Audi

Audi has been identified as shipping vehicles (at least through 2024) with outdated and vulnerable software components, such as **FreeImage**, which lacks active maintenance and contains well-documented security flaws. These vulnerabilities expose connected cars to potential **remote exploits**, **data breaches**, and **system takeovers** via compromised firmware or third-party APIs. The insecure software violates the intent of **UNECE R155** (cybersecurity type approval) but persists because of weak enforcement and a disconnect between regulatory compliance and practical implementation. Attackers could exploit these flaws to manipulate critical vehicle systems (e.g., brakes and steering via the CAN bus), exfiltrate sensitive driver data (location history and behavior patterns stored in cloud systems), or deploy malicious **over-the-air (OTA) updates** affecting entire fleets. The systemic neglect of security standards, despite legal frameworks like **GDPR** and **ISO/SAE 21434**, undermines consumer trust and leaves drivers exposed to **large-scale cyber-physical attacks**, including scenarios where vehicle control could be hijacked, endangering lives and exposing the organization to liability.

Source: https://www.helpnetsecurity.com/2025/09/09/connected-car-cybersecurity-europe/

TPRM report: https://www.rankiteo.com/company/audi-ag

"id": "aud3033730090925",
"linkid": "audi-ag",
"type": "Vulnerability",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Automotive',
                        'location': 'Germany (Global Operations)',
                        'name': 'Audi (Volkswagen Group)',
                        'size': 'Large',
                        'type': 'Automaker'},
                       {'customers_affected': '~300 Surveyed (Study Sample)',
                        'location': 'Europe (Western/Eastern Disparities)',
                        'name': 'European Connected Car Owners',
                        'type': 'Consumers'},
                       {'industry': 'Automotive/Tech',
                        'location': 'Global',
                        'name': 'Automotive Supply Chain (Third-Party '
                                'Component/API Providers)',
                        'type': 'Suppliers'}],
 'attack_vector': ['Remote Access (Telematics/Wireless/Mobile Apps)',
                   'Data Leaks (Cloud-Stored Sensitive Data)',
                   'Sensor Manipulation (Cameras/Radar/Lidar/GPS)',
                   'CAN Bus Exploitation (Brakes/Steering/Acceleration)',
                   'Compromised Firmware (Over-the-Air Updates)',
                   'Third-Party Component Vulnerabilities (APIs/Supply Chain)'],
 'customer_advisories': ['Owners of connected cars should:',
                         '- Review manufacturer privacy policies for data '
                         'collection practices.',
                         '- Secure linked mobile apps with strong '
                         'authentication.',
                         '- Monitor for unusual vehicle behavior (e.g., '
                         'unexpected software updates).',
                         '- Report suspicious activity to '
                         'manufacturers/regulators.'],
 'data_breach': {'data_exfiltration': 'Potential (No Confirmed Breach, but '
                                      'Systemic Risk)',
                 'personally_identifiable_information': 'Yes (via Driving '
                                                        'Patterns/Device '
                                                        'Links)',
                 'sensitivity_of_data': 'High '
                                        '(Personal/Behavioral/Geolocation)',
                 'type_of_data_compromised': ['Location History',
                                              'Driving Behavior',
                                              'Vehicle Sensor Data',
                                              'Cloud-Stored Telemetry']},
 'description': 'A study by Óbuda University (Budapest) and the University of '
                'Oslo highlights systemic cybersecurity risks in connected '
                'cars, including remote access attacks, data leaks, sensor '
                'manipulation, CAN bus exploitation, and supply chain '
                'vulnerabilities. Current regulations (e.g., UNECE R155, UN '
                'R156, GDPR) and industry standards (e.g., ISO SAE 21434, ISO '
                '24089) are inconsistent, poorly enforced, or voluntary, '
                'leaving manufacturers like Audi shipping vehicles with known '
                'vulnerabilities (e.g., unmaintained software like FreeImage). '
                'Public awareness of data collection is high, but trust in '
                'security measures is low, with regional disparities in '
                'perception. The pace of innovation outstrips regulatory '
                'accountability, exacerbating systemic risks.',
 'impact': {'brand_reputation_impact': ["Erosion of Consumer Trust in 'Smart "
                                        "Car' Security",
                                        'Negative Perception of Manufacturers '
                                        '(e.g., Audi) for Known '
                                        'Vulnerabilities',
                                        'Associated Risks with '
                                        'Political/Safety Concerns for '
                                        'Non-European Brands'],
            'customer_complaints': ['Lack of Transparency in Data Collection',
                                    'Distrust in Vehicle Security (Regional '
                                    'Disparities)',
                                    'Preference for European/Japanese Brands '
                                    'Over Others'],
            'data_compromised': ['Location History',
                                 'Driving Behavior',
                                 'Personal Data (GDPR-Scope)',
                                 'Vehicle System Logs'],
            'identity_theft_risk': 'High (via Stolen Driving Behavior/Location '
                                   'Data)',
            'legal_liabilities': ['Potential GDPR Violations for Data '
                                  'Mishandling',
                                  'Non-Compliance with UNECE R155/R156 (Type '
                                  'Approval Risks)',
                                  'Future Cyber Resilience Act Penalties'],
            'operational_impact': ['Potential for Remote Vehicle Control '
                                   'Hijacking',
                                   'Disruption of Driver Assistance Systems',
                                   'Mass Firmware Compromise via OTA Updates',
                                   'Supply Chain Cascading Failures'],
            'systems_affected': ['Telematics Systems',
                                 'Wireless Interfaces',
                                 'Mobile Apps',
                                 'CAN Bus (Brakes/Steering/Acceleration)',
                                 'Sensors (Cameras/Radar/Lidar/GPS)',
                                 'Over-the-Air Update Mechanisms']},
 'initial_access_broker': {'backdoors_established': 'Potential (via CAN Bus or '
                                                    'Firmware Exploits)',
                           'data_sold_on_dark_web': 'Likely (if exfiltrated; '
                                                    'no confirmed cases in '
                                                    'study)',
                           'entry_point': ['Telematics Systems',
                                           'Wireless Interfaces '
                                           '(Bluetooth/Wi-Fi)',
                                           'Mobile Apps with Weak '
                                           'Authentication',
                                           'Compromised Third-Party Components',
                                           'Unsecured OTA Update Channels'],
                           'high_value_targets': ['Vehicle Control Systems '
                                                  '(Brakes/Steering)',
                                                  'Sensitive Data '
                                                  '(Location/Behavioral)',
                                                  'Fleet-Wide OTA Update '
                                                  'Mechanisms']},
 'investigation_status': 'Ongoing (Academic Study; No Formal Incident '
                         'Investigation Launched)',
 'lessons_learned': ['Current automotive cybersecurity standards (e.g., ISO '
                     '21434, R155) are fragmented and poorly enforced, '
                     'creating systemic risks.',
                     'Supply chain vulnerabilities in third-party '
                     'components/APIs remain a critical blind spot, lacking '
                     'direct regulatory accountability.',
                     'Public trust in connected cars is undermined by lack of '
                     'transparency in data collection and perceived weak '
                     'security practices.',
                     'Innovation (e.g., OTA updates, software-defined '
                     'features) outpaces regulatory and security maturity, '
                     'increasing attack surfaces.',
                     'Regional disparities in consumer awareness (Western vs. '
                     'Eastern Europe) highlight the need for targeted '
                     'education and standardized disclosures.'],
 'motivation': ['Exploitation of Systemic Weaknesses in Automotive '
                'Cybersecurity',
                'Potential for Large-Scale Attacks via Connected Fleets',
                'Data Theft (Location History/Driving Behavior)',
                'Financial Gain (Ransomware/Black Market Data Sales)',
                'Disruption of Critical Vehicle Functions'],
 'post_incident_analysis': {'corrective_actions': ['Legislative: Enact '
                                                   'stricter penalties for '
                                                   'non-compliance with '
                                                   'R155/R156, including '
                                                   'vehicle recalls for '
                                                   'critical vulnerabilities.',
                                                   'Industry: Mandate '
                                                   'independent security '
                                                   'audits for all connected '
                                                   'vehicles before and after '
                                                   'deployment.',
                                                   'Technical: Implement '
                                                   'hardware-based isolation '
                                                   'for critical systems '
                                                   '(e.g., CAN bus '
                                                   'segmentation).',
                                                   'Supply Chain: Require '
                                                   'cybersecurity '
                                                   'certifications for all '
                                                   'third-party '
                                                   'components/APIs.',
                                                   'Transparency: Standardize '
                                                   'data collection '
                                                   'disclosures with clear '
                                                   'opt-out options for '
                                                   'consumers.'],
                            'root_causes': ['Fragmented and Voluntary '
                                            'Cybersecurity Standards (e.g., '
                                            'ISO 21434 not legally binding).',
                                            'Weak Enforcement of Existing '
                                            'Regulations (R155 treated as '
                                            "'paperwork' rather than "
                                            'actionable requirements).',
                                            'Lack of Supplier Accountability '
                                            'in Automotive Supply Chains.',
                                            'Prioritization of Innovation Over '
                                            'Security (e.g., rapid OTA updates '
                                            'without rigorous testing).',
                                            'Consumer Misunderstanding of '
                                            "'Smart Car' Risks (focus on "
                                            'features over security).']},
 'recommendations': [{'regulatory': ['Strengthen enforcement of UNECE '
                                     'R155/R156 with audits and penalties for '
                                     'non-compliance (e.g., shipping vehicles '
                                     'with known vulnerabilities).',
                                     'Mandate third-party supplier '
                                     'cybersecurity assessments as part of '
                                     'type approval processes.',
                                     'Harmonize pre-release (ISO 21434) and '
                                     'post-release (R155) security standards '
                                     'to close gaps.',
                                     'Expand GDPR scope to explicitly cover '
                                     'vehicle-generated personal data with '
                                     'stricter consent requirements.']},
                     {'industry': ["Automakers should adopt 'security by "
                                   "design' principles, including regular "
                                   'vulnerability scanning of deployed '
                                   'software.',
                                   'Implement transparent data collection '
                                   'disclosures with opt-out mechanisms for '
                                   'consumers.',
                                   'Establish a centralized vulnerability '
                                   'reporting/disclosure program for connected '
                                   'vehicles.',
                                   'Collaborate on cross-manufacturer threat '
                                   'intelligence sharing for supply chain '
                                   'risks.']},
                     {'consumer': ['Educate drivers on cybersecurity risks '
                                   '(e.g., securing mobile apps, recognizing '
                                   'phishing attempts linked to vehicle '
                                   'accounts).',
                                   'Demand clear, accessible information on '
                                   'what data is collected, how it’s used, and '
                                   'who it’s shared with.',
                                   "Advocate for 'security ratings' for "
                                   'connected cars, similar to crash-test '
                                   'safety ratings.']}],
 'references': [{'source': 'Óbuda University & University of Oslo Study on '
                           'Connected Car Cybersecurity'},
                {'source': 'Help Net Security Interview with David Brumley '
                           '(Carnegie Mellon University/Mayhem)'},
                {'source': 'UNECE R155/R156 Regulations on Vehicle '
                           'Cybersecurity',
                 'url': 'https://unece.org/transport/vehicle-regulations'},
                {'source': 'ISO SAE 21434 (Road Vehicles – Cybersecurity '
                           'Engineering)',
                 'url': 'https://www.iso.org/standard/70926.html'}],
 'regulatory_compliance': {'regulations_violated': ['UNECE R155 (Cybersecurity '
                                                    'Management System - Weak '
                                                    'Enforcement)',
                                                    'UN R156 (Software Update '
                                                    'Management - '
                                                    'Non-Compliance in '
                                                    'Practice)',
                                                    'GDPR (Potential '
                                                    'Violations for Data '
                                                    'Transparency/Consent)',
                                                    'Upcoming Cyber Resilience '
                                                    'Act (Anticipated '
                                                    'Non-Compliance)'],
                           'regulatory_notifications': ['Study Highlights Gaps '
                                                        'to EU Regulators',
                                                        'Media Pressure on '
                                                        'Automakers (e.g., '
                                                        'Audi)']},
 'response': {'communication_strategy': ['Academic Publication (Óbuda '
                                         'University/University of Oslo)',
                                         'Media Coverage (e.g., Help Net '
                                         'Security Interview with David '
                                         'Brumley)',
                                         'Consumer Survey Dissemination'],
              'remediation_measures': ['Study Recommendations for Stricter '
                                       'Enforcement of UNECE R155/R156',
                                       'Call for Mandatory Third-Party '
                                       'Supplier Audits',
                                       'Proposal to Harmonize ISO SAE 21434 '
                                       '(Pre-Release) and R155 (Post-Release) '
                                       'Standards',
                                       'Public Awareness Campaigns on Data '
                                       'Collection Transparency']},
 'stakeholder_advisories': ['Automakers urged to address systemic '
                            'vulnerabilities in deployed vehicles (e.g., '
                            'Audi’s use of unmaintained software).',
                            'Regulators advised to close enforcement gaps in '
                            'R155/R156 and align with ISO standards.',
                            'Consumers recommended to demand transparency and '
                            'advocate for stronger protections.'],
 'title': 'Cybersecurity Vulnerabilities in Connected Cars Across Europe',
 'type': ['Cybersecurity Vulnerability Assessment',
          'Supply Chain Risk',
          'Regulatory Non-Compliance',
          'Public Awareness Study'],
 'vulnerability_exploited': ['UNECE R155 Non-Compliance (Insecure Deployed '
                             'Software)',
                             'Unmaintained Software (e.g., FreeImage in Audi '
                             'Vehicles)',
                             'Lack of Third-Party Supplier Accountability',
                             'Weak Enforcement of ISO SAE 21434 (Pre-Release '
                             'Security)',
                             'Gaps in GDPR Data Protection for '
                             'Vehicle-Generated Data']}