Automotive tech: A vast new cyber attack surface

Software-defined vehicles are the future, but they present massive cybersecurity challenges.

Takeaways

• Automotive cyber incidents are rising sharply, with ransomware now accounting for a large share of reported attacks against the auto and mobility ecosystem.
• Modern vehicles, especially the latest software-defined vehicles (SDVs), dramatically expand the attack surface through cloud systems, OTA updates, AI, telematics, and mobile apps.
• Cybercriminals are no longer just targeting automakers; in some cases, drivers themselves have been extorted after attackers interfered with vehicle access or functionality.
• Automakers are responding through new regulations, security standards and architectural changes, but progress is uneven.
• The industry needs to treat cybersecurity the way it treats crash safety: as a baseline safety requirement, not a differentiator.

From mechanical machines to software platforms

For decades, the biggest risks associated with cars were tangible and immediate. Vehicles crashed. Engines failed. People were injured or killed. In response, and under pressure from regulatory agencies and insurers, automakers poured enormous effort into physical safety: crash testing, safety standards, recalls, airbags, and structural engineering. Over time, safety became non‑negotiable.

Today’s vehicles, however, look very different under the hood. Software-defined vehicles rely on centralized computing, continuous connectivity, over-the‑air (OTA) updates, AI‑assisted features, and constant communication with cloud services. This transformation is delivering real benefits, but it has also turned cars into rolling IT environments, complete with many of the same weaknesses found in enterprise systems.

According to multiple industry reports, onboard systems, cloud infrastructure and third-party integrations now represent the largest sources of automotive vulnerabilities, a shift that has accelerated as vehicles become more connected and software-driven.

Automotive cyberattacks by the numbers

The growth in real‑world automotive cyber incidents is already measurable. In 2025, researchers documented 494 publicly reported cybersecurity incidents across the automotive and smart mobility ecosystem worldwide. That number is widely understood to represent only a fraction of actual attacks, as many incidents go undisclosed.

Several trends stand out:

• Ransomware accounted for roughly 44% of reported automotive cyber incidents, more than double its share from the previous year.
• 67% of incidents involved telematics systems or cloud infrastructure, highlighting how exposure is increasingly concentrated in backend systems rather than physical access to vehicles.
• Most attacks were conducted remotely, requiring no physical proximity to the vehicle at all.

Researchers also found that many incidents had the potential to affect thousands or even millions of vehicles simultaneously, particularly when shared platforms or centralized services were involved. A separate report uncovered more than 1,500 supply-chain vulnerabilities in modern automotive ecosystems, presenting a major cybersecurity challenge.

Ransomware on the road

One of the most unsettling developments in automotive cybersecurity is the emergence of attacks that directly impact drivers, not just manufacturers. In several documented cases, attackers exploited vulnerabilities in connected vehicle systems or backend platforms to interfere with vehicle access or functionality, then demanded payment to restore control.

Security researchers and industry analysts have warned that as vehicles rely more heavily on remote services such as digital keys, mobile apps, subscription features, and OTA updates, the risk of consumer‑facing extortion increases. While these incidents are still relatively rare compared to enterprise ransomware attacks, they represent an early warning sign of where the threat landscape could head next.

Like attacks on connected IoT and industrial devices, these attacks blur the line between cybercrime and physical risk. Losing access to a vehicle is not just inconvenient or costly. It can have safety, financial and legal consequences for drivers.

How automakers are responding

To their credit, automakers and regulators are not ignoring the problem. In recent years, the industry has begun to formalize cybersecurity requirements in ways that mirror traditional safety regulation.

Key developments include:

• UN Regulation R155, which requires automakers to implement cybersecurity risk management systems across the vehicle lifecycle.
• UN Regulation R156, which governs secure software update processes, including OTA updates.
• ISO/SAE 21434, a global standard that defines engineering practices for automotive cybersecurity, from design through decommissioning.

Many manufacturers are also rethinking vehicle architecture itself. The shift toward centralized or zonal computing makes systems easier to manage, but it also raises the stakes, since a single compromised component could affect multiple safety‑critical functions. As a result, automakers are increasingly investing in secure boot, hardware roots of trust, continuous monitoring, and vulnerability disclosure programs.

OTA updates, once viewed primarily as a convenience, are now a central part of security strategy. Properly secured, they allow manufacturers to patch vulnerabilities quickly and at scale. Improperly secured, they become a powerful attack vector.

A familiar lesson from crash safety

There’s a clear historical parallel here. Automakers did not eliminate physical risk by assuming accidents wouldn’t happen. They reduced harm by designing for failure, accepting that crashes were inevitable and engineering systems to protect people when things went wrong.

Cybersecurity demands the same mindset. Breaches will happen. Vulnerabilities will be discovered. The real question is whether systems are designed to contain damage, recover quickly and protect drivers when, not if, something fails.

As vehicles continue to evolve into connected, AI‑powered platforms, cybersecurity will increasingly be judged not as a feature, but as a fundamental safety obligation. The manufacturers that implement that lesson early may be the ones best positioned to earn long‑term trust in a future where the next recall could arrive over the air.