2026-06-18 — views
AV Cybersecurity — Remote Attack Vectors and How Tesla and Waymo Defend Their Fleets
AV cybersecurity: attack surface, research-documented threat categories, Tesla vs Waymo defense postures, and why a major incident could halt the AV ramp.
Article 45 in the Physical AI Benchmark Series — The Cybersecurity Dimension
Every previous article in this series has examined the AV ramp through operational, regulatory, or market-access lenses. This article addresses a risk dimension that gets far less coverage: cybersecurity. A major cyber incident affecting a commercial AV fleet would not merely damage the company involved — it could halt the entire industry’s regulatory approval trajectory by destroying the public and legislative trust that currently allows driverless deployments to expand.
Autonomous vehicles are not cars with better software. They are internet-connected, AI-driven robotic platforms that operate in public spaces continuously, without a human driver to notice anomalies or intervene. That combination creates an attack surface that has no precedent in traditional automotive security. This article maps the threat landscape, describes research-documented attack categories at a conceptual level, compares Tesla and Waymo defense postures, and explains why the ramp implications of a successful attack are industry-wide — not company-specific.
Section 1 — Why AVs Are Uniquely Exposed
Traditional vehicle cybersecurity research focused on the CAN bus and OBD-II port — interfaces that require physical access to exploit. The 2015 Miller and Valasek demonstration on a Jeep Cherokee, which achieved remote steering and brake control via the cellular network, was a watershed moment precisely because it showed physical access was not required. Autonomous vehicles amplify that exposure by orders of magnitude.
| Attack surface | Description | Unique to AV? |
|---|---|---|
| Sensor spoofing | Feeding false data to LiDAR, radar, or cameras — for example, adversarial patches that cause stop signs to be misclassified by vision models | Partially — AVs rely on sensors for all decisions; human drivers can override |
| GPS/GNSS spoofing | Broadcasting false GPS signals to cause map localization errors and route manipulation | Partially — humans notice when navigation is wrong; AVs may not |
| OTA update hijack | Intercepting or replacing software updates delivered over the air with malicious code | Yes — AVs receive frequent OTA updates; a fleet-wide compromise here is catastrophic |
| Remote command injection | Exploiting APIs used for remote monitoring, diagnostics, or fleet management to inject unauthorized commands | Yes — AV fleet management infrastructure has no analog in traditional vehicles |
| V2X attacks | Exploiting vehicle-to-everything communications (traffic signals, road sensors) to inject false environmental data | Yes — emerging attack surface as V2X infrastructure deploys at scale |
| AI model poisoning | Corrupting training data or fine-tuning pipelines to alter deployed model behavior | Yes — specific to AI-driven vehicles; no analog in traditional automotive |
| Physical sensor tampering | Laser dazzling of cameras or LiDAR, radar jamming, reflective materials on road surfaces | Partially — far more impactful without a human driver to compensate |
| Supply chain compromise | Malicious code inserted into third-party components — maps, ML frameworks, sensor firmware | Partial — automotive supply chain attacks predate AVs but scale differently here |
The critical structural difference is the human-in-the-loop. Traditional vehicles have a driver who notices when the car behaves unexpectedly, who can feel the road and hear unusual sounds, who has legal and practical control at all times. An AV operating without a safety driver has no such backstop. An attack that degrades sensor perception or corrupts navigation data may go undetected until a physical consequence occurs.
Section 2 — Research-Documented Attack Categories
Security researchers have published proof-of-concept demonstrations of several attack categories against AV-relevant systems. The following describes these at a conceptual level only — no exploitation details, tooling, or reproduction steps are included or appropriate here. All citations refer to peer-reviewed or conference-published academic work.
| Attack category | Published research | Impact demonstrated |
|---|---|---|
| Adversarial patches on stop signs | Eykholt et al. (2018), U. Michigan; Morgulis et al. (2019) | Stop sign consistently classified as speed limit sign by state-of-the-art vision models under controlled conditions |
| LiDAR spoofing | Cao et al. (2019), U. Michigan and U. Toronto | False object injection and removal from LiDAR point cloud, causing AV perception stack to see obstacles that do not exist or miss obstacles that do |
| GPS spoofing affecting AV routing | Multiple research publications 2017–2022 | AV navigation system routed toward attacker-specified destination rather than intended destination |
| OTA firmware attacks | Miller and Valasek (2015), Jeep Cherokee — pre-AV but vector demonstration | Remote control of vehicle steering and braking via cellular connection; demonstrated the OTA attack surface before AV-scale deployments |
| Adversarial inputs to object detection | Carlini and Wagner (2017); Szegedy et al. (2014) | Perturbations invisible to human observers cause deep learning classifiers to misclassify with high confidence |
Two important caveats apply to this research landscape. First, these are controlled academic demonstrations, not descriptions of attacks that have been carried out against commercial AV fleets. Real-world attacks on commercial autonomous vehicle deployments have not been publicly confirmed as of mid-2026 (est.). Second, AV operators are aware of this research and have built defenses against the specific techniques published — which is why public research disclosure is generally considered beneficial. Attackers who are unaware of defenses are rarely the ones reading academic security papers.
Section 3 — Tesla vs Waymo Security Architecture
The two leading AV deployment platforms have meaningfully different security postures — differences that track their underlying architectural choices as much as their security team priorities.
| Dimension | Tesla | Waymo |
|---|---|---|
| OTA update security | Signed firmware updates; Tesla operates an extensive public bug bounty program via Bugcrowd; updates delivered via cellular and Wi-Fi connections to consumer fleet | Waymo does not operate consumer-scale OTA at Tesla’s update frequency; updates are fleet-operator managed with more controlled deployment (est.) |
| Network segmentation | Multiple ECU domains in Tesla vehicles; security controls aim to isolate safety-critical systems from infotainment and connectivity layers | Purpose-built vehicle platforms with no infotainment layer; tighter physical network segmentation with fewer non-safety interfaces (est.) |
| Remote monitoring exposure | Tesla app provides real-time vehicle status and limited remote commands; account compromise is a potential path to vehicle access | Waymo has fleet management infrastructure but no consumer app with vehicle command access; attack surface is narrower by design (est.) |
| Sensor redundancy as defense | Camera-only primary perception — if camera systems are compromised or spoofed, no redundant modality provides independent cross-check | LiDAR + camera + radar multi-modal stack — simultaneous spoofing of all three modalities is substantially harder than spoofing any single one |
| AI model security | End-to-end neural network architecture; adversarial robustness is an active research area; model updates delivered via OTA | Modular architecture — each perception and planning layer is independently monitored; anomaly detection can be applied per layer (est.) |
| Bug bounty program | Public Tesla bug bounty via Bugcrowd; Tesla vehicles have participated in Pwn2Own automotive competitions | Waymo security research program exists but is less public-facing than Tesla’s consumer-oriented program |
| Supply chain | Tesla vertical integration of key components — Dojo training compute, FSD chip, battery — reduces third-party software components in safety-critical paths | Some third-party platform dependency (Zeekr vehicle base for Gen 6); adds supply chain verification requirements (est.) |
| Regulatory compliance | UN R155 Cybersecurity Management System required for EU market; Tesla compliance status ongoing (est.) | UN R155 compliance for EU fleet operations (est.); US compliance governed by NHTSA voluntary best practices framework |
The sensor redundancy point deserves elaboration. Tesla’s camera-only philosophy is a deliberate engineering choice with genuine cost and scalability advantages — removing LiDAR reduces vehicle cost and complexity significantly. But from a security standpoint, a single-modality sensor stack means a successful spoofing attack on that modality has no cross-check. Waymo’s multi-modal stack raises the attack cost: an adversary would need to simultaneously fool LiDAR, radar, and cameras — three different physical principles operating on different wavelengths — to inject a false perception state that the fusion layer accepts. That is a substantially harder problem.
Section 4 — The Ramp Risk: What a Major Incident Would Mean
The AV industry’s regulatory approval process rests on a foundation of accumulated safety miles and demonstrated reliability. Driverless permits in San Francisco, Phoenix, Austin, and other cities were granted because operators accumulated hundreds of millions of miles and demonstrated disengagement and incident rates below human baselines in those environments. A high-profile cybersecurity incident would attack that foundation directly — not the technology, but the trust that allows the technology to operate.
The likely sequence following a confirmed cyber-caused safety incident:
-
Immediate operational halt. The affected company would almost certainly voluntarily ground its fleet within hours pending investigation. Depending on severity, regulators might mandate suspension rather than wait for voluntary action. Investigation timelines for complex cyberattacks run weeks to months.
-
Regulatory freeze on new permits. NHTSA, California DMV, and other state regulators overseeing active AV deployments would likely pause the issuance of new driverless operating permits pending industry-wide security review. Expansion plans — new cities, expanded geofences, additional vehicle deployments — would stop.
-
Legislative response. Congress has periodically proposed mandatory AV cybersecurity standards; none has passed as of mid-2026 (est.). A confirmed incident would provide the legislative momentum those proposals currently lack. Mandatory standards, if enacted hastily, often have poorly designed compliance requirements that delay deployment without commensurate safety benefit.
-
Category-level trust damage. This is the most significant ramp risk. A major incident at one AV operator would not merely damage that company — it would damage public perception of the entire category. The rideshare and AV market is not differentiated by brand in most riders’ minds: “a self-driving car hurt someone” is the headline, not “a specific company’s autonomous vehicle with a specific software configuration experienced a specific exploit.” Category-level trust damage takes years to repair.
Historical analog: the Boeing 737 MAX software safety failures in 2018–2019 grounded an entire aircraft model for 20 months, triggered global aviation regulatory reviews of software certification processes, and required a fundamental redesign of how aviation safety regulators evaluate software-intensive aircraft systems. The AV industry does not yet have the equivalent of aviation’s mature software certification framework — which means a comparable incident would likely produce more severe and longer-lasting regulatory fallout, not less.
Section 5 — Regulatory Cyber Requirements
The regulatory landscape for AV cybersecurity reflects a significant gap between the EU and the United States.
| Regulation | Jurisdiction | Requirement | Status |
|---|---|---|---|
| UN R155 (CSMS) | EU and adopting countries | Cybersecurity Management System required for vehicle type-approval; covers OTA security, supply chain risk management, incident detection and response | In force since 2022; mandatory for new model types from July 2024 |
| UN R156 (SUMS) | EU and adopting countries | Software Update Management System; governs OTA update security and validation processes | In force; paired with R155 as a unified framework |
| NHTSA Cybersecurity Best Practices | United States | Voluntary guidance covering vehicle architecture, supply chain, incident response, and information sharing | 2022 update; no federal mandate; compliance is at manufacturer discretion |
| SAE J3061 | Industry standard (global) | Cybersecurity Guidebook for Cyber-Physical Vehicle Systems; defines a risk-based development process | Widely referenced by manufacturers and researchers; not a regulatory requirement |
The US regulatory gap is the central policy issue. Unlike the EU, the United States has no mandatory automotive cybersecurity standard. AV operators self-certify their security posture and voluntarily follow NHTSA best practices. The AV START Act and SELF DRIVE Act — both of which included cybersecurity provisions — failed to pass Congress as of mid-2026 (est.). This creates a situation where the EU is setting the effective global standard through market access requirements: any AV operator that intends to expand to European markets must comply with R155/R156, which means the EU requirement is in practice a global floor for serious operators even without a US mandate.
The policy argument for mandatory US standards is straightforward: voluntary compliance is adequate when the cost of non-compliance falls entirely on the non-complying entity. In cybersecurity, the cost falls on the victim — the passenger, the pedestrian, or in the case of a fleet-wide exploit, the entire industry’s regulatory standing. That externality is the standard economic justification for mandatory regulation over voluntary guidance.
The AV cybersecurity story has not had its defining incident yet. That is precisely when the industry has the most leverage to build defenses — before a regulator or a headline forces the issue. The difference between Tesla’s camera-only architecture and Waymo’s multi-modal stack is not merely a perception quality argument: it is also a defense-in-depth argument about how many attack surfaces must be simultaneously compromised to corrupt the vehicle’s environmental model. Both companies face the more fundamental challenge: as these fleets scale from thousands to hundreds of thousands of vehicles, every internet-connected endpoint is a potential entry point, and the value of a successful fleet-wide exploit scales with the deployment footprint. Security investment must scale faster than the fleet.
Sources: UN Regulation 155 (CSMS) — UNECE (unece.org); NHTSA Cybersecurity Best Practices for Modern Vehicles (nhtsa.gov); Eykholt et al., “Robust Physical-World Attacks on Deep Learning Visual Classification,” arXiv:1707.08945 (2018); Tesla Bug Bounty Program — Bugcrowd (bugcrowd.com/tesla). All figures marked (est.) are estimates based on public disclosures, regulatory filings, and published research; they have not been independently verified and may differ from primary source data.
Sources
- UN Regulation 155 (Cybersecurity) — UNECE ↗
- NHTSA Cybersecurity Best Practices for Modern Vehicles — NHTSA ↗
- Adversarial examples in physical world — Eykholt et al. (2018) — arXiv ↗
- Tesla Bug Bounty Program — Bugcrowd ↗