:9]. The architectures evolved, but the logic of exploitation did not.
The Unseen Weapon: Applied Diagnostics
When I first discussed the dangers of applied diagnostics in 2016, most dismissed them as hypothetical. Now, with wireless diagnostic interfaces and smartphone-connected OBD tools, those same vectors are routine entry points. These service functions — meant for maintenance — have become hacker goldmines. Unprotected, they enable access to live systems in motion.
- Data espionage: Harvesting GPS history, biometric data, or driver profiles.
- Actuator abuse: Triggering hydraulic systems, steering valves, or brakes under load.
- Wireless intrusion: Exploiting cheap aftermarket Bluetooth or Wi-Fi dongles to bridge into CAN or Ethernet networks.
As predicted, these diagnostics remain the soft underbelly of connected vehicles — proof that superficial progress has not produced structural resilience.
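The three risks listed above map onto a simple gateway policy for diagnostic requests. The sketch below is an added example, not taken from the book or from any vehicle's software: the service IDs and negative response codes follow UDS (ISO 14229), while the `Context` fields and the policy itself are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# UDS (ISO 14229) service IDs and negative response codes used below.
SESSION_CONTROL, SECURITY_ACCESS, TESTER_PRESENT = 0x10, 0x27, 0x3E
READ_DATA_BY_ID = 0x22
WRITE_DATA_BY_ID, IO_CONTROL, ROUTINE_CONTROL = 0x2E, 0x2F, 0x31
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_INVALID_FORMAT = 0x13
NRC_CONDITIONS_NOT_CORRECT = 0x22
NRC_SECURITY_ACCESS_DENIED = 0x33

HANDSHAKE = {SESSION_CONTROL, SECURITY_ACCESS, TESTER_PRESENT}
READS = {READ_DATA_BY_ID}
ACTUATING = {WRITE_DATA_BY_ID, IO_CONTROL, ROUTINE_CONTROL}


@dataclass
class Context:
    """Hypothetical gateway view of the vehicle and the tester."""
    speed_kmh: float
    tester_authenticated: bool
    wireless: bool  # request arrived via a Bluetooth/Wi-Fi bridge


def check_request(payload: bytes, ctx: Context) -> Optional[int]:
    """Return None to forward the request, else the NRC to answer with."""
    if not payload:
        return NRC_INVALID_FORMAT
    sid = payload[0]
    if sid in HANDSHAKE:
        return None
    if sid not in READS | ACTUATING:
        return NRC_SERVICE_NOT_SUPPORTED      # default deny
    if not ctx.tester_authenticated:
        return NRC_SECURITY_ACCESS_DENIED     # covers data reads too
    if sid in ACTUATING and (ctx.wireless or ctx.speed_kmh > 0):
        return NRC_CONDITIONS_NOT_CORRECT     # no actuation in motion
    return None


def negative_response(sid: int, nrc: int) -> bytes:
    """Build the UDS negative response frame for a rejected request."""
    return bytes([0x7F, sid, nrc])
```

Reads require an authenticated tester, actuating services are refused while the vehicle is moving or when the request arrives over a wireless bridge, and every service not explicitly listed is denied.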
Customers Must Wake Up
It’s time to shift responsibility. I no longer address this message solely to developers. I am speaking to the modern driver. The customer must become a conscious participant in the cybersecurity conversation. If you buy a car with advanced tech, demand to know: Who validates its digital safety? What is the disclosure policy for vulnerabilities? Who holds the key when your digital key fails?
OEMs have for too long marketed convenience as innovation while treating cyber resilience as an appendix. It’s time for customers to insist that cybersecurity receive equal priority to performance, efficiency, or comfort. Only when consumer pressure meets regulatory structures will the industry pivot toward responsibility rather than marketing gloss.
Cybersecurity Cannot Be Retrofitted
The hard truth is that cybersecurity must be baked into vehicle architecture — not patched later by software updates. Too often, I’ve seen systems designed for function, not defense. Security can’t survive as an afterthought. It must be intrinsic, from the earliest steps of concept to production.
That’s why my 2016 thesis remains painfully relevant: if you don’t think like a hacker, your product will be defended by hope, not design.
Conclusion: Still Warning, Still Relevant
Nearly ten years have passed since the release of “Beware of Car Hacking – A Systematic Analysis.” The technology has changed, but the essence of the threat remains immutable. My early reflections on destructive thinking — written before ISO 21434 and TARA were formal terms — continue to guide responsible design today.
The message has never been more urgent: learn to think destructively before others exploit your naivety. Recognize risk before it manifests. And for today’s drivers — demand more from your manufacturers. Because safety in the digital age is no longer a matter of steel or horsepower. It’s a matter of thought.
This is not a retrospective. It’s a reminder.
Get your copy here or at your favorite book store.