[Paper] Towards Understanding and Characterizing Vulnerabilities in Intelligent Connected Vehicles through Real-World Exploits

Published: January 2, 2026 at 04:56 AM EST
Source: arXiv - 2601.00627v1

Overview

The paper presents the first large‑scale, data‑driven study of security flaws in Intelligent Connected Vehicles (ICVs). By harvesting 649 real‑world, exploitable vulnerabilities—from eight competitive “ICV hacking” events and daily researcher submissions—the authors expose gaps in existing vulnerability taxonomies and lay out a more complete picture of where and how ICVs can be attacked.

Key Contributions

  • Comprehensive dataset: 649 verified ICV vulnerabilities covering 48 vehicle models, publicly released for the research community.
  • Taxonomy evaluation & extension: Systematic assessment of prior vulnerability classifications, revealing one previously undocumented location and 13 new type categories.
  • Threat & risk categorization: Mapping of all exploits into 6 threat families (e.g., privacy breach, remote code execution) and 4 risk levels (low → critical).
  • Empirical insights from competitions: Analysis of participant skill sets, attack vectors, and vehicle platforms used in eight ICV security contests (Anonymous Cup, Jan 2023–Apr 2024).
  • Actionable guidelines: Recommendations for researchers, OEMs, and policymakers on prioritizing security testing and hardening ICV components.

Methodology

  1. Literature synthesis – The authors first surveyed existing ICV security papers and extracted the prevailing taxonomies (where vulnerabilities appear and what type they are).
  2. Data collection – They gathered exploits from two sources:
    • Competition data: 592 vulnerabilities submitted during eight ICV hacking contests.
    • Researcher submissions: 57 additional exploits contributed on a daily basis.
  3. Classification & mapping – Each exploit was manually labeled according to the legacy taxonomy, then re‑examined to spot mismatches. New locations/types were defined where the old schema failed to capture the exploit.
  4. Threat & risk scoring – Using a CVSS‑inspired rubric, the team assigned each vulnerability to a threat family and a risk tier.
  5. Statistical analysis – They examined distributions across vehicle models, attack complexity, and participant expertise to surface practical patterns.

Results & Findings

  • Coverage gaps: The legacy taxonomy missed 1 location (e.g., “Vehicle‑to‑Infrastructure middleware”) and 13 vulnerability types (including “sensor‑fusion spoofing” and “over‑the‑air firmware downgrade”).
  • Threat landscape: Privacy data breaches (≈ 28 %) and remote control attacks (≈ 22 %) dominate, but critical safety‑impacting exploits (e.g., brake‑system hijack) also appear, accounting for ~ 12 % of the dataset.
  • Risk distribution: 41 % of exploits are rated high or critical, underscoring that many ICV flaws are not just theoretical.
  • Skill correlation: Participants with prior automotive or embedded‑systems experience submitted 73 % of the high‑risk exploits, suggesting a steep learning curve for low‑skill attackers.
  • Vehicle diversity: While most exploits target popular brands, niche and emerging EV models are disproportionately represented in the “new location” category, hinting at uneven security maturity across the market.

Practical Implications

  • For OEMs: The expanded taxonomy should be adopted in internal threat modeling and secure‑by‑design processes, ensuring that newly identified locations/types are covered in testing pipelines.
  • For developers: Incorporating the dataset into fuzzing suites and static analysis tools can surface edge‑case bugs (e.g., sensor‑fusion spoofing) that typical unit tests miss.
  • For security teams: The threat‑risk matrix offers a quick triage guide—focus first on high‑risk, high‑impact categories like remote actuation and OTA firmware pathways.
  • For regulators & policymakers: The public dataset provides evidence for updating safety standards (e.g., ISO/SAE 21434) to mandate coverage of the newly discovered vulnerability classes.
  • For the research community: Open access to 649 real exploits accelerates reproducibility, enables benchmarking of automated vulnerability discovery tools, and encourages collaborative “bug bounty” programs for ICVs.

Limitations & Future Work

  • Scope of data sources: The dataset is heavily weighted toward competition submissions, which may bias toward exploits that are “fun” to demonstrate rather than those most likely to be weaponized in the wild.
  • Temporal relevance: As vehicle software update cycles accelerate, some vulnerabilities could become obsolete; continuous data collection is needed to keep the taxonomy current.
  • Depth of impact analysis: While risk levels are assigned, detailed safety impact assessments (e.g., crash‑simulation outcomes) were outside the study’s scope.
  • Future directions: The authors plan to expand the dataset with post‑deployment incident reports, integrate automated classification pipelines, and explore cross‑domain threat propagation (e.g., how a V2X exploit can cascade into cloud services).

Authors

  • Yuelin Wang
  • Yuqiao Ning
  • Yanbang Sun
  • Xiaofei Xie
  • Zhihua Xie
  • Yang Chen
  • Zhen Guo
  • Shihao Xue
  • Junjie Wang
  • Sen Chen

Paper Information

  • arXiv ID: 2601.00627v1
  • Categories: cs.CR, cs.SE
  • Published: January 2, 2026