The modern vehicle is no longer a mechanical appliance; it has transformed into a software-defined cyber-physical system, integrating OTA updates, cloud-connected diagnostics, V2X services, and telematics-driven personalization. While this evolution promises unprecedented value in consumer experience and fleet operations, it also exposes a dramatically expanded and evolving attack perimeter, especially across safety-critical ECUs and communication buses. Cyber vulnerabilities have shifted from isolated IT threats to real-time, embedded exploits. The Controller Area Network (CAN), the backbone of vehicle bus systems, remains intrinsically insecure due to its lack of authentication and encryption, making it highly susceptible to message injection and denial-of-service attacks mounted with low-cost tools. Similarly, OEM implementations of BLE-based passive entry systems have proven vulnerable to replay and spoofing attacks with minimal hardware.
In the Indian context, the transition to connected mobility is advancing rapidly under national mandates such as FAME II, PM e-DRIVE, and the National Electric Mobility Mission Plan (NEMMP). However, field-level assessments of Indian and international vehicle models (including ICE cars, electric two-wheelers, and fleet EVs) reveal critical gaps in the CAN architecture connected to critical ECUs, in cloud APIs and endpoints, and in RF controls. Notably, many of these vulnerabilities materialized after vehicle homologation, propagating through OTA updates or third-party app integrations. This reality underscores the inadequacy of static, pre-market cybersecurity assessments in effectively mitigating operational risk. This paper introduces a novel, scalable methodology that addresses this critical gap by enabling empirical, attack-informed validation, aligned with both Indian priorities and international best practices.