
Modern vehicles are no longer purely mechanical machines—they are sophisticated computers on wheels packed with infotainment systems, telematics units, cellular connectivity, and over-the-air (OTA) update capabilities. While these features deliver convenience, safety, and entertainment, they have also created significant remote attack surfaces that security researchers and hackers continue to exploit.
The Infotainment System: The Primary Entry Point
One of the most common gateways for remote attacks is the vehicle’s infotainment or telematics head unit. These systems often maintain constant connections to cellular networks for navigation, streaming, and remote services.
A landmark demonstration occurred in 2015 with the Jeep Cherokee. Security researchers Charlie Miller and Chris Valasek showed how they could remotely access the Uconnect system over the internet, rewrite its firmware, and then send malicious commands across the vehicle’s internal Controller Area Network (CAN) bus. This allowed them to control critical functions including transmission, brakes, steering (to a limited degree), climate controls, wipers, and more—even while the vehicle was driving on a highway. The vulnerability impacted approximately 1.4 million Fiat Chrysler vehicles, leading to a major recall and a manual software patching process.
The core issue in many such cases is insufficient isolation between the entertainment system and the safety-critical components of the car. Once attackers gain a foothold in the head unit, they can often reach deeper systems.
Cloud Services, APIs, and Dealer Portals
Many modern cars can be controlled via smartphone apps for locking, unlocking, remote start, and tracking. These features rely on manufacturer cloud services and APIs that have repeatedly proven vulnerable.
In 2024, researchers exposed serious flaws in Kia’s web portals that allowed anyone with a vehicle’s license plate (converted to VIN) to locate, unlock, start, and control millions of vehicles from model years 2022–2025. The problem stemmed from weak access controls and overly permissive dealer-level tokens that did not properly verify ownership. Similar weaknesses have appeared in other brands through dealer management systems and mobile applications lacking robust authentication, such as missing or weak two-factor authentication.
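The access-control weakness described above, shown as an added example (not code from any manufacturer or from the research mentioned): a flawed authorization check that trusts any dealer token beside one that binds each request to the specific vehicle. The token fields, VINs, dealer IDs and the dealer command policy are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: vehicle ownership and unsold dealer stock.
OWNERS = {"VIN-DEMO-0001": "alice"}
DEALER_INVENTORY = {"dealer-17": {"VIN-DEMO-0002"}}
DEALER_COMMANDS = {"locate"}  # assumed policy: dealers never unlock or start


@dataclass(frozen=True)
class Token:
    subject: str  # account ID or dealer ID the token was issued to
    role: str     # "owner" or "dealer"


def authorize_weak(token, vin, command):
    """Flawed pattern: a valid dealer token is trusted for any VIN."""
    if token.role == "dealer":
        return True
    return OWNERS.get(vin) == token.subject


def authorize_strict(token, vin, command):
    """Check the subject's relationship to this vehicle, whatever the role."""
    if token.role == "owner":
        return OWNERS.get(vin) == token.subject
    if token.role == "dealer":
        in_stock = vin in DEALER_INVENTORY.get(token.subject, set())
        # Dealer access ends once the vehicle is registered to an owner.
        return in_stock and vin not in OWNERS and command in DEALER_COMMANDS
    return False  # unknown roles are denied by default
```
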
Cellular, Wireless, and Modem Vulnerabilities
Vehicles equipped with persistent 4G/5G cellular modems present another major risk. Researchers have demonstrated how IMSI catchers (fake cell towers) can track vehicle locations, disrupt connectivity, force fallback to less secure modes, or intercept communications. These attacks often target widely used modem chipsets found across multiple manufacturers.
Additional wireless vectors include factory Wi-Fi hotspots, Bluetooth pairing flaws, and keyless entry systems susceptible to relay attacks, signal jamming, or code replay techniques. While many key fobs use rolling codes, sophisticated attacks can still bypass them under the right conditions.
The Insecure Foundation: The CAN Bus
At the heart of nearly every modern vehicle lies the Controller Area Network (CAN) bus—the communication protocol that allows electronic control units (ECUs) for the engine, brakes, doors, airbags, and other systems to talk to one another. Designed decades ago for reliability and speed in harsh automotive environments, CAN lacks native encryption or authentication.
This means that once an attacker gains any foothold—whether through the infotainment system, a compromised telematics unit, or even a malicious OBD-II device—they can inject forged messages to spoof commands or disrupt vehicle operations.
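What adding authentication to CAN traffic involves, as an added example that is not from the original article and does not implement any automotive standard: each frame carries a truncated MAC and a freshness counter, so a receiver drops forged and replayed frames. The frame layout, the pre-shared key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4   # truncated MAC bytes carried in the frame
MAX_DATA = 3  # 8-byte classic CAN payload = data + 1 counter byte + tag


def frame_mac(key, can_id, counter, data):
    """Truncated HMAC-SHA256 over the CAN ID, the full counter and the data."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(key, can_id, counter, data):
    """Sender side: payload = data || low byte of counter || tag."""
    if len(data) > MAX_DATA:
        raise ValueError("data too long for an 8-byte payload")
    return data + bytes([counter & 0xFF]) + frame_mac(key, can_id, counter, data)


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key):
        self.key = key   # assumed to be provisioned to sender and receiver
        self.last = {}   # CAN ID -> last accepted full counter

    def accept(self, can_id, payload):
        if not 1 + TAG_LEN <= len(payload) <= 8:
            return None
        data = payload[:-TAG_LEN - 1]
        low = payload[-TAG_LEN - 1]
        tag = payload[-TAG_LEN:]
        nxt = self.last.get(can_id, -1) + 1
        # Smallest counter >= nxt whose low byte matches the frame, so a
        # replayed frame maps to a counter its tag was never computed for.
        counter = nxt + ((low - nxt) % 256)
        expected = frame_mac(self.key, can_id, counter, data)
        if not hmac.compare_digest(tag, expected):
            return None
        self.last[can_id] = counter
        return data
```

A node that does not hold the key cannot produce a valid tag, and a captured frame is rejected when replayed because the receiver's counter has moved on.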
Why These Vulnerabilities Persist
Several systemic factors contribute to ongoing risks:
- Legacy protocols meeting modern connectivity
- Pressure to deliver new features quickly, often at the expense of security
- Complex supply chains where multiple vendors provide components and software
- Difficulty in updating millions of vehicles already on the road
As a result, remote cyberattacks on vehicles have increased sharply in recent years, with many incidents targeting telematics systems and cloud APIs.
Moving Toward Better Security
Automakers are gradually improving defenses through better network segmentation, firewalls between infotainment and critical systems, stronger API authentication, encrypted communication buses, and more frequent OTA security updates. Industry standards from the United Nations and ISO are also pushing manufacturers toward “secure by design” practices.
For vehicle owners, practical steps include keeping software updated, using strong unique passwords with two-factor authentication on manufacturer apps, avoiding unnecessary aftermarket connectivity devices, and storing key fobs in Faraday pouches to block relay attacks.
As cars become increasingly software-defined, the gap between convenience and security must close. The incidents documented so far serve as clear warnings: connected vehicles require the same rigorous cybersecurity standards applied to smartphones, computers, and critical infrastructure. Until then, the flaws that allow remote access will continue to represent a real and evolving threat.