Intelligent Connected Vehicles (ICVs) are a core component of modern transportation systems, and their security is crucial as it directly relates to user safety. Despite prior research, most existing studies focus only on specific sub-components of ICVs due to their inherent complexity. As a result, there is a lack of systematic understanding of ICV vulnerabilities. Moreover, much of the current literature relies on human subjective analysis, such as surveys and interviews, which tends to be high-level and unvalidated, leaving a significant gap between theoretical findings and real-world attacks. To address this issue, we conducted the first large-scale empirical study on ICV vulnerabilities. We began by analyzing existing ICV security literature and summarizing the prevailing taxonomies in terms of vulnerability locations and types. To evaluate their real-world relevance, we collected a total of 649 exploitable vulnerabilities, including 592 from eight ICV vulnerability discovery competitions, Anonymous Cup, between January 2023 and April 2024, covering 48 different vehicles. The remaining 57 vulnerabilities were submitted daily by researchers. Based on this dataset, we assessed the coverage of existing taxonomies and identified several gaps, discovering one new vulnerability location and 13 new vulnerability types. We further categorized these vulnerabilities into 6 threat types (e.g., privacy data breach) and 4 risk levels (ranging from low to critical) and analyzed participants' skills and the types of ICVs involved in the competitions. This study provides a comprehensive and data-driven analysis of ICV vulnerabilities, offering actionable insights for researchers, industry practitioners, and policymakers. To support future research, we have made our vulnerability dataset publicly available.

翻译：智能网联汽车（ICV）是现代交通系统的核心组成部分，其安全性至关重要，直接关系到用户的人身安全。尽管已有相关研究，但由于ICV固有的复杂性，现有研究大多仅关注其特定子组件。因此，目前对ICV漏洞缺乏系统性的理解。此外，当前许多文献依赖于人类主观分析，例如调查和访谈，这些分析往往较为宏观且未经验证，导致理论发现与现实攻击之间存在显著差距。为解决这一问题，我们开展了首次针对ICV漏洞的大规模实证研究。我们首先分析了现有的ICV安全文献，并从漏洞位置和类型两个维度总结了主流的分类法。为了评估这些分类法在现实世界中的相关性，我们共收集了649个可被利用的漏洞，其中592个来自2023年1月至2024年4月期间举办的八届ICV漏洞发现竞赛（Anonymous Cup），覆盖了48款不同车型。其余57个漏洞由研究人员日常提交。基于此数据集，我们评估了现有分类法的覆盖范围，发现了若干空白，并识别出一个新的漏洞位置和13种新的漏洞类型。我们进一步将这些漏洞归类为6种威胁类型（例如，隐私数据泄露）和4个风险等级（从低到严重），并分析了竞赛参与者的技能以及所涉及ICV的类型。本研究为ICV漏洞提供了全面且数据驱动的分析，为研究人员、行业从业者和政策制定者提供了可操作的见解。为支持未来研究，我们已将漏洞数据集公开。