The average new car today contains over 150 million lines of code. That's more than a modern fighter jet.
Wait, that statement is actually outdated.
According to Statista and Goldman Sachs Research, the average new vehicle in 2025 embodies up to 650 million lines of code, a dramatic increase driven by the rise of electric vehicles, advanced driver-assistance systems (ADAS), infotainment, and autonomous driving features.
For context:
In 2010, a typical car had ~10 million lines of code. By 2020, that number had jumped to ~200 million. Luxury or high-tech vehicles (like the Ford F-150 or Mercedes S-Class) already surpassed 150 million lines years ago.
All this to drive home the obvious fact that the car is now more software-defined than ever. These software-driven vehicles, packed with internet-connected systems, have transformed from mechanical machines into highly vulnerable networked devices.
Unlike smartphones or laptops, however, cars are life-critical systems where a cyberattack isn’t just about stolen data. It can mean remote-controlled brakes, ransomware-locked ignitions, or even weaponized acceleration.
Security researchers have repeatedly demonstrated how easy it is to hack a connected car.
In 2015, white-hat hackers Charlie Miller and Chris Valasek remotely killed a Jeep Cherokee’s engine on a highway, forcing Fiat Chrysler to recall 1.4 million vehicles. In 2022, a 19-year-old hacker accessed 25 Teslas across 13 countries by exploiting a vulnerability in a third-party app. And in 2023, cybersecurity firm Synopsys found that over 60% of modern cars contain critical vulnerabilities in their infotainment and telematics systems.
Yet despite these warnings, automakers continue prioritizing convenience over security, leaving millions of drivers exposed to an emerging wave of automotive cybercrime.
Modern vehicles are built on a foundation of interconnected electronic control units (ECUs) that manage everything from engine performance to door locks. These systems communicate via Controller Area Network (CAN) buses, which were designed in the 1980s with zero built-in security.
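The point above is that a classic CAN frame carries an arbitration ID and up to eight payload bytes and nothing else: no sender field, no integrity tag, so any node on the bus can emit any ID. The following added example (not code from the original article) contrasts a raw frame with a frame protected the way AUTOSAR SecOC does it, a truncated MAC plus a freshness counter packed into the payload, and shows a receiver rejecting replayed, forged and tampered frames. The frame layout and the shared key are assumptions for the demo, and HMAC-SHA256 stands in for the AES-CMAC a real ECU would use.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real ECU would hold it in a hardware security module.
SHARED_KEY = b"\x01" * 16


def raw_frame(can_id: int, payload: bytes) -> bytes:
    """Classic CAN 2.0A frame: 11-bit ID, DLC, up to 8 payload bytes. No authentication."""
    if not 0 <= can_id <= 0x7FF or len(payload) > 8:
        raise ValueError("invalid CAN 2.0A frame")
    return struct.pack(">H", can_id) + bytes([len(payload)]) + payload


def authenticate(can_id: int, data: bytes, counter: int) -> bytes:
    """SecOC-style frame (assumed layout): 4 data bytes + 1 freshness byte + 3-byte truncated MAC."""
    if len(data) != 4 or not 0 <= counter <= 0xFF:
        raise ValueError("data must be 4 bytes and counter one byte")
    msg = struct.pack(">H", can_id) + data + bytes([counter])
    tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:3]
    return raw_frame(can_id, data + bytes([counter]) + tag)


class Receiver:
    """Verifies the MAC and tracks the last accepted freshness value per ID to stop replays."""

    def __init__(self):
        self.last_counter = {}

    def verify(self, frame: bytes):
        can_id, dlc = struct.unpack(">HB", frame[:3])
        payload = frame[3:3 + dlc]
        if dlc != 8:
            return False, "unexpected length"
        data, counter, tag = payload[:4], payload[4], payload[5:]
        msg = struct.pack(">H", can_id) + data + bytes([counter])
        expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:3]
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        if counter <= self.last_counter.get(can_id, -1):
            return False, "replayed or stale counter"
        self.last_counter[can_id] = counter
        return True, "ok"


def demo():
    """Constructed scenario: one genuine frame, then a replay, a forgery and a bit-flip."""
    rx = Receiver()
    genuine = authenticate(0x123, b"\x00\x00\x00\x10", 1)
    verdicts = [rx.verify(genuine)[1]]
    verdicts.append(rx.verify(genuine)[1])                      # same frame again
    forged = raw_frame(0x123, b"\x00\x00\x00\x10\x02\x00\x00\x00")  # no key, zero tag
    verdicts.append(rx.verify(forged)[1])
    tampered = bytearray(authenticate(0x123, b"\x00\x00\x00\x20", 2))
    tampered[3] ^= 0xFF                                         # flip first data byte
    verdicts.append(rx.verify(bytes(tampered))[1])
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The counter is a single byte here to fit the frame; real deployments use a larger freshness value synchronised across ECUs, since a wrapped counter reopens the replay window.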
Most new cars feature cellular, Wi-Fi, and Bluetooth connectivity. They're convenient for updates and apps, but disastrous for security. Researchers have demonstrated attacks that:
In 2021, a ransomware group called REvil demonstrated they could lock drivers out of their cars until a Bitcoin payment was made.
REvil (aka Sodinokibi) was one of the most notorious ransomware groups at the time, responsible for high-profile attacks on companies like Kaseya, JBS, and Acer. While their operations primarily targeted corporate IT systems, you're not an alarmist for seeing their little 2021 'demonstration' as a preview of coming cyber-extortion tactics.
After all, ransomware against cars has been discussed in cybersecurity circles as a theoretical threat for years, especially as vehicles become more connected. Just because REvil or any other group hasn't executed such an attack in the wild doesn't mean there's no cause for concern.
Over-the-air (OTA) software updates, touted as a convenience feature, are now a major attack vector. Unlike smartphones, most cars lack secure boot mechanisms, meaning a compromised update could brick the vehicle or install spyware.
According to Upstream’s 2024 Global Automotive Cybersecurity Report, server-related incidents rose to 43% in 2023, up from 35% in 2022. These include attacks on telematics and backend infrastructure, which are critical for over-the-air (OTA) updates, remote diagnostics, and fleet management.
In 2020, Belgian researcher Lennert Wouters demonstrated a vulnerability in the Tesla Model X key fob update mechanism (not the OTA update system). He exploited a flaw in the Bluetooth Low Energy (BLE) firmware update process of the key fob, allowing him to unlock and start the car. It may not have compromised Tesla’s servers or OTA infrastructure, but it involved successfully pushing malicious firmware all the same.
As Startup Defense agrees, OTA update hijacking is a growing threat where attackers intercept or spoof update packages. If encryption, authentication, or integrity checks are weak, malicious firmware can be delivered to vehicles or IoT devices.
Common OTA vulnerabilities include:
With OTA systems now central to vehicle safety, infotainment, and even autonomous driving features, a compromised OTA pipeline could allow attackers to execute a number of actions, from installing malware to disabling safety systems, exfiltrating user data, and ultimately undermining trust in automakers.
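The checks an OTA client has to perform before a package touches an ECU are exactly the ones listed above: authenticate the package, confirm it is meant for this ECU, refuse downgrades, and bind the payload to the signed manifest. The added example below (not the article's or any automaker's code) walks an update through those checks and shows each failure mode being rejected. The manifest format and the vendor key are assumptions; HMAC stands in for the asymmetric signature (such as Ed25519) a real vehicle would verify with a public key burned into the ECU.

```python
import hashlib
import hmac
import json

# Constructed vendor key. In production the ECU stores only a public key and
# the manifest carries an asymmetric signature; HMAC is a stand-in here.
VENDOR_KEY = b"constructed-vendor-key"


def sign_manifest(manifest: dict) -> bytes:
    """Sign the canonical JSON form of the manifest (assumed format)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()


def build_update(ecu: str, version: int, firmware: bytes) -> dict:
    """Vendor side: manifest binds target ECU, version and payload hash, then is signed."""
    manifest = {"ecu": ecu, "version": version,
                "sha256": hashlib.sha256(firmware).hexdigest()}
    return {"manifest": manifest, "sig": sign_manifest(manifest).hex(),
            "firmware": firmware}


class Ecu:
    """Vehicle side: verify before install; installed_version is the anti-rollback floor."""

    def __init__(self, name: str, installed_version: int):
        self.name = name
        self.installed_version = installed_version

    def apply_update(self, update: dict) -> str:
        manifest = update["manifest"]
        # 1. Authenticity: the manifest must carry a valid vendor signature.
        if not hmac.compare_digest(bytes.fromhex(update["sig"]), sign_manifest(manifest)):
            return "rejected: manifest signature invalid"
        # 2. Targeting: an image signed for another ECU is still an attack on this one.
        if manifest["ecu"] != self.name:
            return "rejected: wrong target ECU"
        # 3. Anti-rollback: a validly signed but older image reintroduces fixed bugs.
        if manifest["version"] <= self.installed_version:
            return "rejected: downgrade or replay of old version"
        # 4. Integrity: the payload must match the hash inside the signed manifest.
        if hashlib.sha256(update["firmware"]).hexdigest() != manifest["sha256"]:
            return "rejected: firmware hash mismatch"
        self.installed_version = manifest["version"]
        return "installed version %d" % manifest["version"]


def demo():
    """Constructed scenario: good update, replay, tampered payload, edited manifest."""
    ecu = Ecu("BCM", installed_version=4)
    good = build_update("BCM", 5, b"constructed firmware image v5")
    out = [ecu.apply_update(good)]
    out.append(ecu.apply_update(good))                 # same package again
    tampered = build_update("BCM", 6, b"constructed firmware image v6")
    tampered["firmware"] = b"constructed firmware image v6 (modified)"
    out.append(ecu.apply_update(tampered))
    forged = build_update("BCM", 7, b"constructed firmware image v7")
    forged["manifest"]["version"] = 99                  # edited after signing
    out.append(ecu.apply_update(forged))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of checks matters: the signature is verified before any field of the manifest is trusted, and the hash comparison uses the digest from the signed manifest, not one shipped beside the payload, so an attacker who swaps the firmware cannot also swap the expected hash.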
Your car’s infotainment system likely runs on Android Automotive or QNX, both of which have been hacked repeatedly. Worse, automakers allow third-party apps (like Spotify or weather services) to access vehicle APIs, creating new entry points for attackers.
Hackers have used compromised insurance dongles (like Progressive’s Snapshot) to send malicious CAN bus commands.
In 2015, a team from the University of California, San Diego demonstrated that a Metromile insurance dongle (similar in function to Progressive’s Snapshot) could be exploited via SMS to send malicious CAN bus commands to a Corvette.
They remotely activated brakes and windshield wipers by hijacking the dongle’s cellular connection and injecting commands into the vehicle’s internal network. This highlighted the risks of insecure telematics devices plugged into the OBD-II port.
An APIsec University report found that API-related attacks surged by 308% in 2022, and by 2023, they accounted for 13% of all automotive cyberattacks, making them the third most common attack vector in the industry. This rise reflects the growing reliance on APIs in connected car ecosystems and the corresponding increase in exploitable weaknesses.
A Forbes Technology Council article similarly cites a 380% increase in automotive API attacks in 2022, and the SCITEPRESS study on Android Automotive apps highlights how third-party in-vehicle apps can exploit API permissions and system weaknesses to access sensitive data or disrupt infotainment systems.
Imagine waking up to a message on your dashboard: "Pay 0.5 BTC or your car won’t start." It may sound like science fiction, but it’s already happening in fleet vehicles.
German firm Hellmann Worldwide Logistics suffered a ransomware attack in late 2021, which disrupted operations and led to the leak of over 70 GB of internal data. While the attack may not have directly manipulated truck ECUs or immobilized the vehicles, it had a “material impact” on business systems all the same.
Security firm Kaspersky predicts that personal vehicle ransomware will surge by 2025 as hackers automate attacks.
Kaspersky’s 2025 State of Ransomware Report and other industry sources highlight a surge in automotive ransomware threats, especially as vehicles become more connected and OTA (over-the-air) updates expand the attack surface. In fact, ransomware now accounts for 45% of all automotive cyber incidents in 2025, making it the leading threat to the sector.
Your car collects far more data than your phone: location history, driving habits, even cabin microphone recordings.
The Federal Trade Commission (FTC) concluded that GM collected and sold precise geolocation and driver behavior data from millions of vehicles without adequately notifying consumers or obtaining affirmative consent. As a result, GM was banned for five years from sharing this data with consumer reporting agencies.
FTC Chair Lina Khan stated: “GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds.”
Multiple lawsuits filed in 2024–2025 allege that automakers shared driving data with insurers and data brokers (e.g., LexisNexis, Verisk) without drivers’ knowledge. In many cases, drivers were unaware they had "enrolled" in programs like OnStar Smart Driver, which silently collected data used to adjust insurance rates.
Similarly, Honda was fined $632,500 by the CPPA for violating California’s privacy laws, after the agency found that Honda collected and shared location, speed, braking, and even voice/image data without proper disclosure or consent.
Perhaps most alarming is Mozilla’s “Privacy Not Included” project, which found that 25 out of 25 car brands they reviewed collected excessive personal data, often including biometrics, location, and driving habits, and shared it with third parties. Many brands failed to meet basic privacy standards.
Of course, it's not just about collecting and sharing data, but what happens to the data collected and shared. Insurance premiums may be the least of your worries.
Cybersecurity researchers and law enforcement have documented cases where stolen vehicle data, including real-time GPS tracking, has been traded on dark web forums.
For example, a Motoring Research report described how fraudsters used dark web-sourced identities to steal and track luxury vehicles like a Mercedes-Benz C-Class. Security firms have warned that connected car APIs and telematics systems can be exploited to access location, unlock commands, and driving history—especially when third-party apps or misconfigured cloud services are involved.
Nation-state hackers see cars as soft targets for cyberwarfare.
In 2024, U.S. intelligence warned that Chinese-linked hackers were probing vulnerabilities in EV charging networks. That same year, cybersecurity researchers at Pwn2Own Automotive demonstrated real-world exploits of EV chargers, including arbitrary code execution on devices like the Autel MaxiCharger and ChargePoint Home Flex.
U.S. officials have publicly warned about Chinese state-linked groups (e.g., Volt Typhoon) targeting critical infrastructure, including transportation and EV charging systems, as part of broader cyber-espionage campaigns.
The Department of Commerce and National Security Council have likewise cited risks of malicious access to connected vehicle systems developed in China, which could be used for surveillance or sabotage.
Security as an Afterthought
Most automakers still treat cybersecurity like a compliance checkbox, not a life-or-death necessity.
A 2024 global survey published in the SAE International Journal of Connected and Automated Vehicles—titled “A Global Survey of Standardization and Industry Practices of Automotive Cybersecurity Validation and Verification Testing”—recognized penetration testing as a critical component of cybersecurity validation, especially under frameworks like ISO/SAE 21434 and UN R155.
Unfortunately, the study highlights inconsistencies in adoption across regions and manufacturers, with many OEMs relying on traditional IT testing methods or limited-scope assessments.
Many car ECUs run on decade-old firmware with known vulnerabilities.
No Standardized Protections
Unlike the NIST cybersecurity framework for IT systems, automotive security regulations are weak and fragmented.
The UN’s WP.29 regulation (adopted by the EU) mandates basic cybersecurity—but the U.S. still has no federal automotive cybersecurity laws.
The regulation, specifically UNECE R155 (Cybersecurity Management System) and R156 (Software Updates), adopted in 2020, became mandatory in the EU for all new vehicle types from July 2022, and all new vehicles sold from July 2024.
These regulations require automakers to implement cybersecurity risk management, incident detection, and secure software update processes across the vehicle lifecycle.
In contrast, the U.S. has no binding federal automotive cybersecurity law. The National Highway Traffic Safety Administration (NHTSA) provides voluntary guidance, but there is no mandatory federal regulation equivalent to WP.29.
Furthermore, a 2023 Automotive News report found that the automotive industry paid the least in bug bounties across all sectors tracked by HackerOne. Some major automakers (e.g., Honda) do not run any bug bounty program. Others are slow to respond or ignore vulnerability disclosures from white-hat hackers.
The Right-to-Repair Security Nightmare
Independent mechanics can’t access diagnostic tools needed to fix hacked cars, forcing owners to dealerships that lack cybersecurity expertise.
1. Disable Bluetooth when not in use (many hacks start with Bluetooth exploits).
2. Avoid third-party dongles (insurance trackers, aftermarket infotainment).
3. Demand transparency from automakers about data collection and security audits.
Alright, let's get real.
If you're serious about protecting your car from cyber threats, the first thing is to treat the vehicle like a segmented network rather than a single monolithic system.
That means isolating safety-critical components from the infotainment system, possibly adding physical hardware between the vehicle’s CAN bus segments to filter or block unauthorized commands. Think of it as installing a digital firewall between systems that don’t need to talk to each other.
You also want to reflash or strip down the infotainment software—removing unnecessary services, disabling remote diagnostics or backdoors, and ensuring only signed, cryptographically verified firmware can be installed.
Over-the-air updates wouldn’t be accepted automatically; instead, they’d be scrutinized, even sandboxed offline before going anywhere near the car’s systems.
As far as interacting with apps and connected services, you don't want to trust the standard mobile apps offered by automakers. Too much data collection, too many blind spots. You want to avoid cloud-based services entirely when possible, using standalone interfaces like a Raspberry Pi to display local GPS data or diagnostics without handing anything over to third-party servers.
The vehicle’s OBD-II port—a known attack vector—shouldn’t be left exposed. It can't hurt to physically lock it or relocate it altogether, and if you need to keep it accessible for diagnostics, use a read-only adapter that blocks incoming commands. That way, nobody’s sneakily writing to the car’s internal brain through a cheap plug-in device.
You might even get a little creative with location protection, using GPS spoofing detection or dummy modules to scramble tracking attempts. For keyless entry, your fobs would live in Faraday cages to block RF signals, and you’d disable passive entry if it’s known to be vulnerable to relay attacks.
At the software level, run your own lightweight intrusion detection tools: a custom setup tuned to the car’s normal behavior.
If a strange command appears on the CAN bus, or a new network handshake is initiated, you’d know about it immediately. Every interaction would be logged: firmware updates, CAN messages, USB plug-ins—because for you, full visibility is the first layer of control.
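Two of the controls in the procedure above can be prototyped with a few dozen lines: the read-only OBD-II adapter policy, and a CAN intrusion detector tuned to the car's normal behaviour. The added example below (not the article's code) learns the periodicity of each message ID from constructed baseline traffic, then flags an ID it has never seen and a frame that arrives far earlier than its learned period, which is how injected or flooded frames look on a bus whose legitimate traffic is strictly periodic. The OBD filter forwards only the standard OBD-II query services (modes 0x01, 0x02, 0x03, 0x06, 0x07, 0x09, 0x0A) and drops everything else, including "clear DTCs" (0x04) and UDS session-control requests. Message IDs, periods and the tolerance value are assumptions for the demo.

```python
from collections import defaultdict
from statistics import mean

# Constructed baseline: engine status 0x0C0 every 10 ms, wheel speed 0x1A0 every 20 ms.
def make_baseline_traffic(seconds: float = 2.0):
    """Return sorted (timestamp_s, can_id, payload) tuples of normal periodic traffic."""
    traffic = []
    for can_id, period in ((0x0C0, 0.010), (0x1A0, 0.020)):
        t = 0.0
        while t < seconds:
            traffic.append((round(t, 3), can_id, b"\x00" * 8))
            t += period
    return sorted(traffic)


class CanIds:
    """Periodicity-based detector: unknown IDs and too-early arrivals raise alerts."""

    def __init__(self, tolerance: float = 0.5):
        self.period = {}          # learned mean inter-arrival time per ID
        self.last_seen = {}
        self.tolerance = tolerance
        self.log = []             # every inspected frame is logged, alert or not

    def learn(self, traffic):
        stamps = defaultdict(list)
        for ts, can_id, _ in traffic:
            stamps[can_id].append(ts)
        for can_id, times in stamps.items():
            gaps = [b - a for a, b in zip(times, times[1:])]
            self.period[can_id] = mean(gaps)

    def inspect(self, ts: float, can_id: int, payload: bytes) -> str:
        if can_id not in self.period:
            verdict = "alert: unknown ID 0x%03X" % can_id
        else:
            last = self.last_seen.get(can_id)
            self.last_seen[can_id] = ts
            expected = self.period[can_id]
            if last is not None and ts - last < expected * (1 - self.tolerance):
                verdict = ("alert: 0x%03X arrived %.1f ms after previous, expected ~%.1f ms"
                           % (can_id, (ts - last) * 1000, expected * 1000))
            else:
                verdict = "ok"
        self.log.append((ts, can_id, payload.hex(), verdict))
        return verdict


# Standard OBD-II query services; anything else (0x04 clear DTCs, UDS 0x10/0x2E/0x34, ...) is dropped.
OBD_READ_ONLY_MODES = {0x01, 0x02, 0x03, 0x06, 0x07, 0x09, 0x0A}


def obd_port_filter(payload: bytes) -> bool:
    """Read-only adapter policy for requests on the OBD port: byte 1 of the request is the mode."""
    if len(payload) < 2:
        return False
    return payload[1] in OBD_READ_ONLY_MODES


def demo():
    ids = CanIds()
    ids.learn(make_baseline_traffic())
    return [
        ids.inspect(2.000, 0x0C0, b"\x00" * 8),   # on schedule
        ids.inspect(2.001, 0x0C0, b"\xff" * 8),   # 1 ms later: injected frame
        ids.inspect(2.005, 0x7DF, b"\x02\x01\x0C"),  # never seen in baseline
        obd_port_filter(b"\x02\x01\x0C"),         # engine RPM query: allowed
        obd_port_filter(b"\x01\x04"),             # clear DTCs: dropped
        obd_port_filter(b"\x02\x10\x02"),         # UDS programming session: dropped
    ]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the detector keys on timing rather than payload content, it catches spoofed frames even when every byte looks plausible, which is the usual case for a replayed legitimate message; the log entries give the "full visibility" layer the text describes.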
And finally, you want to stay plugged into the scene. Follow forums, track zero-day exploits, read technical disclosures—because staying secure isn’t a fixed state but an arms race.
We'd even tell you to operate in “ghost mode”—disabling telematics modules, blocking cellular radios, and rolling off-grid to make your car effectively invisible to outside actors, but you might say that's taking it too far.
This is all to say that tech-savvy drivers serious about their privacy approach automotive security with the same layered discipline that high-level cybersecurity professionals bring to enterprise systems. Defense in depth, minimal exposure, maximum situational awareness. And just enough paranoia to stay one step ahead.
The auto industry is woefully unprepared for the coming wave of car hacking. Until regulators force mandatory security standards, and automakers stop treating cybersecurity as an afterthought, every connected car is a ticking time bomb.
The question isn’t if a major cyberattack will disable thousands of vehicles—it’s when.