Documented Cases of Vehicle Hacking and Exploits
When researchers Charlie Miller and Chris Valasek remotely hijacked a Jeep Cherokee traveling at 70 mph on a St. Louis highway in 2015, they didn’t just prove a theoretical vulnerability—they demonstrated that modern vehicles could be commandeered from miles away. The driver, a Wired journalist who had volunteered for the demonstration, watched helplessly as the hackers disabled the transmission, killed the engine, and took control of the steering. This watershed moment forced the automotive industry and consumers alike to confront an unsettling reality: the same connectivity that makes our cars smarter also makes them vulnerable to cyber attacks.
While data brokers quietly harvest your driving habits for profit—a concern we explored in our recent examination of “Who Is Buying Your Car Data? The Automotive Data Broker Industry”—hackers represent a more immediate and potentially dangerous threat. Unlike passive data collection, vehicle hacking can result in physical harm, theft, and complete loss of vehicular control.
The Jeep Cherokee incident wasn’t an isolated case. In 2016, Chinese security researchers demonstrated they could remotely control a Tesla Model S from twelve miles away, activating the brakes while the vehicle was in motion. BMW faced its own security crisis when German automotive club ADAC discovered vulnerabilities affecting 2.2 million vehicles, allowing thieves to unlock doors using a simple signal amplification attack. More recently, in 2022, security researcher Sam Curry exposed flaws in multiple manufacturers’ systems that could have allowed attackers to locate, unlock, and start vehicles remotely.
These documented exploits share common attack vectors: wireless communication systems, mobile apps with inadequate authentication, and insecure API endpoints. The automotive industry’s rapid integration of connectivity features has outpaced the development of robust automotive cybersecurity protocols, creating a dangerous gap between innovation and protection.
Remote Access Vulnerabilities in Car Software
Modern vehicles contain upwards of 100 million lines of code—more than a Boeing 787 Dreamliner—distributed across dozens of electronic control units (ECUs). This complexity creates an expansive attack surface that cybercriminals can exploit through multiple entry points.
The primary vulnerability lies in the telematics systems that enable remote services like emergency assistance, navigation updates, and smartphone integration. These systems maintain constant cellular connections to manufacturer servers, creating a persistent pathway into the vehicle’s network. When improperly secured, these connections become digital highways for hackers to access critical vehicle systems.
Vehicle infotainment systems represent another significant weak point. Many modern cars allow smartphone pairing via Bluetooth and USB connections, technologies originally designed without automotive security requirements in mind. Security researchers have demonstrated how malicious code can spread from a compromised phone to the car’s Controller Area Network (CAN) bus, the central nervous system that manages everything from airbag deployment to braking systems.
Keyless entry and ignition systems have proven particularly vulnerable to relay attacks. Thieves use signal amplifiers to extend the range of key fobs, tricking vehicles into believing the authorized key is nearby. According to research from the National Highway Traffic Safety Administration, these attacks require minimal technical sophistication but can compromise even luxury vehicles with advanced security features in under sixty seconds.
Over-the-air (OTA) update capabilities, while convenient for delivering software patches and new features, introduce additional connected car security risks. If the authentication and encryption protecting these update channels are compromised, hackers could potentially install malicious firmware directly onto vehicle systems, granting persistent access that survives reboots and traditional security measures.
The CAN Bus Vulnerability
The Controller Area Network bus, designed in the 1980s when vehicle cybersecurity threats were nonexistent, lacks built-in authentication or encryption. Any device connected to the CAN bus can send commands to other connected systems without verification. This architectural weakness means that gaining access to any single ECU—through the infotainment system, diagnostic port, or wireless connection—can potentially grant control over critical safety systems.
Risks from OBD-II Devices and Third-Party Apps
The same diagnostic port that mechanics use to troubleshoot engine problems has become a security liability. On-Board Diagnostics II (OBD-II) ports, mandated on all vehicles sold in the United States since 1996, provide direct access to the vehicle’s CAN bus. While intended for emissions monitoring and diagnostics, these ports have spawned an entire ecosystem of third-party devices and applications—many with questionable security practices.
Insurance companies offer dongles that plug into OBD-II ports to monitor driving behavior in exchange for potential premium discounts. Fleet management companies use similar devices to track commercial vehicles. Aftermarket performance monitors promise real-time engine data and diagnostic capabilities. However, security audits have revealed alarming vulnerabilities in many of these devices.
Some third-party OBD-II dongles transmit data over unencrypted Bluetooth connections, allowing nearby attackers to intercept sensitive vehicle information or inject malicious commands. Others store vehicle data on cloud servers with inadequate access controls, creating opportunities for unauthorized access. Perhaps most concerning, certain devices maintain persistent connections to manufacturer servers using hardcoded credentials that cannot be changed by vehicle owners.
Mobile applications that interface with connected vehicles present similar risks. Researchers have discovered that many automotive companion apps transmit authentication tokens over insecure channels, store sensitive credentials in plain text, or fail to properly validate server certificates. These oversights enable man-in-the-middle attacks where hackers intercept communications between the app and vehicle.
The Growing Third-Party Ecosystem
As the aftermarket automotive technology sector expands, the potential for car hacking grows proportionally. Unlike manufacturer-developed systems that undergo internal security reviews, third-party devices and applications face minimal regulatory oversight regarding vehicle cybersecurity threats. This fragmented ecosystem creates inconsistent security standards and multiplies the potential entry points for malicious actors.
How Manufacturers Are Addressing Security Flaws
The automotive industry’s response to remote car hacking concerns has evolved from dismissive to proactive, driven by high-profile exploits, regulatory pressure, and liability concerns. Major manufacturers have established dedicated cybersecurity teams, implemented bug bounty programs, and begun designing vehicles with security as a fundamental requirement rather than an afterthought.
General Motors created a Product Cybersecurity organization staffed by hundreds of specialists who review vehicle architecture, conduct penetration testing, and develop security protocols. Ford established a Security Advisory Council that coordinates with external researchers and government agencies to identify and address vulnerabilities. Tesla’s approach includes regular OTA security updates and one of the automotive industry’s most generous bug bounty programs, offering substantial rewards for documented security flaws.
Industry-wide initiatives like the Auto-ISAC (Automotive Information Sharing and Analysis Center) facilitate collaboration among manufacturers, suppliers, and security researchers. This organization enables companies to share threat intelligence and best practices without competitive concerns hindering collective security improvements.
Technical countermeasures being implemented include hardware security modules that encrypt sensitive data, intrusion detection systems that monitor CAN bus traffic for anomalies, and secure gateway ECUs that isolate critical safety systems from infotainment networks. Manufacturers are also adopting secure boot processes that verify firmware authenticity before execution, preventing the installation of unauthorized software.
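To make the intrusion detection countermeasure concrete, here is an added example (not code from this article or from any manufacturer) of a timing-based CAN bus monitor: it learns each message ID's normal period and payload length from a known-clean capture, then flags unknown IDs, unexpected lengths, and frames that arrive much faster than the learned period. The candump-style log format, the function names, the 0.5 ratio threshold, and all sample frames are assumptions constructed for illustration.

```python
import re
from statistics import median

# candump log line: "(timestamp) interface ID#DATA"; ID is 3 or 8 hex digits.
FRAME_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})"
                      r"#((?:[0-9A-Fa-f]{2}){0,8})")

def parse(lines):
    """Yield (timestamp, can_id, payload) for well-formed lines; skip the rest."""
    for line in lines:
        m = FRAME_RE.fullmatch(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def learn_baseline(lines):
    """From a known-clean capture: {can_id: (median period in s, payload lengths)}."""
    times, lengths = {}, {}
    for ts, can_id, data in parse(lines):
        times.setdefault(can_id, []).append(ts)
        lengths.setdefault(can_id, set()).add(len(data))
    return {cid: (median(b - a for a, b in zip(t, t[1:])), lengths[cid])
            for cid, t in times.items() if len(t) > 1}

def detect(lines, baseline, ratio=0.5):
    """Return (timestamp, can_id, reason) alerts for frames that break the baseline."""
    alerts, last = [], {}
    for ts, can_id, data in parse(lines):
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown-id"))
            continue
        period, lengths = baseline[can_id]
        if len(data) not in lengths:
            alerts.append((ts, can_id, "length-mismatch"))
        # Extra frames squeezed between periodic ones shorten the gap.
        if can_id in last and ts - last[can_id] < ratio * period:
            alerts.append((ts, can_id, "interval-too-short"))
        last[can_id] = ts
    return alerts

# Constructed sample data: 0x0C4 every 10 ms, 0x1A0 every 100 ms.
CLEAN = ([f"({0.010 * i:.6f}) can0 0C4#0000000000000000" for i in range(20)]
         + [f"({0.100 * i:.6f}) can0 1A0#00FF" for i in range(3)])
SUSPECT = """\
(1.010000) can0 0C4#0000000000000000
(1.012000) can0 0C4#FFFF000000000000
(1.020000) can0 0C4#0000000000000000
(1.021000) can0 7DF#0201000000000000
(1.030000) can0 0C4#0000
""".splitlines()
```

Calling detect(SUSPECT, learn_baseline(CLEAN)) returns three alerts, one per rule. Event-driven IDs that have no fixed period would need a separate rate limit, which this example does not model.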
However, challenges remain. The automotive development cycle spans years, meaning vehicles designed before recent security advances will remain on roads for decades. Legacy systems cannot always be retrofitted with modern protections, creating a long tail of vulnerable vehicles. Additionally, the complex supply chain—involving hundreds of component suppliers each developing their own systems—complicates comprehensive security implementation.
The complexity of connected car security demands constant vigilance from both manufacturers and vehicle owners. While the industry continues strengthening defenses against vehicle cybersecurity threats, understanding these risks empowers you to make informed decisions about which connectivity features to enable, which third-party devices to trust, and how to protect your vehicle from emerging threats. As cars become increasingly computerized, treating them as mobile devices that happen to transport you—rather than mechanical objects with some digital features—becomes not just prudent, but necessary for your safety and privacy.