“The modern car is no longer just a mechanical device; it’s a computer network on wheels. Today’s vehicles contain more processing power than the spacecraft that took humans to the moon, with upwards of 100 million lines of code controlling everything from braking to battery management.” – Automotive Cybersecurity Summit, 2024
This observation from industry experts perfectly captures our current reality as I lay out my thoughts on this topic.
I love cars.
For some people, cars evoke a passionate response, and I’m one of those people. My passion for things that move is based on their visual appeal; their performance and the experience of driving; and the freedom I’ve felt when presented with an open road regardless of the destination.
When that open road lies in front of you, the journey – the drive – can be more important than where and when you arrive.
The Evolving Complexity of Automotive Systems
Cars are becoming increasingly complex. Well, OK, they always have been mechanically complex, and they’ve been increasing in electronic complexity over time as well. Today’s vehicles contain more than 100 million lines of code and dozens of electronic control units (ECUs) – far more complicated than the computing systems that put people on the moon or have sent probes to travel through our solar system and beyond.
They are certainly sophisticated nodes on the Internet of Everything (IoE).
Modern vehicles have evolved into mobile computing platforms with extensive connectivity. Most new cars now come standard with cellular connections, Wi-Fi capabilities, Bluetooth interfaces, and over-the-air update functionality. The average new vehicle in 2025 has more than 25 different access points that could potentially be exploited by attackers.
The Security Landscape: Then and Now
So, what’s the security concern? Like most things related to security… it depends.
Car computing systems aren’t yet completely interactive, so the risk of a car becoming homicidal on its own remains science fiction. But the work being done on autonomous vehicles has accelerated dramatically since 2015, introducing new attack surfaces and risks.
Back in 2015, security researchers Charlie Miller and Chris Valasek demonstrated how a Jeep Cherokee could be accessed and controlled remotely. They succeeded in manipulating acceleration, braking, and other core functions that could harm people if the intent was malicious.
That discovery led to Fiat Chrysler patching the vulnerability on those Jeep vehicles. You read that right: they patched the vehicles somewhat like we’ve become used to doing on regular old personal computing devices. Patching relied on the vehicle owner taking it to the dealership, which raised concerns about dealership security practices and drew attention to supply chain and third-party risks too.
The Current State of Automotive Cybersecurity
Fast forward to 2025, and the landscape has changed significantly:
- Regulatory Requirements: The UN Economic Commission for Europe (UNECE) WP.29 regulations and ISO/SAE 21434 standards, both introduced after 2020, now mandate cybersecurity measures throughout a vehicle’s lifecycle. All new vehicle types in major markets must comply with these regulations, requiring manufacturers to implement comprehensive security management systems.
- Over-the-Air Updates: Most manufacturers now push security updates wirelessly rather than requiring dealership visits. While this improves patch deployment, it also creates a new attack vector that must be secured.
- Advanced Persistent Threats: Several major automotive-focused APT groups have emerged, specifically targeting connected vehicle infrastructure. In 2023, one such group compromised charging infrastructure in multiple European countries, demonstrating the expanding threat landscape.
- Vehicle SOCs: Major automakers now operate dedicated Security Operations Centers that monitor their vehicle fleets for anomalous behavior and potential intrusions in real-time.
- V2X Communications: Vehicle-to-everything (V2X) technology has been deployed in several urban areas, enabling cars to communicate with infrastructure and each other. While enhancing safety and efficiency, this creates new attack opportunities.
The Insurance Connection
The insurance industry’s involvement has grown more sophisticated. What started as simple OBD-II port dongles for usage-based insurance has evolved into comprehensive telematics solutions deeply integrated with vehicle systems.
Modern insurance telematics now often operate through manufacturer-approved APIs rather than direct access to vehicle networks. This improves security but doesn’t eliminate risk entirely. Several major insurers experienced data breaches between 2021 and 2024 that exposed driving behavior data from millions of policyholders.
Beyond Individual Vehicles: Fleet and Infrastructure Concerns
Law enforcement vehicles remain particularly vulnerable targets. A 2023 incident involving a coordinated attack on police vehicles in a major metropolitan area highlighted how the risk has evolved from theoretical to practical. The attackers exploited a vulnerability in the emergency communication systems to temporarily disable multiple patrol vehicles simultaneously.
Fleet operators now face unique challenges. The Federal Motor Carrier Safety Administration (FMCSA) issued guidance in 2024 specifically addressing cybersecurity requirements for commercial vehicle fleets, recognizing that a compromised fleet could have catastrophic consequences.
Electric vehicle charging infrastructure represents another emerging concern. The expansion of charging networks has created a new attack surface, with several documented incidents of charging station manipulation affecting connected vehicles.
The Autonomous Revolution
Autonomous vehicles have progressed significantly since 2015, with Level 3 systems now commercially available and Level 4 systems operating in limited service areas. These systems introduce entirely new security paradigms and risks:
- Sensor Spoofing: Attacks targeting the sensors autonomous vehicles rely on (cameras, lidar, radar) have evolved from academic research to documented real-world incidents. In 2024, researchers demonstrated how subtle road markings could mislead multiple autonomous systems into dangerous behaviors.
- Machine Learning Vulnerabilities: The AI systems powering autonomous functions introduce unique vulnerabilities. Adversarial attacks specifically designed to confuse neural networks have become more sophisticated, potentially causing autonomous systems to misinterpret their environment.
- Remote Command and Control: The ability to remotely monitor and override autonomous vehicles is both a safety feature and a security concern. Strong authentication and authorization frameworks have become critical as these capabilities expand.
Industry Response
The automotive industry has substantially improved its security posture. Most major manufacturers now:
- Employ Security by Design: Security requirements are integrated from the earliest design phases rather than added afterward.
- Maintain Robust Bug Bounty Programs: Several automakers offer rewards exceeding $500,000 for critical vulnerabilities, recognizing the value of coordinated disclosure.
- Implement Segmented Networks: Vehicle architectures increasingly separate critical driving functions from infotainment and connectivity systems, limiting potential attack propagation.
- Utilize Hardware Security Modules (HSMs): These dedicated security chips now protect the most sensitive vehicle systems against tampering.
- Conduct Regular Penetration Testing: Third-party security assessments have become standard practice before releasing new models or major software updates.
Evaluating Your Risk
If you operate or support a fleet of vehicles, you need to be aware of these issues as you acquire models with certain features. If you’re already operating remote monitoring and transmission devices in your fleet, you should regularly assess their security posture.
Evaluate your level of risk and exposure, and act accordingly to manage the risk:
- Inventory Connected Systems: Document all connectivity points in your vehicles and supporting infrastructure.
- Implement Update Policies: Ensure vehicles receive security updates promptly.
- Consider Monitoring Solutions: For larger fleets, consider solutions that can detect anomalous vehicle behavior.
- Train Personnel: Ensure drivers and maintenance staff understand basic cybersecurity hygiene for vehicles.
- Develop Incident Response Plans: Know how to respond if vehicle systems are compromised.
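As an added illustration (not code from the original post), the first two items and the advice to regularly assess remote monitoring devices can be turned into a repeatable check over a fleet inventory. The record layout, the thresholds, and the sample fleet below are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Policy thresholds are assumptions for this example, not values from the article.
MAX_UPDATE_AGE_DAYS = 30
MAX_ASSESSMENT_AGE_DAYS = 180

@dataclass
class Interface:
    name: str                   # e.g. "cellular", "wifi", "bluetooth", "obd2-dongle"
    documented: bool            # recorded in the fleet's connectivity inventory
    aftermarket: bool = False   # operator-added device (telematics, insurance dongle)
    last_assessed: Optional[date] = None

@dataclass
class Vehicle:
    vehicle_id: str
    last_security_update: date
    interfaces: list = field(default_factory=list)

def audit(vehicle, today):
    """Return the findings for one vehicle; an empty list means it meets the policy."""
    findings = []
    age = (today - vehicle.last_security_update).days
    if age > MAX_UPDATE_AGE_DAYS:
        findings.append(f"update overdue by {age - MAX_UPDATE_AGE_DAYS} days")
    for itf in vehicle.interfaces:
        if not itf.documented:
            findings.append(f"undocumented interface: {itf.name}")
        if itf.aftermarket:
            if itf.last_assessed is None:
                findings.append(f"aftermarket device never assessed: {itf.name}")
            elif (today - itf.last_assessed).days > MAX_ASSESSMENT_AGE_DAYS:
                findings.append(f"assessment stale: {itf.name}")
    return findings

def audit_fleet(fleet, today):
    """Map vehicle_id -> findings, keeping only vehicles with at least one finding."""
    report = {v.vehicle_id: audit(v, today) for v in fleet}
    return {vid: found for vid, found in report.items() if found}

# Constructed sample inventory (not real fleet data).
TODAY = date(2025, 6, 1)
FLEET = [
    Vehicle("VAN-001", date(2025, 5, 20), [Interface("cellular", True), Interface("bluetooth", True)]),
    Vehicle("VAN-002", date(2025, 3, 1), [Interface("cellular", True), Interface("wifi", False)]),
    Vehicle("VAN-003", date(2025, 5, 25), [Interface("obd2-dongle", True, aftermarket=True)]),
]
```

Calling audit_fleet(FLEET, TODAY) returns findings for VAN-002 and VAN-003 only; the output is a natural input for the monitoring and incident response items that follow in the list.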
Driving it Home
I’ll always love the cars that please the eye; pin you to your seat back with their performance; and enhance the enjoyment of an open road. If I have to actively manage and concern myself with the security of the car… likely not going to enjoy it so much.
The automotive industry has made significant strides since 2015, but as vehicles become more connected and autonomous, the security challenges will continue to evolve. Innovation should “drive” us toward the future. Safe innovation should be encouraged.
We’ll see what the future brings.
“Car, take me home.”
“I’ve detected unusual network activity. For your safety, I’ve initiated secure mode and am contacting your authorized service provider.”