Cars have changed more in the last decade than in much of their previous history. What used to be a mechanical machine driven by cables, belts and hydraulics is now, in many cases, a rolling network of computers. Modern vehicles contain dozens sometimes hundreds of Electronic Control Units (ECUs) that talk to one another over internal vehicle networks, connect to the internet for navigation and telematics, and expose interfaces for mobile apps, charging stations and third-party services. That connectivity brings huge benefits, but it also creates attack surfaces for motivated adversaries. This article explains how cars can be hacked, looks at real-world examples, and suggests what manufacturers, regulators and drivers can do to reduce risk.
Why cars are attractive targets
There are three reasons cars matter as targets:
- They’re cyber-physical systems. Vulnerabilities in a vehicle can have physical consequences not just privacy loss or data theft, but loss of control, engine shutdown, or other effects that put people at risk. Regulators in the US have long recognised that vehicle cybersecurity links directly to safety.
- They’re increasingly connected. Modern vehicles frequently have cellular modems, Wi-Fi hotspots, Bluetooth, telematics control units (TCUs), apps and integrations with infrastructure such as chargers or fleet platforms. Each connected feature is an entry point for attackers. Patches and firmware updates are not always delivered quickly or uniformly across the installed base, leaving vulnerable cars in the wild.
- They contain valuable data & services. Location history, driving patterns, personal contacts in infotainment systems and access to payment features (for tolls, charging, etc.) are commercially and tactically valuable. For criminals, cars can also be a route to larger enterprise networks (for fleet vehicles) or to ransom and extortion schemes.
The technical fundamentals: CAN bus and ECUs
At the heart of vehicle internals is the Controller Area Network (CAN bus), a message-based protocol that allows ECUs to share information quickly and reliably. Think of the CAN bus as the vehicle’s nervous system: sensors, airbag controllers, engine management, braking and infotainment all exchange short messages over these wires. Historically, CAN was designed for robustness and real-time behaviour rather than security; messages are often unauthenticated and broadcast, meaning any node on the bus can publish commands that other nodes may honour. This design makes lateral movement inside the vehicle relatively straightforward once an attacker has any access to the bus.
Common attack vectors
Here are the main ways researchers and criminals have found into cars:
1. Remote telematics & cellular modems
Cars with always-on connectivity can be accessed remotely if vulnerabilities exist in the telematics stack or upstream service. The famous Jeep Cherokee demonstration in 2015 showed how attackers could reach a vehicle over the internet via its Uconnect telematics system, take over the infotainment unit, and then pivot to critical vehicle functions. That event led to a large recall and became a wake-up call for the industry.
2. Infotainment systems & smartphone pairing
Infotainment units are complex: they run multimedia stacks, Bluetooth and Wi-Fi drivers, and often host third-party apps. Vulnerabilities here can be used to gain local code execution, extract data or bridge to the CAN bus. Researchers keep finding flaws in firmware and IVI (in-vehicle infotainment) modules that allow escalation.
3. Tyre pressure monitoring systems (TPMS), charging stations and peripherals
Peripheral devices that communicate wirelessly with the vehicle TPMS sensors, charging stations and even key-fobs can introduce attack paths. Recent research and security contest disclosures have shown how TPMS and EV charger firmware can be exploited to achieve remote code execution, and then be used to reach internal networks. A number of high-impact vulnerabilities affecting Tesla devices have been publicly documented in recent years.
4. Physical interfaces: OBD-II, USB and diagnostics
A malicious USB plugged into the infotainment system or a physical connection to the OBD-II port can give an attacker direct access. There have been documented cases where mailed USB updates and poorly controlled update processes created further risk. Physical access remains one of the simplest and most reliable ways to compromise a vehicle and it’s a go-to for thieves and hands-on attackers during servicing or in car parks.
5. Keyless entry and wireless key attacks
Relay attacks and signal capture against keyless entry systems still enable opportunistic theft. Attackers amplify, capture or replay weak radio signals to unlock and start vehicles, particularly those whose keyless systems lack robust cryptographic protections.
Case studies: real incidents that changed the industry
The Jeep Cherokee (2015)
Security researchers Charlie Miller and Chris Valasek demonstrated remote control of a Jeep Cherokee by exploiting vulnerabilities in the Uconnect telematics system. During the demonstration, they could manipulate steering, brakes, radio and other functions a dramatic proof that internet-facing features could be used to reach safety-critical systems. Fiat Chrysler issued patches and eventually recalled over a million vehicles to deploy a software update. The incident prompted regulators and manufacturers to take vehicle cybersecurity more seriously.
Tesla TPMS & Pwn2Own disclosures
In recent years security researchers have targeted Tesla systems at competitions such as Pwn2Own and in independent research. Vulnerabilities in tyre pressure monitoring and wall-connector firmware have demonstrated how non-obvious peripherals can be a bridge to greater compromise, up to and including arbitrary code execution on critical components. These public disclosures both help improve security (by forcing fixes) and highlight how EV ecosystems expand the attackers’ playground.
The real risks: safety, privacy and business impact
Safety
Unlike most IT breaches, a successful attack against a car can physically endanger occupants and other road users. If an attacker can disable brakes, cut the engine or disable steering even temporarily the consequences may be catastrophic. This is the core reason regulators treat vehicle cybersecurity as a safety issue.
Privacy
Cars are rich sensors. Location trails, call logs, destination search history and even in-car audio may be collectible by attackers. Such data can be used for stalking, targeted fraud, or sold on illicit markets.
Operational & financial impact
For fleet operators, a cyber incident can cause downtime, regulatory fines and reputational damage. For manufacturers, recalls and emergency patches are expensive; for consumers, there’s the hassle and risk of not receiving patches in a timely way.
What manufacturers should do (and increasingly must do)
The automotive industry has been moving from ad-hoc responses to more formalised security lifecycles. Key measures recommended by regulators and expert bodies include:
- Secure design & segmentation: Critical safety systems should be segmented from non-critical systems (for example, separating infotainment from the CAN bus lines that control brakes and steering). Logical segmentation and gateways that validate messages reduce attack surface.
- Secure update & vulnerability management: Vehicles should support authenticated, tamper-resistant over-the-air (OTA) updates. Manufacturers need responsible disclosure programmes, patch timelines and a process to push critical fixes quickly.
- Threat modelling & third-party vetting: Components and suppliers must be assessed for security posture many vulnerabilities come from outsourced modules and libraries used in IVI stacks or TCUs.
- Logging, monitoring and incident response: Vehicles should include secure diagnostic logging that enables detection of anomalies, ideally federated back to manufacturer or fleet-level security operations for triage.
- Regulatory compliance & transparency: Agencies such as NHTSA publish guidance and expect OEMs to apply best practices. While some guidance is non-binding, regulators are increasingly active and public pressure has driven recalls in the past.
What fleet managers and organisations should do
Fleet managers have a unique exposure because a single compromise can scale across many vehicles:
- Inventory & asset management: Know which telematics providers, firmware versions and connected services are in your vehicles.
- Segmentation & least privilege: Where possible, isolate fleet management portals and administrative access from other corporate networks.
- Patch management & testing: Establish processes for timely updates; test updates in a controlled environment before mass roll-out.
- Incident playbooks & drills: Create playbooks for compromised vehicles (how to safely stop, isolate, inspect) and run exercises with drivers and operations teams.
What drivers and owners can do today
It’s easy to feel helpless as an individual when the vulnerabilities seem technical and systemic. But there are practical steps drivers can take:
- Keep software up to date. Apply dealer or OTA updates promptly. Patching has fixed real, dangerous issues in the past.
- Treat USBs with caution. Don’t insert unknown USB sticks into your car’s ports including those supposedly sent by a manufacturer without verifying authenticity. If a manufacturer provides a USB update, confirm the process on the official website or at a dealership.
- Secure your keys. Use RFID-blocking pouches for keyless fobs if you’re concerned about relay attacks, and park in well-lit, secure areas.
- Limit device pairings. Remove unnecessary paired phones and devices from your infotainment system, and factory-reset the unit before selling or returning a car.
- Review app permissions. Be cautious with third-party apps that request vehicle access, and only install manufacturer-approved applications.
The research community and security contests: a force for good
Security researchers and events like Pwn2Own Automotive play a constructive role by disclosing vulnerabilities responsibly and demonstrating attack chains in a controlled fashion. These competitions surface complex exploit paths (for example, charging station firmware to vehicle CAN bus) that might otherwise remain hidden. The public disclosures often lead to patches, and they help the industry mature its security processes albeit while temporarily highlighting risk.
Where regulation and standards are heading
Regulators have started to treat vehicle cybersecurity the same way they treat other safety critical domains. Guidance documents, non-binding best practices and public consultations are already in place in multiple jurisdictions. Expect:
- Stronger lifecycle requirements for vulnerability disclosure, patching and post-market monitoring.
- Mandatory security management systems for OEMs and suppliers in some regions.
- Certification schemes for certain classes of vehicle and components, especially as ADAS and autonomous features proliferate.
Industry adoption often lags regulatory intent, but as incidents accumulate and public awareness grows, the pressure for enforceable rules increases.
Looking forward: electric vehicles, charging infrastructure and supply chains
Electric vehicles and their ecosystems add new dimensions. Chargers, home wall-connectors and third-party charging networks are part of the attack surface. A vulnerability in a charger firmware or a badly secured charging network can provide a pivot into the vehicle or into the broader grid. Research demonstrating exploit chains from EV peripherals to vehicle code execution shows how these ecosystems must be secured holistically not treated as isolated products.
Supply chain security is another major challenge. Modern cars contain software components and open-source libraries developed by dozens of suppliers. A weakness in one low-level module can propagate to the final product, so manufacturers need strong procurement security practices, SBOMs (software bill of materials) and supplier audits.
Final thoughts: a shared responsibility
As with many areas of cybersecurity, there’s no single silver bullet. Safer vehicles require co-ordinated action across manufacturers, suppliers, regulators and consumers. The good news is that the industry has already changed significantly since high-profile incidents such as the Jeep Cherokee demonstration; manufacturers now invest in security teams, bug bounty programmes are more common, and regulators are active.
But technology keeps evolving. As cars become more autonomous and deeply integrated with smart cities, the stakes will rise further. If we want mobility that’s both convenient and safe, we must design security in from the outset, be transparent about risks and fixes, and support timely patching and responsible disclosure. Drivers should stay informed and practice basic hygiene; fleet operators and manufacturers should adopt mature vulnerability management and incident response; and regulators should continue to push for standards that protect safety and privacy.
Cars are powerful, complex devices. Treating them as computers on wheels with all the protections that implies is the next necessary step to keep people, data and the roads safe.