Welcome back, aspiring cyberwarriors!
The automotive industry took its first step into the digital era back in 1967, when Germany introduced the Volkswagen Type 3 equipped with Bosch’s D-Jetronic electronic fuel injection system. At the time, this was a quiet revolution. A single electronic subsystem began assisting what had previously been a purely mechanical machine. Few engineers could have imagined how far this idea would go.
Fast forward to today, and the modern vehicle is no longer just a machine with an engine and wheels. It is a distributed computer system on wheels. Software now controls nearly every function in most cars, ranging from engine behavior and braking logic to infotainment systems, climate control, seat positioning, and even windshield wipers. Driving a car today means interacting with dozens, sometimes hundreds, of microcontrollers silently coordinating in the background. As with every major technological leap, this progress comes with a cost. The more software determines how a machine behaves, the more exposed that machine becomes to information security threats. This problem escalated dramatically with the rise of so-called connected cars. Vehicles are no longer isolated systems. They talk to mobile applications, cloud services, charging infrastructure, navigation platforms, and manufacturer backends.
We have reached a point where hackers can remotely influence or even fully control real vehicles. This is no longer a science-fiction scenario or a dramatic exaggeration invented by Hollywood screenwriters. What used to look like a scene from Fast & Furious has turned into a real and well-documented security problem.
In this article, we examine the main types of automotive cyberattacks and the risks associated with them. We will also look at how different countries are attempting to counter these threats, and what results those efforts are producing in practice.
Millions of Lines of Code and Thousands of Errors
To understand why cars have become such attractive targets, we need to look inside them. A modern vehicle is operated by numerous electronic control units, commonly referred to as ECUs. Each ECU is responsible for a specific subsystem, such as engine control, braking, steering assistance, battery management, or infotainment. A contemporary car can contain up to 150 ECUs. Together, they execute an estimated 100 to 150 million lines of code. This number alone should raise eyebrows.

For comparison, the Boeing 787 Dreamliner relies on roughly 10 to 15 million lines of code. The Lockheed Martin F-35 stealth fighter uses about 25 million. A typical personal computer operating system contains around 40 million lines. Even the Space Shuttle, which carried astronauts into orbit and back, operated on approximately 400,000 lines of code. Meanwhile, automotive firmware continues to grow at a staggering pace. According to industry forecasts, by 2030 the total volume of code in modern vehicles will approach 300 million lines.

From an information security perspective, this is an alarming trend. In the automotive sector, developers typically find around 1,000 errors per million lines of code. Roughly five percent of these errors result in serious security vulnerabilities. That figure is actually considered acceptable by industry standards. When you apply it to a modern vehicle, however, it suggests that thousands of exploitable weaknesses may be buried in the software of a single car. Considering that the average vehicle remains in service for 20 to 25 years, many of these vulnerabilities will eventually be discovered and abused. Often, they emerge long after the vehicle has left active manufacturer support, which is usually when the consequences are most severe.
How does the industry respond when things go wrong? In the United States alone, tens of millions of vehicles are recalled every year. In 2025, European regulators recorded 334 vehicle recalls through the Safety Gate system. These recalls included both traditional mechanical failures and software-related issues that weakened cybersecurity. Importantly, this is only the visible portion of the problem. The situation is further complicated by the fact that physical access is no longer necessary to attack modern vehicles. Almost every new car includes at least one modem used for remote diagnostics, emergency services, mobile applications, or convenience features such as remote engine start. Each of these interfaces represents a potential entry point for attackers.

In some regions, connectivity is not optional. Under the European Union’s eCall system, vehicles must be connected to emergency services. By 2030, analysts estimate that more than 900 million connected vehicles will be operating worldwide. As cars become embedded in larger digital ecosystems, their attack surface expands accordingly.
The Scale Is Unclear
Automotive cybersecurity became a public issue in 2015 after a now-famous hack of a Jeep Cherokee. By exploiting a vulnerability in its infotainment system, security researchers remotely disabled the vehicle while it was being driven. Steering, braking, and acceleration were affected. That single experiment opened what many researchers describe as a Pandora’s box. Vulnerabilities began surfacing in Wi-Fi modules, Bluetooth stacks, NFC implementations, and telematics units across multiple manufacturers. One of the most detailed overviews of these issues was presented by Bosch engineer Martin Schmiedecker, who systematically documented how automotive attack surfaces had grown over time. Since then, numerous successful attacks have been demonstrated, mostly by ethical hackers. However, the real question remains unanswered. How many malicious attacks go unnoticed or unreported?
Social platforms are filled with videos showing vehicles from brands such as Mercedes, Tesla, and Jeep being stolen in under a minute. These are not isolated stunts. They strongly suggest a widespread and ongoing abuse of automotive weaknesses. Yet authorities, manufacturers, and insurers rarely publish reliable statistics. As a result, the true scale of automotive hacking remains hidden. One revealing example emerged in early 2023, when Hyundai and Kia released software updates for more than eight million vehicles in the United States. The updates were a response to a wave of thefts inspired by TikTok videos that demonstrated how certain 2010 to 2021 models could be started without keys.
So what types of attacks threaten automotive systems today? Broadly speaking, they fall into three main categories. Each deserves close examination.

Attacks with Physical Access
Modern vehicles rely on shared communication buses to transmit data between sensors, controllers, and diagnostic systems. Protocols such as CAN allow multiple ECUs to communicate through a common interface. In theory, these architectures are carefully designed. In practice, physical constraints related to wiring, cost, and component placement often lead to compromises. As a result, attackers can sometimes physically access a vehicle and connect directly to internal buses.
One of the earliest public warnings came from Ian Tabor, a cybersecurity researcher and automotive consultant at EDAG. Over several days, criminals targeted his Toyota RAV4. They ultimately stole it by connecting a JBL Bluetooth speaker to the vehicle’s system bus through the headlight wiring. In April 2023, similar thefts in the United States involved the use of a Nokia 3310 phone, a device never intended for hacking, yet capable of interacting with automotive control systems.

A common technique involves drilling a small hole near a wheel to reach the CAN bus. If protections are weak, attackers can reprogram ECUs to unlock doors or start the engine. This method, known as CAN Injection, has been demonstrated on vehicles such as Maserati, Toyota Land Cruiser, and Lexus. Certain components are especially vulnerable. Headlights, LiDAR units, and radar sensors are often connected directly to internal buses. Because many manufacturers use similar wiring layouts, these weaknesses appear across multiple brands.

Architectural flaws further amplify the risk. In some vehicle designs, sensors and safety-critical systems share proximity or communication paths. For example, if a radar sensor shares access with the electronic braking system, compromising the sensor may allow an attacker to reset the braking ECU. In a worst-case scenario, this could cause a sudden stop at speed. Manufacturers rely on Security Access authentication to protect ECUs. The process involves seed-and-key exchanges designed to ensure that only authorized testers or programmers gain access.
Unfortunately, implementation quality varies widely. Weak algorithms, predictable random number generation, undocumented backdoors, and unsecured bootloaders are common problems.
These weaknesses are exactly what criminals exploit when using improvised tools like old phones or consumer electronics.
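To make the Security Access weaknesses listed above concrete, here is an added example (not from the original article or any manufacturer's code) of an ECU-side seed-and-key handler that avoids them: the seed comes from a CSPRNG, the key is an HMAC over the seed rather than a reversible arithmetic transform, each seed is single-use, and repeated failures trigger a lockout. The class name, the 16-byte seed, the per-ECU secret, and the lockout values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

def compute_key(secret: bytes, seed: bytes) -> bytes:
    """Tester and ECU both derive the key as HMAC-SHA256(secret, seed)."""
    return hmac.new(secret, seed, hashlib.sha256).digest()

class SecurityAccess:
    """ECU-side seed-and-key check. Names and limits are assumptions."""
    MAX_ATTEMPTS = 3         # wrong keys tolerated before lockout
    LOCKOUT_SECONDS = 10.0   # no new seeds are issued during this window

    def __init__(self, ecu_secret: bytes, clock=time.monotonic):
        self._secret = ecu_secret  # assumed per-ECU secret, ideally HSM-held
        self._clock = clock
        self._seed = None          # outstanding challenge, single use
        self._failures = 0
        self._locked_until = 0.0

    def request_seed(self) -> bytes:
        if self._clock() < self._locked_until:
            raise PermissionError("security access locked out")
        # CSPRNG output: not a counter, timestamp, or timer-seeded PRNG,
        # so observing earlier seeds does not help predict the next one.
        self._seed = secrets.token_bytes(16)
        return self._seed

    def send_key(self, key: bytes) -> bool:
        if self._seed is None or self._clock() < self._locked_until:
            return False
        expected = compute_key(self._secret, self._seed)
        self._seed = None  # each seed is good for exactly one attempt
        if hmac.compare_digest(expected, key):  # constant-time comparison
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_ATTEMPTS:
            self._locked_until = self._clock() + self.LOCKOUT_SECONDS
            self._failures = 0
        return False
```

On real hardware the failure counter and lockout timer have to survive a reset; if they live only in RAM, a power cycle clears them.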
Telematics Attacks
Telematics systems enable many of the features drivers now take for granted, such as remote door unlocking, vehicle tracking, and climate control. At the same time, they allow attackers to operate from a distance. One of the most widespread techniques is the relay attack against keyless entry systems. This attack requires no advanced hacking skills and can be completed in under a minute using commercially available equipment. Two attackers work together. One stands near the car, while the other approaches the key fob. Signals from the fob are captured, amplified, and relayed back to the vehicle. The car believes the key is nearby and unlocks.
Researchers have demonstrated that even modern ultra-wideband systems, including those used by Tesla, are not immune.
Other wireless interfaces also pose risks. Electric vehicle charging infrastructure relies on the Open Charge Point Protocol, which has been abused in denial-of-service attacks. Additional attack surfaces include cellular connections, Wi-Fi, Bluetooth, RFID systems, and tire pressure monitoring sensors.
Researcher Thomas Sermpinis presented a talk on a real-world scenario involving the hacking of supercars from a well-known manufacturer. These vehicles were equipped with built-in network connectivity features for personalized customer support and a dedicated ECU responsible for cellular and internet connectivity. The telematics units were connected to the head unit via a certain interface (this could have been RS-485, a serial interface, BroadR-Reach, or something else). The image below roughly illustrates the described architecture. Many components are directly connected to the head unit.

Because the ECUs expose numerous publicly accessible services (SSH and others), they should be isolated using hypervisors within the head unit or by some other means. A gateway should also be implemented to filter requests coming from the telematics unit.
In this case, however, several ECUs are directly connected to both the gateway and the head unit. If the head unit is compromised, an attacker gains direct access to the battery management system (BMS), the inverter, and the entire battery pack. This means nothing prevents the hacker from performing an ECU reset of the BMS or a combined reset of all batteries, effectively cutting them off from the vehicle and stopping the car.
The researcher was able to successfully carry out such an attack. As an additional proof of concept, Sermpinis demonstrated an example involving the blind-spot detection sensor. When an ECUReset command was sent, the sensor began flashing due to a full power-off/power-on cycle. This is not as dangerous as resetting the batteries, but it can confuse the driver. The driver may believe there are objects in the blind spot and perform unnecessary maneuvers. Similar issues may also arise with adaptive cruise control when the lane-change assist system is in use.
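The gateway filtering recommended above can be expressed as a default-deny policy over diagnostic requests. This is an added example, not code from the article or from Sermpinis's talk; the segment names, the policy table, and the rule refusing resets while the vehicle is moving are assumptions, and the service IDs are the standard UDS values (ECUReset is 0x11).

```python
from dataclasses import dataclass

# UDS service identifiers from ISO 14229
DIAG_SESSION_CONTROL = 0x10
ECU_RESET = 0x11
READ_DATA_BY_ID = 0x22
SECURITY_ACCESS = 0x27

@dataclass(frozen=True)
class Request:
    source: str        # segment the request arrived from (assumed names)
    target: str        # destination ECU (assumed names)
    payload: bytes     # raw UDS request; first byte is the service ID
    speed_kmh: float   # vehicle speed when the request reached the gateway

# Constructed policy: (source, target) -> services allowed through.
# Any pair or service not listed is dropped (default deny).
POLICY = {
    ("telematics", "head_unit"): {READ_DATA_BY_ID},
    ("head_unit", "bms"): {READ_DATA_BY_ID},
    ("diag_port", "bms"): {DIAG_SESSION_CONTROL, ECU_RESET,
                           READ_DATA_BY_ID, SECURITY_ACCESS},
}
# Services that interrupt an ECU are refused unless the vehicle is stationary.
STATIONARY_ONLY = {DIAG_SESSION_CONTROL, ECU_RESET}

def gateway_decision(req: Request) -> str:
    """Return 'forward' or a 'drop: ...' reason suitable for a security log."""
    if not req.payload:
        return "drop: empty request"
    sid = req.payload[0]
    if sid not in POLICY.get((req.source, req.target), set()):
        return f"drop: 0x{sid:02X} not allowed {req.source}->{req.target}"
    if sid in STATIONARY_ONLY and req.speed_kmh > 0:
        return f"drop: 0x{sid:02X} refused while moving"
    return "forward"

# Constructed sample traffic
SAMPLES = [
    Request("head_unit", "bms", bytes([0x22, 0xF1, 0x90]), 80.0),  # read VIN
    Request("head_unit", "bms", bytes([0x11, 0x01]), 80.0),        # ECUReset
    Request("diag_port", "bms", bytes([0x11, 0x01]), 80.0),        # reset at speed
    Request("diag_port", "bms", bytes([0x11, 0x01]), 0.0),         # workshop reset
    Request("telematics", "bms", bytes([0x22, 0xF1, 0x90]), 0.0),  # no direct path
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.source}->{r.target} {r.payload.hex()}: {gateway_decision(r)}")
```

With this policy a compromised head unit can still read data from the BMS but cannot reset it, and even the diagnostic port cannot reset it at speed.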
Attacks on Applications and Platforms
Modern vehicles are deeply tied to manufacturer platforms. These systems allow companies to enable or disable features, track vehicles, and manage fleets. They also introduce centralized points of failure. In 2022, researcher @_specters_ discovered that Nissan and Infiniti backend systems could be controlled by modifying a single authorization parameter using Burp Suite. Changing accountSource from customer to dealer granted administrative privileges. This allowed remote control over connected vehicles, including door locks and engine state.
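The accountSource flaw described above is a case of the server trusting a role supplied by the client. The following added example is a simplified illustration of that class of bug beside a corrected check; it is not the manufacturer's code, and the session tokens, record layout, VIN placeholders, and alert list are constructed.

```python
# Constructed server-side records: role and vehicle bindings are set at
# enrolment and stored by the backend, never read from the request body.
ACCOUNTS = {
    "sess-alice": {"role": "customer", "vins": {"VIN-CONSTRUCTED-0001"}},
    "sess-dealer": {"role": "dealer", "vins": {"VIN-CONSTRUCTED-0002"}},
}
ALERTS = []  # stand-in for a security event pipeline

def authorize_vulnerable(session: str, body: dict) -> bool:
    """'Before': the role is whatever the client put in accountSource."""
    if session not in ACCOUNTS:
        return False
    if body.get("accountSource") == "dealer":
        return True  # privileged path taken on the client's say-so
    return body.get("vin") in ACCOUNTS[session]["vins"]

def authorize_hardened(session: str, body: dict) -> bool:
    """'After': role and vehicle binding come only from the server record."""
    account = ACCOUNTS.get(session)
    if account is None:
        return False
    claimed = body.get("accountSource")
    if claimed is not None and claimed != account["role"]:
        # A client-supplied role that disagrees with the record is a
        # tampering signal: deny and raise an alert.
        ALERTS.append((session, claimed, account["role"]))
        return False
    # Dealers are also limited to vehicles bound to their account.
    return body.get("vin") in account["vins"]
```

The mismatch alert matters for detection: a customer session that suddenly claims a dealer role is visible in logs even when the request is denied.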

In early 2022, ethical hacker David Colombo compromised dozens of Tesla vehicles worldwide by analyzing the TeslaMate application. Weak API protections allowed him to open doors, activate keyless driving, and control climate settings.

Sam Curry uncovered similar vulnerabilities across platforms used by Kia, Honda, Acura, Hyundai, Genesis, Ferrari, and Spireon. SQL injections, authorization bypasses, and flawed regex implementations allowed full control over fleet management systems affecting millions of vehicles.
How Real Are the Risks?
So far, there is no confirmed public evidence of large-scale criminal attacks using manufacturer infrastructure. However, the absence of evidence does not imply the absence of compromise. History suggests that silent breaches are often discovered years later. Some experts warn about ransomware-style attacks targeting entire fleets. While extorting individual drivers makes little sense, disabling a brand’s vehicles could pressure manufacturers directly. What is already undeniable is the scale of data exposure. Millions of customer records have been leaked due to misconfigured systems. A Mozilla study described modern cars as a “privacy nightmare,” noting that most manufacturers share or sell user data and fail basic security standards.
How the Automotive Industry Is Countering Cybersecurity Threats
The starting point in the fight against such threats was the creation of the Automotive Security Research Group in 2017. By 2021, it had developed the industry standard ISO/SAE 21434 for automotive cybersecurity. At the same time, a special UN working group on the harmonization of vehicle regulations introduced two important regulations:
UN Regulation No. 155 – Cybersecurity.
UN Regulation No. 156 – Software Updates.
These regulations are already in force and require manufacturers to ensure the protection of every new vehicle throughout its entire life cycle. A certification system based on the “zero trust” concept is planned. Under this model, software suppliers, application developers, service providers, and other industry participants will receive certificates granting them access to vehicle systems.

According to some forecasts, thanks to these measures the global automotive cybersecurity market will grow to $22.2 billion by 2032. The annual growth rate of this critical sector is expected to be around 22%.
Expectations vs. Reality
Forecasts are one thing, but how ready is the automotive industry in reality to invest in cybersecurity? According to surveys, many manufacturers are aware of these problems, yet still fail to find effective ways to address them. The surveys showed that 63.5% of executive respondents are only weakly involved in the implementation of new standards such as UNECE WP.29 R155/156 and ISO 21434.
Top executives in the automotive industry do not perceive sufficient return on their investments in cyber intelligence. In addition, they struggle to set priorities due to confusion in the terminology used to describe threats. At the same time, 34% of respondents identified the integration of infotainment systems and connectivity technologies from software suppliers as the main risk to the supply chain.
One can only hope that the aforementioned UN regulations will help automakers establish effective cybersecurity processes, as this is precisely the goal of both frameworks. However, they are formulated in broad terms and leave room for interpretation. The requirements of R155 apply only to new vehicle models released after July 1, 2022. Tens of millions of older vehicles fall outside the scope of the standard. Manufacturers are not obliged to ensure their cybersecurity and, with high probability, will phase out support and stop issuing updates after a few years, much as happens with smartphones. As a result, vehicle hacking is likely to remain commonplace.
How to Improve Automotive Information Security
This deserves a detailed analysis and a separate article, but to conclude this piece it is worth outlining at least the core, most essential measures.
1. Segmentation and isolation. Automakers must design segmented and isolated in-vehicle networks to prevent unauthorized access to safety-critical systems.
2. Use of hardware security modules (HSMs). These are integrated into vehicles to handle cryptographic operations, secure key storage, and authentication. Such modules help ensure the integrity and confidentiality of data circulating inside the vehicle and transmitted to external systems.
3. Regular over-the-air (OTA) security updates. Similar to those released for smartphone operating systems.
4. Encryption. This is crucial for protecting data transmitted between vehicles, servers, and external devices.
5. Limiting data collection and anonymizing sensitive information. Manufacturers must strike a balance between gathering the data necessary for automotive innovation and avoiding the exploitation of users as mere data sources.
6. Implementing advanced infrastructure protection practices. Securing modern vehicles goes beyond protecting the information security of individual cars. It is a comprehensive challenge that extends to all corporate assets.
Summary
Car hacking sits at the cutting edge of the cybersecurity field. For those who want to move beyond theory and understand these systems hands-on, our three-day course focuses on real automotive attack techniques, including CAN protocol exploitation and the use of Software Defined Radio (SDR), explaining how modern vehicles are actually compromised and defended.
Source: HackersArise
Source Link: https://hackers-arise.com/automobile-hacking-main-types-of-cyberattacks-and-risks/