Transportation is no longer just about getting from point A to B. The 21st century is ushering in a new paradigm of smart mobility—an interconnected, data-driven ecosystem involving electric vehicles (EVs), autonomous driving, mobility-as-a-service (MaaS), connected infrastructure, and urban air mobility (UAM). This shift promises improved efficiency, sustainability, and user experience—but it also introduces a staggering array of cybersecurity and privacy risks.

At the heart of this transformation lies cryptography. Whether securing over-the-air software updates, authenticating vehicle-to-vehicle (V2V) communications, or protecting the privacy of location data, cryptographic protocols are essential to keeping smart transport systems secure, trusted, and resilient.

In this 73rd article of the Quantum Leap series, we examine how cryptography is fortifying the future of mobility, explore the vulnerabilities facing connected vehicles, and assess the looming threat of quantum computing to transport security.

Section I: The Rise of Smart Mobility

1. Definitions and Components

Smart mobility encompasses a range of technologies and paradigms:

Connected Vehicles (CVs): Cars that communicate with each other, infrastructure, and the cloud.
Autonomous Vehicles (AVs): Self-driving cars relying on sensors and AI to navigate.
Mobility-as-a-Service (MaaS): On-demand, multimodal transport platforms integrating public, private, and shared services.
Electric Vehicles (EVs): Vehicles powered by batteries, often networked for charging and diagnostics.
Urban Air Mobility (UAM): Drones and aerial taxis offering new forms of urban transit.

These systems rely on real-time data exchange, artificial intelligence, and remote control. Without robust cryptographic protections, man-in-the-middle attacks, malware injection, and data breaches could become catastrophic—not just for privacy but for physical safety.

2. Trends Driving Adoption

Urbanisation and traffic congestion
Climate change and the need for decarbonisation
Advances in AI and sensor technologies
Consumer demand for convenience and personalisation
Policy and regulatory support for smart infrastructure

New Zealand is actively exploring smart mobility through initiatives like Mobility as a Service (MaaS) pilots in Auckland, EV infrastructure expansion, and autonomous transport trials.

Section II: Cryptographic Challenges in Smart Mobility

1. The Attack Surface Expands

Each new sensor, interface, or connectivity layer adds potential vulnerabilities:

CAN bus intrusions can allow attackers to control brakes or steering.
GPS spoofing can mislead navigation systems.
Firmware manipulation can introduce persistent malware.
Vehicle-to-everything (V2X) systems can be impersonated or jammed.

Cryptography addresses these risks through:

Authentication (verifying the identity of systems and devices)
Encryption (ensuring data confidentiality)
Integrity (detecting tampering)
Non-repudiation (verifying actions and transactions)

2. Real-Time Constraints

Smart mobility systems are latency-sensitive. Cryptographic protocols must be lightweight and fast, especially in autonomous driving scenarios where milliseconds matter. This rules out bulky key exchanges or heavy signature schemes for some applications.

Section III: Vehicle-to-Everything (V2X) Security

1. What is V2X?

V2X refers to the communication between a vehicle and:

Vehicle-to-Vehicle (V2V)
Vehicle-to-Infrastructure (V2I)
Vehicle-to-Network (V2N)
Vehicle-to-Pedestrian (V2P)

Use cases include collision avoidance, traffic light synchronisation, hazard alerts, and emergency vehicle prioritisation.

2. Cryptographic Protocols for V2X

To secure V2X, vehicles must:

Digitally sign each message (e.g. with ECDSA or EdDSA)
Verify signatures of incoming messages in real time
Use pseudonyms to preserve driver anonymity
Periodically rotate keys to avoid tracking

The IEEE 1609.2 standard defines a security framework for V2X, including:

Public Key Infrastructure (PKI) for certificate issuance
Short-Term Certificates (STCs) for pseudonymity
Message Authentication Codes (MACs) for quick validation

These cryptographic layers ensure that a vehicle accepting instructions or alerts can trust the source.

Section IV: Over-the-Air Updates and Firmware Integrity

1. The Importance of OTA Security

Modern vehicles receive regular over-the-air (OTA) updates, just like smartphones. These updates can affect:

Navigation systems
Autopilot features
Battery management
Entertainment systems

Without cryptographic safeguards, attackers could inject malicious code, disabling safety features or enabling surveillance.

2. Securing the Update Pipeline

A secure OTA process includes:

Digital signatures to authenticate the update package (e.g. RSA, Ed25519)
Hashes to verify file integrity (e.g. SHA-256)
Secure boot to prevent unauthorised firmware from loading
TLS encryption during update transmission

Companies like Tesla and BYD implement cryptographically enforced OTA updates. A 2020 hack of a Jeep Cherokee via insecure OTA protocols highlights the stakes.

Section V: Identity and Access Management in Smart Vehicles

1. Driver and Passenger Identity

As vehicles become shared and autonomous, managing who can access what becomes crucial. Cryptographic solutions include:

Biometric authentication for drivers
DIDs and Verifiable Credentials to manage access (e.g. rental, fleet usage)
Encrypted profiles for preferences, playlists, and settings

For example, a MaaS platform could issue a verifiable credential proving that a user is over 21, allowing them to unlock an e-scooter with their digital wallet—without ever revealing their birthdate.

2. Secure In-Vehicle Networks

Vehicles host multiple interconnected systems: infotainment, powertrain, climate control, navigation. Cryptographic compartmentalisation ensures:

A compromised entertainment system doesn’t jeopardise braking systems.
Messages on the CAN bus are signed and verified.
Diagnostic tools are authenticated before access is granted.

Section VI: EV Charging Infrastructure

1. The Cryptography Behind Charging

Electric vehicles interact with public charging stations, exchanging data about:

Identity of the vehicle
Authorisation for charging
Payment methods
Load balancing and grid coordination

This interaction requires:

Mutual TLS for session encryption
Certificate-based authentication
Blockchain-based billing systems (in some pilots)

The ISO 15118 standard outlines secure charging communication, including Plug & Charge protocols where the car and charger authenticate without driver input.

2. Security Risks and Responses

Potential threats include:

Rogue charging stations stealing credentials
Fake EVs attempting free charging
Billing fraud

Cryptographic safeguards such as digital certificates, signed billing records, and real-time authentication are critical to mitigating these risks.

Section VII: Post-Quantum Cryptography and the Mobility Sector

1. Quantum Threats to Transport Security

As with other industries, smart mobility depends on asymmetric cryptography vulnerable to quantum attacks:

Vehicle keys could be cloned
OTA updates spoofed
V2X messages forged
Charging systems impersonated

Quantum computers could exploit RSA, ECC, and even some lattice-based schemes if not implemented securely.

2. Transitioning to Quantum-Resistant Systems

Key post-quantum algorithms relevant for mobility include:

CRYSTALS-Kyber (key exchange)
CRYSTALS-Dilithium (digital signatures)
FALCON (lightweight signatures for constrained environments)
SPHINCS+ (hash-based, but larger)

The NIST post-quantum cryptography standardisation process, now in its final stages, will provide guidance on algorithms suitable for vehicle ECUs, sensors, and mobile platforms.

Manufacturers will need to consider:

Firmware size limits
Computation constraints
Battery impact
Hybrid cryptography for gradual migration

Section VIII: Urban Mobility and Cryptographic Privacy

1. MaaS, Drones, and Smart Cities

Urban mobility platforms collect massive amounts of data:

Location traces
Payment history
Social patterns
Transport choices

Cryptographic tools can prevent mass surveillance and profiling:

Homomorphic encryption for data analytics
Zero-Knowledge Proofs for ride eligibility (e.g. low-income fare programmes)
Mix networks to anonymise route planning

2. Ethics, Governance, and Data Sovereignty

As mobility becomes more centralised via apps and platforms, governance frameworks must ensure:

User consent
Transparency in data usage
Right to be forgotten
Local data control

New Zealand’s Data Futures Partnership and Privacy Act 2020 offer a promising foundation. Still, cryptographic enforcement of policy—rather than policy alone—will be key.

Conclusion: The Road Ahead

As the world accelerates toward autonomous, connected, and electrified transport, cryptography will be the silent engine driving trust, safety, and privacy. From securing real-time vehicle communication to protecting user identities in a MaaS-dominated landscape, the future of mobility is a future secured by code.

The quantum threat looms large, but so does opportunity. By integrating post-quantum cryptography, privacy-preserving architectures, and user-centric identity tools, we can build transport systems that are not only intelligent—but also ethical and resilient.

In our next article, we will explore the intersection of cryptography and augmented reality (AR), examining how secure spatial computing and immersive authentication are shaping the future of work, play, and interaction.