Connected vehicles offer convenience and new features, but they also introduce cybersecurity risks. Over the past decade, hackers have proven that cars can be compromised remotely – sometimes with dangerous results. Below, we explore real-world car hacking incidents, discuss how owners can protect their vehicles, and examine future trends in automotive cybersecurity.
Real-World Car Hacking Incidents
In 2015, researchers famously hacked a Jeep Cherokee remotely on the highway, using a vulnerability in its Uconnect telematics system to send commands that killed the engine and even disabled the brakes. This first-of-its-kind car hacking incident prompted a safety recall of 1.4 million vehicles by Fiat Chrysler to patch the flaw.
Several high-profile cases have demonstrated the reality of automotive cyberattacks:
- Jeep Cherokee (2015): White-hat hackers Charlie Miller and Chris Valasek remotely compromised a 2014 Jeep Cherokee over the internet. Exploiting an open vulnerability in the Jeep’s Uconnect infotainment system, they took control of critical functions – from the radio and windshield wipers to cutting the engine and disabling the brakes. The chilling demonstration (conducted with a journalist on the highway) vividly illustrated how a malicious actor could seize a moving vehicle. In response, Fiat Chrysler issued a recall for 1.4 million vehicles to update the software and close the hole, marking the first-ever recall for a cybersecurity issue.
- Nissan Leaf (2016): Researchers uncovered a flaw in the NissanConnect EV app for the Nissan Leaf electric car that allowed remote access using only the vehicle’s VIN (Vehicle Identification Number). Because the API lacked proper authentication, an attacker who knew a Leaf’s VIN could issue commands and retrieve data. In a proof of concept, experts showed they could turn the Leaf’s climate control on or off and download driving history (like trip distance and battery usage) from anywhere in the world. Fortunately, the functions were limited (no driving controls), but privacy and battery life were at risk. Nissan reacted by temporarily disabling the NissanConnect service and later updating it to require authentication.
- Mitsubishi Outlander (2016): Another SUV, the Mitsubishi Outlander PHEV, was found to have a critical weakness in its smartphone control system. Unlike most cars that use cellular networks for remote apps, the Outlander uses a Wi-Fi hotspot in the vehicle for its companion app. Security researchers discovered the default Wi-Fi password was easy to crack (the key was in the owner’s manual and could be brute-forced in days). By breaking into the car’s Wi-Fi network from nearby, an attacker could communicate with the Outlander’s systems. The researchers demonstrated they could remotely turn lights on/off, tamper with the AC and charging, and even disable the car’s theft alarm. With the alarm off, a thief could potentially unlock the vehicle and access the onboard diagnostics port to program a new key. Mitsubishi initially downplayed the issue but later worked on a fix, advising owners to temporarily disable the Wi-Fi feature as a precaution.
- Tesla Model S (2016): Tesla’s vehicles have been a frequent target for security teams – not because they are weak, but because Tesla actively encourages research and issues fixes quickly. In one notable case, a team of Chinese researchers from Tencent’s Keen Security Lab remotely hacked a Tesla Model S. They tricked the owner into connecting to a malicious Wi-Fi hotspot and exploited a vulnerability in the car’s web browser to jump into the internal network. Once in, they were able to send unauthorized commands to the Tesla without any physical access. The hackers showed they could do everything from unlocking the doors and adjusting the seats to activating the brakes while the car was driving. This attack – carried out from 12 miles away – was a wake-up call that even a high-tech car could have exploitable flaws. Tesla responded within days by pushing an over-the-air software update to patch the bug and added cryptographic code signing to prevent such exploits in the future. The company also publicly thanked the researchers, underlining its proactive stance on cybersecurity.
These incidents had significant impacts. Automakers faced recalls and negative publicity, but they also learned invaluable lessons. For instance, the Jeep Cherokee hack “sparked a significant conversation about car cybersecurity” inside the auto industry, accelerating efforts to secure vehicle software. Manufacturers like Nissan and Mitsubishi had to rapidly overhaul poorly secured systems (APIs, Wi-Fi access, etc.), and Tesla’s quick fix demonstrated the advantage of cars that can update automatically. Each breach prompted carmakers to tighten defenses and take cybersecurity more seriously to protect consumers.
Additional Security Measures for Connected Car Owners
While automakers work to secure cars on the design side, car owners can also take steps to protect their connected vehicles from cyber threats. Here are some practical security measures drivers should consider:
- Keep Vehicle Software Up-to-Date: Just as you update your phone or computer, make sure to install any software updates or recalls for your car’s systems. Automakers regularly issue patches to fix security vulnerabilities, especially for infotainment units, navigation, and telematics. Apply these updates promptly – many modern cars can download updates over-the-air or at a dealership service center. Up-to-date software ensures you have the latest protections in place.
- Use Secure Networks (Avoid Public Wi-Fi): Be cautious about how your car connects to the internet. If your vehicle has Wi-Fi or connects to mobile apps, avoid using public or unsecured Wi-Fi networks for your car’s connectivity. Hackers on the same network could intercept data or inject malicious traffic. Ideally, stick to your car’s built-in cellular connection or your phone’s hotspot with a strong password. If you must use Wi-Fi, consider using a VPN for an extra layer of encryption.
- Secure Your Car’s Accounts and Apps: Many connected cars come with companion smartphone apps or online accounts (for remote start, locating the car, etc.). Protect these just like any other sensitive account. Use strong, unique passwords or PINs for your car’s app and Wi-Fi hotspot, avoiding defaults or simple codes. Enable two-factor authentication if the automaker offers it. This helps ensure that only you can access your vehicle’s connected features.
- Install Only Trusted Apps or Devices: Some cars allow installing third-party apps on the infotainment system, and aftermarket devices (like OBD-II dongles for diagnostics or insurance) can be plugged into your vehicle. Be selective and use only trusted, reputable apps and devices. A malicious app or gadget could introduce malware or create a backdoor into your car’s network. Similarly, don’t plug in unknown USB drives to the car’s ports. Stick to official app stores and well-reviewed products, and unplug devices that you don’t need from the OBD-II port.
- Monitor for Unusual Activity: Just as you might watch for strange behavior on your computer, pay attention to your car’s behavior and alerts. Warning signs could include infotainment glitches, unexpected restarts, or unfamiliar devices paired to your vehicle’s Bluetooth/Wi-Fi. Some vehicles can log system events – if you are tech-savvy, review your car’s system logs or use an OBD-II scanner to check for error codes that appear unexpectedly. If the car has a dashboard indicator for security (some vehicles alert if there’s an attempted unauthorized access), don’t ignore it. In general, know what “normal” looks like for your car’s electronics so you can spot anomalies.
- Perform Regular Security Check-ups: Incorporate cybersecurity into your vehicle’s maintenance routine. When you visit the dealership or mechanic, ask if they can scan for any software anomalies or updates. A qualified technician can inspect the vehicle’s electronic control units (ECUs) for signs of tampering or run diagnostics to ensure everything is operating as intended. This might catch potential issues early. It’s similar to running antivirus scans on a PC – periodic professional checks can reveal subtle problems.
- Protect Key Fobs from Relay Attacks: Not all car hacks involve high-tech software – thieves can exploit keyless entry systems using relay devices. Relay attacks extend the range of your key fob signal to unlock and start your car from outside your home. To defend against this, store your car keys in a signal-blocking pouch or box (a Faraday bag) when not in use. “A simple but effective way to stop auto bandits from purloining your key fob signal is to use a Faraday bag or pouch,” advise security experts. These pouches are lined with material that blocks wireless signals. By using one, you prevent thieves from wirelessly relaying your fob’s signal to your car. Additionally, consider old-fashioned physical protections: steering wheel locks and car alarms can deter thieves, including those using electronic methods.
By following these steps – keeping software current, practicing good digital hygiene, and staying vigilant – car owners can significantly reduce the risk of cyber intrusions. Essentially, treat your car’s connected systems with the same care you would your smartphone or laptop. Small precautions can go a long way in safeguarding your “computer on wheels.”
Future Trends in Automotive Cybersecurity
As vehicles become more connected and automated, they run on complex software and exchange vast amounts of data – making robust cybersecurity as essential as seatbelts and airbags in protecting driver safety.
The automotive industry is rapidly evolving, and so are the cyber threats and defenses associated with connected cars. Below are key trends and developments shaping the future of automotive cybersecurity:
Emerging Threats on the Horizon
Modern cars are not only connected to the internet; they’re beginning to communicate with each other and with infrastructure (vehicle-to-vehicle and vehicle-to-infrastructure communication). With this increased connectivity, attack surfaces multiply. Studies find that the vast majority of vehicle cyber incidents – about 95% – are now carried out remotely over wireless networks. This means attackers from anywhere in the world could target vehicles (or the servers they connect to) without ever touching the car.
One concerning trend is the possibility of large-scale or coordinated attacks. If a common software component is vulnerable, a single hacker could potentially exploit it across many thousands of vehicles. For example, researchers from Keen Lab recently discovered a flaw in Tesla’s backend systems that could have allowed them to remotely access and send commands to a fleet of Teslas at once (had it not been quickly fixed). This hints at a future where hackers might attempt to breach cloud-connected vehicle platforms to affect multiple cars simultaneously – essentially turning connected cars into a “botnet on wheels” if defenses fail.
Ransomware and cyber-extortion are also looming threats. So far, ransomware has hit the automotive industry’s corporate IT systems (for instance, plant operations and customer data) more than vehicles themselves. In fact, in 2024 over 100 ransomware attacks targeted the automotive and smart mobility sector (manufacturers, fleets, etc.), disrupting operations and services. It’s not a stretch to imagine that a hacker could someday target connected cars or smart car services with ransomware – for example, locking drivers out of their vehicles or disabling certain features until a ransom is paid. While no such widespread vehicle ransomware attack has occurred yet, security experts are keeping a close eye on this possibility.
Another area of concern is the privacy and data security of connected vehicles. Cars are collecting enormous amounts of data about drivers and trips – location history, driving behavior, biometric data from in-cabin cameras, and more. A breach that exposes this sensitive information is a serious threat. Recent analyses note that modern vehicles transmit a vast volume of personal and operational data, raising significant privacy issues if that data is not properly secured. Future cyberattacks might aim not just to control cars, but to steal or misuse the data they generate (much like hackers target personal data on computers). This could lead to identity theft, tracking of individuals, or misuse of vehicle sensors (for example, stalkers hacking a car’s GPS to follow someone).
Additionally, as autonomous driving technology advances, securing the sensors and AI systems in self-driving cars becomes critical. Researchers have already shown possible attacks like spoofing LIDAR or camera systems with deceptive signals (e.g., projecting fake obstacles or road markings). Such attacks could trick an autonomous vehicle into reacting inappropriately, with safety consequences. While these are more theoretical at the moment, they highlight that future cybersecurity will need to protect not just the car’s networking and software, but its perception of the physical world.
Advancements in Vehicle Security Technology
On a positive note, the industry is not standing still. Recognizing these threats, automakers and tech companies are investing in advanced cybersecurity technologies to fortify vehicles. One major area of development is in-car intrusion detection and prevention systems. Much like intrusion detection systems (IDS) for corporate networks, vehicles are starting to incorporate security modules that constantly monitor the CAN bus and other in-vehicle networks for any anomalous messages or behavior. These systems learn what normal car communications look like, and if an out-of-spec command appears (say, a command to turn the steering at high speed coming from the infotainment unit), they can flag or block it. For instance, some newer vehicles have a secure gateway that acts as a firewall between externally accessible systems (like telematics or infotainment) and critical driving systems. This segmentation helps ensure that even if, say, the radio unit is compromised, the critical brake or steering commands cannot easily be injected without authorization.
Data encryption and authentication are becoming standard throughout the car’s electronics. Critical data buses and wireless links are increasingly protected with encryption to prevent eavesdropping or tampering. Similarly, commands and software updates now often require cryptographic authentication. A real-world example is Tesla’s response to the Keen Lab hack – after that incident, Tesla implemented stronger code-signing and integrity checks on its firmware updates. Now, the car will reject any update or code that isn’t properly signed by the manufacturer, thwarting attempts to load malicious firmware. Across the industry, manufacturers are adopting a “secure by design” philosophy: everything from the key fob signal to the infotainment apps should have layers of encryption and verification. As one industry article put it, “data encryption protects the vehicle’s information, while secure management of software updates ensures improvements don’t introduce new vulnerabilities”. In practice, this means future cars will have secure boot processes (to make sure the car only runs genuine, untampered software each time it starts), encrypted car-to-cloud communications, and even encrypted storage for the car’s data logs.
We’re also seeing the rise of AI and machine learning in automotive cybersecurity. AI can help in two ways: it can harden vehicles by enabling features like driver behavior analysis for authentication (for example, the car might notice if an unusual person or method is trying to start the car, and ask for a second factor authentication), and it can detect attacks by recognizing patterns that suggest a cyber-intrusion. Machine learning models might run in the background of future cars, intelligently distinguishing a benign glitch from an actual attack in progress. On the flip side, defenders are aware that attackers might use AI too (perhaps to find vulnerabilities faster), so the race is on to stay ahead with smarter defensive tech.
Another promising advancement is the concept of secure “over the air” update frameworks. Over-the-air updates themselves are now seen as a security feature – they allow automakers to rapidly deploy patches to millions of cars when a new threat is discovered, reducing the window of exposure. However, those update channels must be extremely secure to prevent abuse. Automakers are now designing update systems with multiple safeguards (encryption, authentication, fail-safes to revert a bad update) so that hackers cannot hijack the update mechanism. Moving forward, your car might regularly receive silent security updates just like your antivirus software does on a PC.
Automakers and Regulators on the Defensive
Automotive cybersecurity is not just about technology – it’s also about industry practices and regulations. In the wake of the early car hacks, the auto industry has significantly ramped up collaboration and information-sharing. In 2015, major automakers formed the Automotive Information Sharing and Analysis Center (Auto-ISAC), a collective platform to share threat intelligence and best practices. Today, if one company or research team discovers a serious new vehicle vulnerability, that knowledge can be disseminated through Auto-ISAC so that other manufacturers can take preventive action. This is a big shift for an industry that historically was very siloed – now there’s recognition that cybersecurity is a common challenge where cooperation benefits everyone.
Automakers are also increasingly engaging with the cybersecurity research community. Many have launched bug bounty programs to reward independent hackers who report flaws responsibly. Tesla was one of the pioneers (even awarding cars to researchers who proved severe exploits), and soon others followed – General Motors, Fiat Chrysler, Ford, Toyota, and more now have programs inviting hackers to test their systems within legal boundaries. As noted in one report, “a number of automakers have announced bug bounty programs in recent years, including Tesla, GM and most recently, Fiat Chrysler”. By paying ethical hackers for their findings, companies can fix issues before criminals discover them. This approach has already led to dozens of vulnerabilities being patched behind the scenes without harm to drivers.
From a governance perspective, regulators are stepping in to ensure cybersecurity in vehicles is taken seriously. In the United States, the National Highway Traffic Safety Administration (NHTSA) has published cybersecurity best-practice guidelines for automakers, and while not mandatory yet, they signal what is expected. Even more impactfully, Europe and other regions have introduced new regulations (UNECE WP.29 regulations R155 and R156) that make cybersecurity part of a car’s type approval (the certification needed to sell a car). Starting in July 2022, any new vehicle model in the European Union must have a certified Cybersecurity Management System in place (and by July 2024 this applies to all new cars sold). In essence, automakers now must demonstrate that they are managing cyber risks throughout the vehicle’s lifecycle and have processes to detect and respond to incidents. They also must ensure secure software update mechanisms are built-in – recognizing the importance of OTA updates for safety. These regulations push manufacturers to implement a “defense-in-depth” strategy: everything from design, production, and post-sale monitoring is audited for cybersecurity. We can expect other countries to adopt similar rules, and international standards like ISO/SAE 21434 (an automotive cybersecurity engineering standard) are guiding development teams on how to bake security into every step of car design and maintenance.
Lastly, automakers are treating cybersecurity as a continuous effort. Many companies have created dedicated automotive security teams and even executive positions (Chief Product Security Officer) to oversee vehicle cybersecurity programs. They conduct regular security testing, hire external firms to attempt “penetration tests” on their cars, and participate in cross-industry drills. The goal is not just to react to known hacks, but to be proactive – anticipating potential attack strategies and hardening new features before they launch. For example, as advanced driver-assistance and autonomous driving features roll out, manufacturers are working closely with cybersecurity firms to test those systems against possible attacks (like sensor spoofing or AI manipulation). The industry knows that consumer trust is on the line. A survey cited widely in the media found a large share of consumers worry about car hacking, and that willingness to embrace connected car features increases when people feel the security issue is being addressed. This has put pressure on car companies to not only improve security, but also be transparent about their efforts.
The Road Ahead
In the coming years, automotive cybersecurity will remain a cat-and-mouse game as attackers look for new weaknesses and defenders innovate new protections. The good news is that both awareness and investment in vehicle security have never been higher. Cars are essentially becoming “computers on wheels,” and the industry is starting to treat them with the same level of cybersecurity scrutiny as laptops, servers, or smartphones. We will likely see smarter cars that can detect and maybe even self-heal from attacks, backed by manufacturers who can send instant updates.
For drivers, the hope is that most cyber defenses operate behind the scenes – much like modern cars quietly protect you with anti-lock brakes and stability control without intervention, they will also fend off cyber threats without bothering the driver. Still, owners will play a role by staying informed and practicing good security habits (as highlighted earlier).
Automotive cybersecurity is now a critical aspect of vehicle safety. The real-world hacks that have occurred were invaluable lessons, prompting rapid improvements. By learning from these incidents, implementing strong protections, and preparing for future risks, automakers and owners together can ensure that the exciting benefits of connected and autonomous vehicles are delivered safely – keeping cybercriminals off the road.
