Digital Highways and Cyber Byways: A Comprehensive Look at Car Hacking Vulnerabilities Across Manufacturers

Breached Company

18 Aug 2025 — 13 min read

Bottom Line: The explosive growth of connected vehicle technology has created a massive attack surface for cybercriminals. From Tesla's sophisticated computer systems to Kia and Hyundai's basic ignition vulnerabilities, virtually every major automaker has faced significant security challenges as cars transform from mechanical machines into rolling computers.

The Scale of the Problem

The automotive cybersecurity landscape has deteriorated dramatically over the past five years. According to Upstream's 2025 Global Automotive Cybersecurity Report, researchers identified over 100 ransomware attacks targeting the automotive ecosystem in 2024, along with more than 200 data breaches. The scope is staggering: by 2025, over 400 million connected cars will be in operation, and 95% of all vehicles manufactured in 2025 will have internet connectivity capabilities.

The numbers tell a stark story about the industry's vulnerability:

99% increase in cyberattacks on automotive vehicles from 2019 to 2020
380% growth in attacks on automotive APIs in 2022
95% of automotive cyber incidents are carried out remotely
Over 20 million hack attempts related to automotive systems were registered in 2023

Tesla: The Double-Edged Sword of Innovation

Tesla, as the pioneer of software-first vehicle design, presents a fascinating case study in automotive cybersecurity. The company's approach of treating cars like smartphones has created both opportunities and vulnerabilities.

The Pwn2Own Success Stories

Tesla has become a regular target at Pwn2Own hacking competitions, with security firm Synacktiv consistently demonstrating exploits against Tesla systems:

2024: Synacktiv earned $200,000 for an integer overflow exploit targeting Tesla's electronic control unit (ECU) with CAN bus control, plus a new Tesla Model 3
2023: The same team won $530,000 in prize money and another Tesla Model 3 for discovering vulnerabilities
2025: A high-severity VCSEC vulnerability was disclosed that allowed attackers to execute malicious code remotely, potentially disabling safety features and manipulating driving functions

The Paradox of OTA Updates

Ironically, Tesla's strength in over-the-air updates also represents its cybersecurity salvation. Tesla led recalls in 2024 with 5.1 million vehicles affected, but all could be addressed through over-the-air updates rather than requiring physical service visits. This represents the ultimate evolution of the recall process—turning costly dealer visits into seamless background updates.

Internal Threats

Tesla also faced its biggest insider threat in 2023, when an employee leaked sensitive safety and customer data. This incident highlighted that even the most technologically advanced automaker isn't immune to traditional insider threats.

The Luxury Car Vulnerability Epidemic

High-end manufacturers have discovered that their sophisticated systems create equally sophisticated attack vectors.

BMW: Multiple Attack Surfaces

BMW has faced several significant security challenges:

2015: A cybersecurity hole left more than two million BMWs vulnerable in what may have been the most serious breach the auto industry had faced at the time
2018: Researchers from Tencent Keen Security Lab discovered 14 flaws affecting high-profile BMW models including the i Series, X Series, 3 Series, 5 Series, and 7 Series
2022: BMW was among 16 manufacturers affected by a comprehensive study that found vulnerabilities allowing researchers to control car functions and start or stop engines

Mercedes-Benz and the Premium Brand Problem

Mercedes-Benz has also been caught in the crossfire of automotive cybersecurity research. Security experts announced multiple vulnerabilities affecting millions of vehicles from Mercedes-Benz, BMW, Rolls-Royce, Ferrari, Ford, Porsche, and Toyota. The luxury segment's emphasis on connectivity and premium features has inadvertently created more attack surfaces for malicious actors.

The Underground Economy: Radio Wave Hacking and Organized Crime

Beyond the publicized vulnerabilities and manufacturer recalls lies a darker world where sophisticated criminal organizations use cutting-edge technology to systematically steal high-end vehicles. This underground ecosystem combines traditional organized crime with advanced hacking techniques, creating a multi-billion dollar industry built on automotive cybersecurity exploitation.

The Science of Signal Interception

The most prevalent method in professional car theft today is the relay attack, a sophisticated technique that exploits the convenience features of modern keyless entry systems. Criminal organizations have turned this into a precise science:

How Relay Attacks Work:

Two-person operation: One criminal stands near the target vehicle while another positions themselves within range of the key fob (often inside the victim's home)
Signal amplification: Devices can capture and relay key fob signals from over 100 meters away
Real-time relay: The first device captures the key fob signal and transmits it to the second device by the car, fooling the vehicle into thinking the key is present
Rapid execution: The entire process takes 20-30 seconds, allowing thieves to unlock and start vehicles silently

The Technology Behind the Crime

The equipment used by professional car theft rings has become increasingly sophisticated and accessible:

Available Hardware:

Commercial devices can be purchased for as little as £100 ($130) online through legitimate channels like Amazon and eBay
Professional equipment used by locksmiths and dealerships has been stolen or legally purchased by criminal organizations
Software-defined radios (SDR) allow criminals to capture, analyze, and replay various radio frequencies
Specialized tablets designed for automotive diagnostics have been repurposed for criminal use

Black Hat Networks and Criminal Infrastructure

Modern car theft operations mirror legitimate businesses in their organizational structure and technological sophistication. Black hat hackers often work with organized crime organizations for easy money, creating a professional ecosystem dedicated to automotive cybercrime.

Criminal Organization Structure:

Developers: Create and maintain hacking software and tools
Resellers: Distribute tools and techniques to local criminal cells
Operators: Execute the actual vehicle thefts
Logistics coordinators: Handle vehicle transportation and illegal export
Document forgers: Create fraudulent registrations and VIN changes

High-Profile Criminal Operations

Recent law enforcement actions have revealed the scope and sophistication of these operations:

European Operation (2022): French, Latvian, and Spanish authorities arrested 31 suspects in a car theft ring that targeted keyless vehicles from two French manufacturers, using fraudulent software marketed as an "automotive diagnostic solution" to bypass keyless systems. The operation seized over €100 million, 12 bank accounts, real estate, and three luxury cars.

New York "Operation Master Key" (2021): A complex auto theft ring was dismantled after stealing over 225 vehicles, using "bootleg code lists" to create keys and altering computer settings to weaponize vulnerabilities in the automotive industry. The operation included VIN number changes, false registrations, and international resale networks.

Canadian Organized Crime Networks: Canadian crime networks operate like "criminal car dealerships," with corrupt employees at ports, trucking companies, and vehicle registration agencies providing inside information to crime bosses, including key fob information and VIN data.

Manufacturer Database Infiltration

One of the most concerning aspects of modern automotive cybercrime is the infiltration of manufacturer and dealer databases:

Inside Information Networks:

Corrupt port workers photograph VINs and collect key fob information when new vehicles arrive
Dealership employees share customer information and vehicle registration data
Service Ontario agents (in Canada) have been embedded within government vehicle registration systems
Key code access: "Sometimes the bad guys can get the key code," allowing criminals to create legitimate keys for specific vehicles

The CAN Bus Attack Vector

Professional thieves have moved beyond simple relay attacks to directly compromise vehicle computer systems:

Controller Area Network (CAN) Bus Exploitation:

Direct system access: Criminals use tablets to access a vehicle's "nervous center" where "you can pretty much do things such as delete keys, program new keys, and just basically speak to the vehicle"
Rapid reprogramming: Experts can demonstrate gaining access to a vehicle's mainframe and reprogramming a key in "less than a minute"
Physical access points: Thieves target the OBD-II diagnostic port or other access points to connect directly to vehicle systems

Global Criminal Networks and Money Laundering

The scale of automotive cybercrime extends far beyond simple theft, connecting to international terrorism and money laundering operations:

International Scope:

Trade-based money laundering: Organized auto theft rings are "involved in international trade-based money laundering, and raising money for drug-trafficking and terrorism"
Terrorist financing: Transnational gangs send "SUVs stolen in Canada, to carry out terrorist bombings in the Middle East," with terrorists preferring "big North American luxury SUVs, such as Cadillac Escalades and Chevy Suburbans" because "they can stuff lots of explosives into them"
Global shipping networks: Stolen vehicles are transported through compromised ports to destinations worldwide

The Economics of Cybercrime

The financial scale of automotive cybercrime is staggering:

Annual Canadian losses: Auto thefts cost $1 billion across Canada per year, with fraudulent auto insurance claims costing about $1.6 billion per year in Ontario alone
U.S. national impact: Over one million cars were stolen in 2022, the highest number since 2008, representing about two vehicles stolen every minute
Criminal profits: Individual operations can generate hundreds of millions in illegal revenue

Law Enforcement Challenges

Combating sophisticated automotive cybercrime presents unique challenges:

Technical Complexity:

Constantly evolving methods: "The criminal organizations and the suspects are always looking for what the security protocols are and how to defeat them"
Legal acquisition of tools: Many hacking devices can be legally purchased, making it difficult to regulate access
International coordination: Criminal networks span multiple countries, requiring complex international cooperation

Detection Difficulties:

No physical evidence: Relay attacks leave no broken windows or damaged locks
Rapid execution: Thefts occur so quickly that detection and response are nearly impossible
Inside information: Corrupt employees within legitimate organizations provide advance intelligence

Consumer Protection Strategies

Given the sophistication of these criminal operations, traditional security measures may be insufficient:

Advanced Protection Methods:

Faraday pouches: Store key fobs in signal-blocking containers
Physical barriers: Use steering wheel locks and other old-school deterrents that high-tech criminals may not expect
Garage parking: Increase distance between keys and potential signal interception
PIN-to-drive features: Enable additional authentication requirements where available

The Arms Race Continues

The battle between automotive security and cybercriminal innovation represents an ongoing technological arms race. As manufacturers implement new security measures, criminal organizations adapt with increasingly sophisticated tools and techniques.

This underground economy demonstrates that automotive cybersecurity isn't just about individual vulnerabilities or corporate recalls—it's about defending against well-funded, technically sophisticated criminal enterprises that view connected vehicles as lucrative targets in a multi-billion dollar illegal industry.

The Mass Market Vulnerability Crisis

The 16-Manufacturer Study: A Wake-Up Call

In 2022, a group of seven security researchers conducted a comprehensive study that exposed vulnerabilities across 16 major car manufacturers: Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota.

The researchers' findings were alarming:

Using only the VIN number (visible on windshields), they could start/stop engines, remotely lock/unlock vehicles, flash headlights, honk horns, and retrieve precise vehicle locations
For Kia vehicles specifically, researchers could remotely access the 360-view camera and view live images from inside the car
They could lock users out of remote vehicle management and even change car ownership
The attacks worked on Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles

Honda and Nissan: API Vulnerabilities

The research revealed that Honda, Nissan, Infiniti, and Acura vehicles were particularly vulnerable to remote attacks through compromised APIs. Researchers could "remotely unlock, start, locate, flash, and honk any remotely connected" vehicles from these manufacturers, completely unauthorized, knowing only the VIN number.

The Kia/Hyundai TikTok Disaster

Perhaps no automotive cybersecurity incident has captured public attention like the "Kia Challenge" that went viral on TikTok in 2022.

The Vulnerability

The issue stemmed from a fundamental design flaw: Kia vehicles manufactured from 2011 to 2021 and Hyundai vehicles from 2016 to 2021 that used steel keys (rather than key fobs with push-button start) lacked immobilizers. This electronic security device, standard in most vehicles and mandatory in Canada, prevents the engine from starting unless a proper key is inserted.

A TikTok video posted on July 12, 2022, showed how thieves could use a USB connector on the exposed ignition switch to start these vehicles. The technique spread rapidly across social media, with perpetrators identifying themselves as "Kia Boys" or "Kia Boyz."

Real-World Consequences

The TikTok challenge has had devastating real-world impacts:

At least 8 fatalities according to the National Highway Traffic Safety Administration
At least 14 reported crashes linked to the challenge
Tens of thousands of vehicles stolen nationwide
Prince George's County, Maryland: 617 Kia and Hyundai vehicles stolen in 2022, with 108 already stolen by early 2023

The Manufacturer Response

Both Kia and Hyundai eventually responded with software updates:

February 2023: Companies began rolling out free software updates to extend alarm duration from 30 seconds to one minute
Hardware requirement: Updates require the key to be in the ignition switch to turn the vehicle on
Free steering wheel locks provided to affected vehicle owners
2022+ models: All newer vehicles include immobilizers as standard

Electric Vehicle Specific Vulnerabilities

As the automotive industry transitions to electric vehicles, new categories of vulnerabilities have emerged.

Charging Infrastructure Attacks

The 2024 Pwn2Own automotive event in Tokyo revealed that electric vehicle chargers present significant attack surfaces. Researchers demonstrated 24 unique zero-day vulnerabilities on the first day alone, many targeting EV charging infrastructure.

Battery Management and Grid Integration

Electric vehicles' connection to the power grid creates new attack vectors. Cybercriminals can potentially:

Gain access to the broader electric grid through compromised vehicles
Manipulate charging schedules to destabilize power systems
Access payment and personal information stored in charging systems

Manufacturer Response Strategies

The Over-The-Air Solution

Progressive manufacturers have embraced OTA updates as a primary defense mechanism:

Over 34% of vehicles recalled in 2024 can be fixed via OTA updates, up from 21% in 2023
Tesla leads this approach with all 5.1 million recalled vehicles in 2024 addressable through OTA updates
GM uses its OnStar infrastructure to push critical updates to millions of vehicles simultaneously

Traditional Recall Methods

Many manufacturers still rely on traditional recall methods:

Dealer visits for critical firmware updates that affect safety systems
USB drive distribution for vehicles without reliable OTA capability
Hardware replacements when software fixes aren't sufficient

Industry Collaboration

The automotive cybersecurity market is responding rapidly:

Market projected to reach $22.2 billion by 2032, up from $3.2 billion in 2022
Major acquisitions: Panasonic acquired cybersecurity firm Blue Planet for $150 million in 2023
Regulatory pressure: UNECE WP.29 regulations mandating cybersecurity requirements for new vehicles

The Regulatory Response

International Standards

UNECE WP.29 regulations implemented in early 2024, mandating cybersecurity and software update requirements for new vehicles globally
US NHTSA guidelines issued in 2023, focusing on improving cybersecurity posture of automotive manufacturers
EU Cyber Resilience Act setting cybersecurity requirements for Products with Digital Elements

US Government Action

In response to rising cybersecurity risks, the US Department of Commerce proposed a rule in September 2024 to ban connected vehicles using certain hardware or software from China or Russia, highlighting the national security implications of automotive cybersecurity.

Vehicle Types and Vulnerability Patterns

Luxury Vehicles: More Features, More Problems

Luxury vehicles from BMW, Mercedes-Benz, Audi, and others face unique challenges:

Extensive connectivity features create more attack surfaces
Premium infotainment systems often run complex software with more vulnerabilities
Advanced driver assistance systems present safety-critical attack targets

Mass Market Vehicles: Scale Amplifies Impact

Mainstream manufacturers like Honda, Toyota, Ford, and GM face different challenges:

Higher vehicle volumes mean vulnerabilities affect more people
Cost pressures may lead to security compromises
Diverse technology implementations across model ranges create inconsistent security

Electric Vehicles: New Technology, New Risks

EVs present unique vulnerability patterns:

Software-heavy architectures similar to Tesla's approach
Charging infrastructure dependencies create new attack vectors
Grid integration capabilities extend attack surfaces beyond the vehicle

Looking Forward: The Evolving Threat Landscape

AI-Powered Attacks

Threat actors are rapidly adopting AI technologies to amplify the scale and impact of their activities, forcing automakers to enhance their defenses with equally sophisticated AI-powered security systems.

Supply Chain Vulnerabilities

The automotive industry's complex supply chain creates numerous entry points for attackers:

Tier 1 suppliers face increasing scrutiny for cybersecurity practices
Software dependencies from third-party providers create hidden vulnerabilities
Development partner compromises (like the EDS Automotive GmbH attack affecting BMW, Audi, Tesla, VW, and Porsche partners) demonstrate supply chain risks

The Connected Ecosystem Challenge

As vehicles become nodes in larger connected ecosystems, the attack surface expands beyond the car itself:

Smart city infrastructure integration
Vehicle-to-everything (V2X) communications
Cloud service dependencies for critical vehicle functions

Recommendations for Consumers

Immediate Actions

Keep software updated: Install all available OTA updates and visit dealers for critical security patches
Use physical security: Consider steering wheel locks for vulnerable Kia/Hyundai models
Monitor accounts: Regularly check vehicle app accounts for unauthorized access
Park strategically: Choose well-lit, high-traffic areas when possible

Long-Term Considerations

Research security practices when purchasing vehicles
Consider manufacturer track record on cybersecurity responsiveness
Understand connectivity features and their associated risks
Plan for security updates throughout the vehicle's lifecycle

The Verdict

The automotive industry's rapid technological transformation has created an unprecedented cybersecurity challenge. From Tesla's sophisticated computer systems being exploited at Pwn2Own competitions to teenagers stealing Kias with USB cables learned from TikTok, the vulnerability landscape spans the spectrum from cutting-edge to surprisingly basic.

No manufacturer has been immune to security challenges. BMW, Mercedes-Benz, Tesla, Honda, Toyota, Ford, GM, Kia, Hyundai, and virtually every other major automaker has faced significant cybersecurity incidents in recent years. The 380% increase in automotive API attacks and the 95% rate of remote exploitation demonstrate that physical access is no longer required for automotive attacks.

The industry's response has been mixed but increasingly urgent. Progressive manufacturers like Tesla have turned cybersecurity challenges into competitive advantages through sophisticated OTA update systems, while others still struggle with basic security implementations. The $22.2 billion projected cybersecurity market by 2032 reflects both the scale of the challenge and the industry's commitment to addressing it.

As vehicles become increasingly connected, the cybersecurity challenge will only intensify. The cars of tomorrow will be rolling computers first and transportation devices second, requiring a fundamental shift in how the automotive industry approaches security. The question isn't whether vulnerabilities will be discovered—it's how quickly manufacturers can respond when they are, and whether consumers will accept the trade-offs between connectivity convenience and security risks.

The road ahead requires unprecedented collaboration between automakers, cybersecurity experts, regulators, and consumers to ensure that our increasingly connected vehicles remain safe, secure, and trustworthy.