As electrification in the automotive industry becomes standard and the roll-out of software-defined vehicles (SDVs) gains extra mileage, technology complexity is becoming a key issue for the industry, with compliance complexity, long development cycles and artificial intelligence (AI) hype emerging as key barriers to progress, according to a study of UK automotive software developers.

The Under the hood: The SDV developer report from the QNX division of BlackBerry comes as automakers are having to navigate change, accelerate innovation, and deliver safer and smarter vehicles as SDVs become more complex.

The study comes on the back of the UK government’s £2.5bn Drive35 programme, launched in July 2025 to accelerate zero-emission vehicle production, R&D, and supply chain transformation.

The topline findings of the report reveal that UK automotive software developers are grappling with complex regulatory demands, adapting to AI-driven transformation and seeking new ways to bridge the gap between consumer expectations and delivery timelines. In addition, the research highlighted the strain of long development cycles and integration complexity, while pointing to opportunities for original equipment manufacturers to rethink software strategies.

In particular, the UK’s regulatory landscape was flagged as being increasingly complex for UK automotive software developers. It noted that in 2024, over 500 new regulations and legislative proposals were introduced globally affecting in-car technology, and that it was “unsurprising” that 43% of respondents cited regulatory compliance as the biggest challenge in the software development process.

QNX believes that such complexity has left UK automotive software developers divided on the impact of new laws, with 39% saying regulations have accelerated timelines and an equal 39% reporting delays. Of those regulations, UK respondents ranked cyber security regulations, such as the Cyber Resilience Act, UNECE WP.29 and ISO/SAE 21434 (47%), software update and OTA compliance (44%), and data privacy regulations such as General Data Protection Regulation (37%), as the most challenging for their teams.

Further compounding the impact of regulation on timelines and development processes were recent software recalls, and failures that were creating bottlenecks and forcing change.

The survey found that over half (57%) of UK automotive software developers said their teams’ approaches to software development had changed as a result of recalls, with 40% reporting “major” changes. Those delays are further complicated by development bottlenecks with respondents citing long cycles (41%), debugging and testing (39%), and integration complexity (39%) as significant pain points.

Cyber security was poised to have increasing influence on the UK automotive sector and the roll-out of SDVs. More than two-thirds (68%) of the firms surveyed picked cyber security capability as the most critical skill for automotive software developers in the near term. The date also pointed to high demand for skills in functional safety (50%), AI/ML integration (50%) and real-time systems (47%).

Strengthening these skills will be critical to overcoming the main barriers to SDV success, QNX stressed, with UK respondents pointing to cyber security vulnerabilities (55%), regulatory uncertainty (45%) and consumer trust (38%) as the issues most likely to derail roll-out efforts.

The survey also highlighted a number of overhyped features and unrealistic expectations currently at work in the SDV market. It said that while a “sizeable chunk” of UK respondents believes full vehicle autonomy (49%) and AI-driven personalisation (48%) will shape SDVs by the end of the decade, they also view these features as receiving more attention than is warranted at this stage. UK automotive software developers also observed that such unrealistic expectations (51%) were creating a disconnect between consumers and software delivery timelines.

QNX said the findings suggest that industry priorities may be skewed towards advanced features at the expense of addressing fundamental development challenges. Notably, 82% of UK developers believe a deliberately minimalist, lower-tech vehicle could achieve commercial success – highlighting demand for differentiated offerings that value simplicity. Despite the perception that AI features are currently overhyped, the research also revealed that developers are optimistic about the role of AI in automotive software, with 93% expecting it to play a transformational or significant role in the next three to five years.

“These findings confirm the challenges that UK automakers face, with regulatory pressures, cyber security skills shortages and rising consumer expectations all combining to stall progress,” said Thomas Cardon, QNX director of EMEA automotive sales.

“AI will be part of the solution, but it’s no quick fix,” he said. “The manufacturers leading the way in the UK are the ones using automation to ease bottlenecks, embedding compliance into their processes, and focusing engineering talent on innovation that delivers safer, more secure and more reliable vehicles.”

That suggests anyone could set up similar hardware somewhere else in the world and likely obtain their own collection of sensitive information. After all, the researchers restricted their experiment to only off-the-shelf satellite hardware: a $185 satellite dish, a $140 roof mount with a $195 motor, and a $230 tuner card, totaling less than $800.

“This was not NSA-level resources. This was DirecTV-user-level resources. The barrier to entry for this sort of attack is extremely low,” says Matt Blaze, a computer scientist and cryptographer at Georgetown University and law professor at Georgetown Law. “By the week after next, we will have hundreds or perhaps thousands of people, many of whom won’t tell us what they’re doing, replicating this work and seeing what they can find up there in the sky.”

One of the only barriers to replicating their work, the researchers say, would likely be the hundreds of hours they spent on the roof adjusting their satellite. As for the in-depth, highly technical analysis of obscure data protocols they obtained, that may now be easier to replicate, too: The researchers are releasing their own open-source software tool for interpreting satellite data, also titled “Don’t Look Up,” on Github.

The researchers’ work may, they acknowledge, enable others with less benevolent intentions to pull the same highly sensitive data from space. But they argue it will also push more of the owners of that satellite communications data to encrypt that data, to protect themselves and their customers. “As long as we’re on the side of finding things that are insecure and securing them, we feel very good about it,” says Schulman.

There’s little doubt, they say, that intelligence agencies with vastly superior satellite receiver hardware have been analyzing the same unencrypted data for years. In fact, they point out that the US National Security Agency warned in a 2022 security advisory about the lack of encryption for satellite communications. At the same time, they assume that the NSA—and every other intelligence agency from Russia to China—has set up satellite dishes around the world to exploit that same lack of protection. (The NSA did not respond to WIRED’s request for comment).

“If they aren’t already doing this,” jokes UCSD cryptography professor Nadia Heninger, who co-led the study, “then where are my tax dollars going?”

Heninger compares their study’s revelation—the sheer scale of the unprotected satellite data available for the taking—to some of the revelations of Edward Snowden that showed how the NSA and Britain’s GCHQ were obtaining telecom and internet data on an enormous scale, often by secretly tapping directly into communications infrastructure.

“The threat model that everybody had in mind was that we need to be encrypting everything, because there are governments that are tapping undersea fiber optic cables or coercing telecom companies into letting them have access to the data,” Heninger says. “And now what we’re seeing is, this same kind of data is just being broadcast to a large fraction of the planet.”