In-vehicle Infotainment [IVI] systems are advancing at pace…but so are security challenges

In-vehicle infotainment [IVI] systems are no longer just a convenience – they’re at the center of the driving experience. What was once a simple dashboard with radio and GPS has rapidly become a fully connected digital hub.
IVI systems now include real-time navigation, voice-control assistants, streaming audio, app stores, and seamless smartphone integration.
Drivers today expect the same level of connectivity and personalization they experience with their smartphones, and automakers are responding with increasingly sophisticated systems. But as IVI technology accelerates, so do security dangers. Exposure occurs through connectivity, and every feature added to enhance convenience also opens up new attack surfaces.
Automakers must now also contend with more stringent global regulations. Cybersecurity regulations such as UNECE WP.29 R155 and GB44495, together with the ISO/SAE 21434 standard, are pushing manufacturers to treat cybersecurity as a design requirement rather than a post-production concern.
These standards are pressuring OEMs and Tier 1 suppliers to demonstrate not just compliance, but also ongoing vigilance in safeguarding vehicle systems – IVIs included.
As the race to digitize the driver experience speeds up, manufacturers are being forced to confront an important question: how do we secure the digital heart of the modern vehicle?
The double-edged sword of innovation
The arrival of connected cars has completely changed the dynamics of vehicle security. IVI systems are not isolated modules anymore – they are integrated into different vehicle subsystems, linked to the cloud and often responsible for managing user accounts, apps and data. These systems communicate with each other all the time through Wi-Fi, Bluetooth, cellular networks and even USB ports. It is this increased connectivity that makes smart features a reality, but it also provides an open invitation to hackers.
Whilst remotely controlling a vehicle is not nearly as easy as Hollywood would like us to think, attackers will leverage any weaknesses, and IVIs are a key battleground.
An IVI system that has been exploited can potentially disclose personal data such as location history, address book or payment information. It could also create significant driver distraction issues if HMI elements suddenly change or services are interrupted or even disabled.
Vulnerabilities may also allow hackers access to broader vehicle systems, which could have wider impacts, such as aiding in vehicle theft, removing licensing or regional restrictions or even impacting vehicle safety.
Over-the-air [OTA] updates have become a powerful tool for maintaining and improving IVI systems without the need to visit dealerships. But the same capability means that attackers who compromise the update mechanism would be able to deploy malicious code to thousands of vehicles at one time.
Because of the inherent risk of OTA updates, it is an area OEMs must focus on. However, the increasing prevalence of third-party apps in IVI systems takes this challenge to a whole new level, as the OEM has limited ability to control the changes made by the third party.
Similarly, these apps also serve as an entry point for malware or incidental data leaks if not sandboxed and thoroughly vetted.
Rising customer expectations, rising responsibility
Customers today expect their vehicles to provide the same frictionless digital experience their smartphones afford them. This expectation comes with trust – the assumption that automakers will safeguard data, ensure apps are functional and the system is fully secure.
But as software has an increasingly important role in vehicle functionality, a security weakness in an IVI system could quickly turn into an even larger issue that affects how the vehicle works or even how the brand itself is perceived.
It could also lead to the vehicle being used as a platform to upload malware to connected backend systems, resulting in a wide range of threats such as ransomware attacks. The cost of a security failure exceeds recall expenses and legal fees – it potentially erodes the very trust motorists place in their vehicles.
The need for built-in, not bolt-on, security
Historically, the automotive industry has approached security as somewhat of an afterthought, with physical system separation being the main approach and anything else treated as a bolt-on at the end of product development – but that no longer works. Automotive security today must be built into IVI systems from the outset, starting at the hardware level and continuing up to application-level protection.
This includes secure boot processes, trusted software update procedures, application integrity at runtime, vehicle domain separation and robust authentication of both users and connected services. IVI systems must not only protect themselves, but they also need to act as secure gateways that shield the rest of the vehicle from outside attacks.
Creating this level of security is a complex, multi-layered process that goes across hardware suppliers, OS providers, app developers and service platforms. For automakers, juggling that complexity while delivering feature-rich, user-friendly IVI systems to customers is a huge undertaking.
How Trustonic supports a security-first approach
As an industry leader in hardware-backed security, Trustonic helps OEMs meet these challenges. Our team of experts works with OEMs to enable them to embed security into the heart of IVI systems through our Secure OS – a secure world where sensitive operations are isolated from the broader operating system.
This pioneering architecture is designed to ensure that even if an attacker is able to access one application, critical data and processes are not impacted. With more than 30M vehicles already on the road today, we know what it takes to meet the demands of the automotive industry.
Born secure at the point of manufacture, our technology enables secure lifecycle management — allowing manufacturers to provision devices safely during production and manage updates, credentials and policies throughout the vehicle’s lifetime. It also supports Trusted Applications and Services for high-value IVI use cases such as payments, DRM and profile management, without exposing the wider platform to unnecessary risk.
Perhaps most importantly, Trustonic’s approach is compliant with global automotive cybersecurity standards, allowing OEMs to streamline their own compliance process.
By putting hardware-backed security, runtime protection and lifecycle trust first, Trustonic enables automakers to move at speed without sacrificing safety or trust – two pillars that will define the future of mobility.
Securing the road ahead
The move toward connected, software-defined vehicles is irreversible. As infotainment systems are transformed into digital control centres, they will continue to inform the way drivers interact with their vehicles and how customers interact with automakers. With this, however, comes the need to rethink security from the ground up.
Automakers that approach things from a security-first mindset now will be poised to lead in a future where cars are as much digital platforms as they are physical machines.
Security, ultimately, isn’t something to add on at the end. It’s something to build into the very fabric of the driving experience – and that starts at the heart of the vehicle: the IVI system.