Cybersecurity risks in modern vehicles: navigating the digital road | Softcat
Skip to main content

Login to eCAT

Customer Support
Contact Sales

Cybersecurity risks in modern vehicles: navigating the digital road

Understanding vulnerabilities, threats and precautions for connected cars
Softcat PPT Background Radial Aubergine Gradient RGB Softcat PPT Background Radial Aubergine Gradient RGB

Kiera Gilmore-Hardie

Cyber Security Assessor

No longer just mechanical machines, today’s vehicles are packed with software, sensors and internet connectivity, turning them into ‘Software Defined Vehicles’ (SDVs). From streaming music and live navigation to unlocking doors with a smartphone, modern cars are highly connected digital platforms, designed to make driving easier, safer and more enjoyable, redefining the driving experience.

Although convenient, there is a downside to this digital evolution. The more connected a vehicle becomes, the more opportunities there are for cyber criminals to gain access. These risks are complex, and unlike a hacked laptop or phone, threaten both data privacy and physical safety.

Modern vehicles now routinely include Bluetooth connectivity, GPS navigation, WI-Fi and mobile app integration, as well as hands-free calling, real time navigation and even remote control via smartphones. While these features offer real convenience, they also increase the potential attack surface, making vehicles attractive targets for cybercriminals. Research shows that the average data breach can go undetected for over six months, and more than half of people admit they would not know how to respond if their data was compromised. Increasing education and awareness, especially among non-technical users, has never been more critical.

Infotainment and connectivity systems: the digital dashboard

Infotainment systems are at the heart of a modern vehicle’s connectivity. Platforms like Apple CarPlay and Android Auto seamlessly connect smartphones with the dashboard through Bluetooth or USB, while manufacturer systems such as Ford SYNC or NissanConnect can control navigation, climate control and vehicle diagnostics. Advanced Driver Assistance Systems (ADAS) also rely on connected sensors and cameras to support safer driving.

These systems make driving smarter, more comfortable and more convenient, but they also introduce risk. Bluetooth, USB, Wi-Fi and cellular connections all expose multiple paths for cyber attacks. Security standards can vary widely across manufacturers, and software updates are not always applied consistently or quickly.

Security researchers have demonstrated how malware can be introduced via USB ports, how Wi-Fi vulnerabilities can be exploited and even how web-based flaws can be used to access vehicle systems – all through the infotainment system. One of the most well known examples saw researchers Charlie Miller and Chris Valasek remotely hack into a Jeep Cherokee through its infotainment computer. This security flaw could affect over 1.4 million US vehicles.  For drivers, this highlights how everyday features can sometimes expose hidden weaknesses, ready to be used by malicious actors.

Bluetooth: a convenient gateway

Bluetooth is now nearly universal, with around 87% of cars rolling off the production line including it as a standard feature. Designed for hands-free communication and media streaming, Bluetooth technology can also become an unexpected point of vulnerability.

One example is the ‘CarBlues’ exploit, which allowed unauthorised access and extraction of contacts and text messages from infotainment systems. This risk increases in rental or shared vehicles, where personal data from previous users may still be stored.  Contact lists, call logs and messages may be harvested by the next driver or a savvy hacker if they are not manually deleted.

Bluetooth connections are often persistent and not easily reset, leaving traces long after a device is disconnected. For drivers, this makes it important to regularly review and remove old devices from vehicle systems.

USB and SD card ports: small ports, big risks

USB and SD card interfaces, while essential for software updates, charging and media playback, can also serve as easy entry for malware and unauthorised data access.

Researchers have shown that malicious code can be introduced through these ports. A well-publicised attack on Mazda infotainment systems allowed sensitive data to be accessed remotely through USB access. Fiat Chrysler also faced criticism when it issued a USB security patch, leading to concerns that fake USB update drives could be used for phishing attacks.

These examples highlight the importance of limiting physical access to vehicle ports and ensuring that updates only come from trusted sources.

Cellular and Wi-Fi interfaces: remote control possibilities

Modern vehicles often include built-in cellular and Wi-Fi connectivity, which provide internet access, live traffic updates and cloud-based services. However, these features can be double-edged swords.

The Jeep Cherokee hack showed how weaknesses in cellular connections could be exploited to remotely disable critical vehicle functions, including steering and braking. Mitsubishi vehicles have also been compromised using Wi-Fi vulnerabilities. These attacks don’t just threaten personal data, but also interfere directly with vehicle operation, a threat to both privacy and safety.

Network-based attacks are on the rise, accounting for nearly half of all known vehicle cyber incidents in 2022, according to AutoCrypt’s 2023 annual report. As cars become more connected, the importance of regularly updating software, disabling unused wireless features and adhering to standards such as ISO/SAE 21434 becomes essential.

Mobile applications and remote access

Many manufacturers now offer mobile apps that enable drivers to remotely lock and unlock doors, start the engine, run diagnostics and even make payments. While convenient, these apps are frequently under-protected against cyber threats.

Vulnerabilities have been discovered in apps from major manufacturers like Nissan and Hyundai, allowing attackers to remotely access vehicles if they can exploit insufficient authentication. Simple passwords and the absence of two-factor authentication (2FA), make it easier for attackers to hijack accounts and, in some cases, gain remote control of the vehicle.

It is crucial for both manufacturers and users to recognise these risks. For users, basic steps such as enabling 2FA and using strong, unique passwords can significantly reduce risk. For manufacturers, stricter security measures and clearer guidance are essential.

Keyless fob exploitation: the invisible threat

Keyless entry systems, while convenient, are highly susceptible to relay or signal boosting attacks. In these scenarios, criminals use devices to extend the communication range between the key fob and the vehicle, tricking the car into thinking the key is nearby and allowing unauthorised access.

The statistics are troubling, showing that vehicles equipped with keyless entry are twice as likely to be stolen (Daniels & Reid 2023), and over one third of vehicle break-ins now involve keyless exploit techniques (ONS 2023). Simple precautions can help reduce risk, such as keeping fobs away from doors and windows where signals might be more easily intercepted, using signal-blocking pouches and, where possible, disabling passive entry features.

Public perception and the knowledge gap

Despite growing media attention, awareness of vehicle cybersecurity risk remains low. Surveys indicate that many drivers underestimate the volume of sensitive personal data stored in infotainment systems, and are unaware of the risks associated with mobile device connections and keyless entry systems.

Dealers and rental companies seldom provide adequate advice or warnings, and customers are rarely instructed to wipe their data before returning or selling a vehicle. Surveys reveal that personal data from previous users is often still present in vehicles, and for most people, the biggest concerns are unauthorised access to personal data and information being left behind in vehicles unknowingly.

Practical steps to reduce risk

As vehicles continue to evolve digitally, it is critical for manufacturers, dealerships, rental companies and consumers alike to take a proactive stance on cybersecurity.

  • Keep software updated: Install the latest updates for both vehicles and related mobile apps as soon as they are available.
  • Limit connectivity: Disable unnecessary wireless features (Bluetooth, Wi-Fi, etc.) when not in use.
  • Protect key fobs: Use signal-blocking pouches and store keys away from entry points.
  • Practise good data hygiene: Before returning or selling a vehicle, delete all personal data from infotainment systems and apps.
  • Use strong authentication: Enable two-factor authentication and choose strong, unique passwords for vehicle apps.
  • Ask questions: Check the data deletion protocols and cybersecurity policies of every dealership and rental company.

Driving securely into the future

The benefits of connected vehicles are undeniable, and they continue to evolve. However, with this evolution comes new responsibilities around cybersecurity. Awareness, education and vigilance are now as critical on the digital road as they are behind the wheel. As infotainment and connectivity systems progress, stakeholders must work together to ensure that the benefits of modern vehicles are not overshadowed by avoidable cybersecurity risks. Only through collective awareness and ongoing education can we drive confidently into the future secure and informed.

You can find out more about Softcat’s cybersecurity solutions here.