Beyond the Dashboard: Unseen Cybersecurity Vulnerabilities Caused by User Behaviour in Connected and Autonomous Vehicles Systems

Abstract

As Connected and Autonomous Vehicles (CAVs) become increasingly integrated into Intelligent transportation systems, cybersecurity is no longer limited to protecting onboard technologies—it must also account for the everyday digital behaviours of the users who manage and interact with these vehicles. This paper introduces the concept of the “behavior-driven cyber-risk layer” in CAVs, a hidden but critical vulnerability surface created not by system flaws, but by routine user actions surrounding the vehicle ecosystem. Although CAVs rely on advanced communication, sensors, and cloud connectivity, small human habits—such as ignoring software update alerts, connecting infotainment systems to insecure personal devices, oversharing trip information, accepting unverified apps, or reusing credentials across applications—can undermine even the most sophisticated vehicle security architectures. This study examines how these seemingly minor behaviors interact with CAVs’ security mechanisms, including Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communications, certificate-based authentication, and onboard digital systems. We show how attackers exploit predictable user routines—such as uploading navigation routes to cloud platforms, pairing phones via Bluetooth, or trusting unsolicited messages that appear to come from vehicle services—to introduce false data, manipulate trust decisions, or gain unauthorized access. Through real-world scenarios, we demonstrate how small mistakes can escalate into larger risks, enabling targeted tracking, spoofed messages, or remote access to vehicle functions. Instead of treating these behaviours as psychological tendencies, this paper frames them as operational cybersecurity weaknesses that directly affect the safety and reliability of CAVs. To illustrate, existing user awareness strategies are evaluated to highlight why they fail in high-convenience environments, where users expect seamless automation and often overlook security steps. Finally, a set of human-centered cybersecurity practices are proposed that are designed specifically for CAVs ecosystems, including simplified interface warnings, context-aware security prompts, secure-by-default connectivity options, and automated verification mechanisms that reduce reliance on user judgment. By revealing the hidden risks embedded in everyday interactions, this work emphasizes that the cybersecurity of CAVs depends not only on the technology itself, but also on how people engage with it.