by stefanoco 1265 days ago
Although all vulnerabilities affect cloud services and/or mobile apps (SaaS and similar areas), it looks like this eventually leads to closely interacting with the single vehicles. Which raises questions about the recent Cybersecurity UNECE Regulations R155 and R156 that any new vehicle manufacturer must take into account when submitting a new model for approval in Europe and other areas. Those regulations explicitly cover the vehicle itself and not connected cloud services. Should an urgent revision extend coverage?
2 comments

From R155 4.3.1 "threats regarding back-end servers related to vehicles in the field" covers it? Of course the whole standard is still pretty focused on the on-vehicle side of things, but it certainly touches on it.

Surprised to see these even mentioned on HN. I've read R155 as part of my job and am responsible for implementing it.

nah, automotive hackers hang around here too ;)
The consensus among manufacturers (and auditors) is that R155 does cover the security of vehicle backend services with its wording and intent. There are of course still active discussions about what exactly constitutes a backend service, e.g. whether a production planning system that provides data to a direct vehicle backend service should also be considered relevant under R155. But in general, this is something that manufacturers in Europe are aware of and are working towards.
We've just seen the great results of these efforts.