The technology that lets a carmaker fix a defect overnight, without a single owner visiting a dealer, is the same technology that lets it reach into a vehicle it no longer owns. Analysts are increasingly focused on the second half of that sentence.

Over-the-air updating delivers software, firmware, fixes and data to internet-connected devices wirelessly. Tesla began deploying such updates to its Model S in 2012, which helped normalize the practice, Jason Van der Schyff, a fellow of cyber, technology and security at the Australian Strategic Policy Institute, told CNBC. It is now embedded across much of the automotive sector.

Why the industry adopted it

The commercial logic is strong and largely uncontroversial.

"The technology is increasingly welcomed as it is a quick and cost-effective way to manage systems on vehicles, over traditional methods which may have required a recall or update at routine maintenance," said Siraj Ahmed Shaikh, professor in systems security at Swansea University.

That is the core of the business case. A physical recall means contacting owners, occupying dealer service bays and paying for labor on every affected car, with completion rates that are never 100 percent. A software recall delivered over the air costs a fraction of that and reaches vehicles that would otherwise never come in. As more of a car's behavior is defined by software, more defects become fixable this way, and manufacturers have built the capability into the shift toward selling features after the sale.

What the Norwegian test found

The concern moved from theoretical to concrete late last year, when the Norwegian bus company Ruter ran tests on two buses.

One showed a specific weakness. "There is access to the control system for battery and power supply via mobile network through a Romanian SIM card. In theory, therefore, this bus can be stopped or rendered inoperable by the manufacturer," the company said.

The distinction being drawn there is important and easy to blur. This was not a criminal intrusion, and no one has reported a bus being disabled. What Ruter identified is a supplier retaining a channel into the vehicle's power and battery control systems after delivery. The risk is structural: a channel that exists for legitimate maintenance is available to whoever ends up controlling it, whether the manufacturer, a government with authority over that manufacturer, or an attacker who compromises it.

Ruter's investigation prompted Britain and Denmark to open their own. The UK Department for Transport said it was examining the issue and working closely with the National Cyber Security Centre.

Why this became a security question rather than a safety one

The buses in question were made by the Chinese manufacturer Yutong, which is what moved the story from engineering into geopolitics.

"Aside from data privacy concerns, the potential of a foreign actor sabotaging the controls of a moving vehicle is a possibility that countries like Norway, Denmark, and Britain have expressed concerns about," said Gabriel Lim, senior analyst at the S. Rajaratnam School of International Studies in Singapore, who described the technology's spread as "a unique national security concern."

In May, the American Enterprise Institute argued that protecting the automotive sector was important to limiting foreign espionage capability, recommending that the US consider additional security reviews, restrict certain foreign-made hardware and software in vehicles, and require fuller disclosure of data collection.

Shaikh cautioned against reading this as a problem with one company or one country, noting that the issue grows as the technology spreads. Other sectors adopting over-the-air updating, he said, include "other transport modes [such as] maritime and rail, aerospace (particularly drones), industrial machinery and robotics."

The commercial exposure

For vehicle manufacturers and their customers, this creates a cost that did not previously exist on the balance sheet.

Fleet buyers, and particularly public transit authorities, are procurement bodies answerable to governments. If the ability to remotely immobilize a vehicle becomes a procurement criterion, it functions as a trade barrier by another name, and one that falls unevenly on manufacturers depending on where they are headquartered. That is a market-access risk for exporters and a supply-cost risk for operators, who may face a narrower field of bidders.

There is a longer-term question for the sector as a whole. The software-defined vehicle model assumes manufacturers keep a durable connection to cars in the field, because that connection is what enables post-sale revenue. Any regulatory move to constrain that connection touches the business model, not just the security architecture.

Lim framed the obligation broadly. "It is crucial for us to be aware of this technology, and to hold entities and governments accountable for how OTA systems are applied, especially how they run quietly in the background of the technologies we use in our everyday lives."