Compliance, Privacy and Post-Quantum Cryptography: Insights from ESCAR 2025
Are our data really safe in modern cars? How will we manage AI? From compliance to quantum cryptography, here are the key lessons and surprising insights I took away from ESCAR 2025.
Last week, I had the chance to attend ESCAR 2025, the world’s leading conference on automotive cybersecurity.
It’s one of those rare events where you meet so many real experts in one place.
Don’t get me wrong, the presentations and lectures were really interesting, but meeting people who have been in the industry for 10+ years and talking to them is really what makes this experience unique.
Compliance, Compliance, Compliance
Compliance means following the laws, regulations, and standards that apply to your organization or industry.
In cybersecurity, it ensures that security practices meet specific legal and industry requirements.
It all started with lectures about compliance, which was great because that’s what I am really interested in.
I know many professionals don’t really like it, because it’s less technical, but you won’t sell any product without being compliant with current regulations, especially in the automotive industry.
The EU AI Act
I especially enjoyed Maike Massierer’s presentation on the EU AI Act, which focused on ensuring the safe and ethical use of AI in safety-critical automotive products.
She illustrated, with concrete examples, why AI systems’ vulnerabilities must be tightly managed as exploiting them can have disastrous consequences, especially in safety-relevant systems.
I won’t dive into all the details here, but my takeaway is this:
The EU AI Act isn’t revolutionary. It makes mandatory what companies should already be doing, ensuring end-to-end security of their systems and, yes, including AI-based systems.
Privacy in Danger
Another crucial topic at the conference was the lack of privacy in modern systems. Since privacy legislation is a key part of the CISSP exam, I already had a solid understanding of various laws and regulations. But Lior Zur Lotan took it to another level.
How much personal data are you willing to trade for the convenience of connected cars?
Let me know in the comments.
His paper, Behind the Dashboard: (Lack of) Automotive Privacy, not only clearly explains the aims and principles of the General Data Protection Regulation (GDPR) and other privacy legislation around the world. It also reveals what data they were able to extract from an actual car.
They literally picked up a car from a junkyard and, using a simple and direct approach, recovered highly sensitive information about the former owner: phone number, contact list, relationships, and nearly a year’s worth of GPS history.
These results shocked me.
Not because I thought it was impossible, but because of how easy it was.
Key takeaway: Just because regulations exist doesn’t mean your privacy is protected.
Post-Quantum Cryptography
Last but certainly not least, one of the most crucial topics at the ESCAR conference was Post-Quantum Cryptography.
I particularly enjoyed the invited talk “Exploring Quantum Key Distribution for Automotive Security: Scenarios, Architectures, and Challenges Ahead” by Prof. Dr. Hans-Joachim Hof.
Professor Hof answered many of my questions, including the most important one: Why should we even care about Post-Quantum Cryptography in the first place?
Isn’t it a little paranoid to spend resources on building systems resilient to something that hasn’t even been invented yet? Moreover, we don’t know when it will become relevant.
Do you think most companies are taking Post-Quantum threats seriously enough?
Share your opinion below.
We just assume that Q-Day will come, sooner or later.
So, what’s the point?
The answer is actually quite simple: once Q-Day arrives, it’s already too late.
Asymmetric cryptographic algorithms such as RSA would be broken.
Just imagine what that would mean: the entire PKI is built on asymmetric cryptography.
The whole internet relies on a chain of trust.
All of that… broken.
And you can’t replace it in a single day.
And if that isn’t enough to worry about, there’s another concept you should know: “Harvest now, decrypt later.”
What prevents malicious actors from collecting encrypted data today and decrypting it once they have the technology to break current algorithms?
The answer is simple: nothing.
That’s why we need to start preparing now.
Conclusion
In my opinion, the overall message of the conference was loud and clear.
Legislation is catching up with rapidly evolving AI-based systems.
Protecting privacy is extremely challenging, and with the functionality of modern cars, it heavily affects the automotive industry too.
We need to get ready for Q-Day.
Overall, I found the conference to be a great experience. I enjoyed the lectures and the opportunity to meet so many industry experts, because you can read and study as much as you want, but there’s something different about talking to real professionals.
Was that vehicle data extracted from an Apple CarPlay / Android Auto vehicle infotainment system?
It always surprises me when people connect their phones to the infotainment system in hire cars. Will they remember to do a delete before handing the hire car back? And even if they do delete their phone from the car, is that data really erased securely?