Is car hacking real? Risks, vulnerabilities and expert cyber security tips
Last year's cyber attack on JLR may suggest hackers are only interested in large corporations, but we all need to be aware of the threats we face
Could your car be hacked? In 2025, 612,000 UK businesses were the victims of cyber breaches and attacks, and given the way vehicles these days are digitised and interconnected almost to a fault, it’s perhaps only a matter of time until criminals turn their attention to cars.
“Cybersecurity in automotive has been around for quite a while in some form or another,” explains Paul Wooderson, chief cybersecurity engineer at Horiba MIRA – one of the leading firms in the development and testing of defences against cyber attacks. “But in the last 10 years it’s become more mainstream as vehicles have become more connected.”
Today, almost every new vehicle is connected to the internet. While some rely on embedded 4G and 5G modems to wirelessly receive data for their sat-navs, others will allow you to browse the web, watch YouTube via their infotainment systems, or unlock them via a smartphone app.
Estimates from Statista in 2023 suggested that the UK is home to more than 19 million connected cars. The figure has certainly grown exponentially since then, with each generation of new models introducing, and relying on, more and more connected services. The phrase “laptops on wheels” perhaps never rang truer.
What are the real car hacking risks?
This opens up drivers to a raft of threats. A study devised in 2010 by researchers from the University of Washington and the University of California San Diego was one of the first to show how little protection cars once had against cyber manipulation. Experts were able to remotely control and exploit a car’s electrical systems to kill the engine and even deactivate the brakes – both actions that could lead to disastrous consequences if performed in the real world.
“This idea that a cyber attack could cause safety issues was very much the catalyst for the regulations that we now have in place,” says Wooderson. The discussion eventually paved the way for 2022’s United Nations Regulation No. 155 (R155), which requires all new vehicles to implement a type-approved, structured approach to cyber safety. This includes vehicle software encryption and an incident response programme.
On a recent visit to Hyundai Group's new 200-million Euro tech base in Frankfurt, Germany, Auto Express was shown an entire laboratory devoted to ensuring Hyundai, Kia and Genesis models are as well protected from hacking as possible. The facility was also used to develop the over-the-air updates that the manufacturers apply to their cars remotely.
Talking exclusively to us, technical centre managing director Tyrone Johnson likens the situation to the development of home computers. In the early days, these didn't have virus protection, but as attacks have become more sophisticated, so has the defence. "Twenty years ago a computer didn't have virusware,” he says, “and a car is basically an internet device and can be attacked”.
Could hackers gain control of your car?
Thankfully, we’re yet to see many attacks of the kind outlined within the study by the University of Washington and the University of California San Diego; there was one isolated incident in 2015 when hackers caused a Jeep Cherokee to veer off the road on an American highway, but there's little evidence of the issue becoming any more prevalent since.
Perhaps the biggest reason for this is that, as Wooderson points, there’s little for criminals to gain by controlling a car remotely. “You have to question how many attackers are going to be interested in causing vehicles to crash. Most criminals are working for some kind of financial incentive, rather than to cause harm or disruption.”
Such motivations are perhaps more enticing to malicious foreign governments and/or terror organisations, and Wooderson admits: “The threat of nation states or very well funded foreign actors is definitely a consideration – especially in these times.”
Cybersecurity vulnerabilities in cars
Research published in October 2025 by Cornell University in America discovered that the likes of the Tesla Model 3 (as well as other connected vehicles) house “systemic protocol weaknesses and architectural misconfigurations”, opening themselves up to sophisticated digital hijacking.
The Ministry of Defence is reported to have banned some electric cars with Chinese-made components from its military bases and it is confirmed to have warned staff not to discuss sensitive information when sitting in its own fleet of cars.
Away from the world of potential espionage, a greater target for online crooks is the valuable personal data stored within our cars’ infotainment systems. Today, automotive connected services usually require some sort of personal log-in, and this kind of data is potentially lucrative to fraudsters who can gain access to accounts or sell it on the dark web to identity thieves.
Last year, a group of cyber criminals attacked a third-party data-processing firm working for Renault, stealing the names, addresses and vehicle information of many of its customers. The French maker notified those affected, reminding them “to be cautious of any unsolicited requests for personal information”.
While the data in this scenario was all stored on external servers, rather than within individual car infotainment systems, that doesn’t mean it’s impossible to access private information housed within a particular vehicle. The UN R155 regulation makes infiltrating a car’s digital systems difficult, but simply forgetting to delete your log-in or profile from the infotainment screen when selling a car can potentially leave you open to identity theft.
Research from Auto Express’ sister title Carwow in 2024 uncovered that one in three used-car buyers had stumbled across the data from previous owners stored within their new vehicle’s infotainment system. “The public awareness [of cybersecurity issues] isn’t quite there yet in the same way it is in the world of IT and mobile phones,” Wooderson says.
Cybersecurity in autonomous cars
Wooderson describes the challenge of cybersecurity as a “moving target”. While manufacturers nowadays boast “large and mature teams of cybersecurity experts performing tests themselves”, he says the prospect of semi and fully autonomous vehicles once again opens up the possibility for widespread danger and disruption.
Many of the most advanced fully autonomous driving systems are powered by a centralised AI, based not within the car itself, but in an external data centre. Given that entire autonomous fleets are all being linked together through a single system, this leaves the door open to widespread attacks that could affect not just one vehicle, but perhaps dozens.
“In practice, this could result in many things,” says Wooderson. “Entire fleets could be made unavailable. There’s also the possibility of a fleet-wide safety incident, with similar attack methods to those deployed by the US researchers years ago.” This would once again require a highly sophisticated cyber attack, but given the financial implications of shutting down an entire fleet, there’s certainly the incentive for online criminal gangs or malicious foreign actors.
“If we look at security in other sectors, it always evolves,” explains Wooderson. The cyber world we live in today has developed greatly over the past few decades and while the prospect of en masse car hacking is unlikely, it’s not out of the question. Perhaps the best advice now is to practice good cybersecurity hygiene: setting strong in-car WiFi passwords and remembering to remove all log-in details when you say goodbye to your vehicle.
“There are always new attacks, vulnerabilities and threats that we have to deal with. At the same time, there’ll always be ways to improve engineering and task methods to keep up with it,” Wooderson says. “We can’t rest on our laurels.”
JLR Cyber Attack – how it affected you
It’s easy to consider the recent attack on Jaguar Land Rover as yet another cyber incident that affected a large corporation but will have had little to no negative impact on consumers. However, although the epicentre of the attack on JLR was very much within the company, the seismic waves were felt further afield.
The ransomware that infiltrated JLR’s systems was able to completely encrypt and disable the company’s entire IT network. Given the production line’s hefty reliance on JLR’s various computer systems, this, in effect, halted vehicle manufacturing altogether.
The result? Car deliveries were delayed by the six-week shutdown period at least; however, it is also rumoured that it has pushed already-long Range Rover wait times back by several months.
Such an attack didn’t just affect those in the process of buying a JLR product, either; existing customers were left unable to service their cars because booking systems and parts supply were disrupted. This will have generated a backlog, meaning customers were forced to wait even longer to have their car looked at.
The result is that the most expensive cyber attack in British history had far-reaching consequences that stretched out beyond the serious business issues it caused JLR and its suppliers.
Manufacturers have been warned to beef up their security systems both in their manufacturing facilities and in the cars they sell because as more cyber criminals realise how potentially lucrative this type of attack can be, stories like this may soon become all the more common.
How to avoid cyber attacks and identity theft from your car
Thanks to the latest connected services, our cars are online together with the huge amounts of personal information they store. It’s important to keep it safe
Seemingly under our own noses, cars have become more interconnected and digitised over the past decade. That means we need to start treating them in the same way as we would a mobile phone or laptop, rather than a piece of old-school machinery.
With this in mind, we’ve curated some top tips to help you keep your personal details safe while you’re using your car, whenever you come to sell it, or simply if you’re handing back a hired vehicle.
Turn off services you aren’t using
If your car has bluetooth, a wi-fi connection or a wi-fi hot spot that you aren’t using, turn them off. These are potential routes into your car’s systems for hackers.
Keep your car updated
Manufacturers can respond to security vulnerabilities in their cars by making security updates to the software. It’s important that you get these updates for your car, whether they’re done at the dealer or sent over the air via wi-fi. Just like a laptop or phone, an updated car is better protected against threats.
Be careful what you plug-in or upload
When installing third-party apps to your car or to a phone you’ve connected to your car, make sure you check they are safe. Download from approved sources and don’t give unnecessary access permissions to apps. Before you plug a USB or external into your car, think about what could be on it.
Avoid public or unknown networks
If your car needs an internet connection to update or use some of its features, be wary of signing into public wi-fi networks and any network that you’re unsure about. These can give access to your car’s systems.
Use good and strong passwords
We all know it’s important to have strong passwords that aren’t used on multiple online accounts but now this applies to your car as well. Most modern cars offer an array of connected services, which allow you to control your vehicle from afar, or access certain online features from within your infotainment system.
The majority of these solutions require a log-in, which will typically house your personal information (name, address, credit card details etc). Make sure you use a good password to protect your data. The same goes for any other apps that you install on your car that have accounts with password access.
Keep your key safe
Criminals can use relay attacks that boost the signal from your key to unlock and drive away your car. But the key can also give access to the car’s digital systems so it’s doubly important to keep it safe.
Storing the key in part of your house that’s away from where your car is parked and using a Faraday bag signal blocker to store the key are sensible precautions. If you ever lose your key, get it blocked and replaced with a new one quickly.
Delete everything when you come to sell a car
You’re used to cleaning a car when you come to sell it, or when returning a hire car, and these days that goes for the car's digital systems too. It’s important to remove any personal data that could be useful to fraudsters.
Delete your sat-nav history
A sat-nav that remembers your recent destinations might be handy if you go to the same place frequently, but such a feature is a fantastic tool for fraudsters or other criminals to map out your movements.
Remove your devices from Bluetooth
When pairing your phone to a car via Bluetooth, information such as recent calls, your phone number and even your address book is all stored within the infotainment system. Make sure to delete or ‘forget’ your phone within the Bluetooth connections list before handing the vehicle over.
Sign out of all apps and streaming services
Some cars benefit from built-in apps such as Spotify, Apple Music or even Netflix. However, given that these services' log-ins typically require personal and financial information, we recommend signing out of them before returning the car to avoid this information becoming available to criminals.
Get even more from Auto Express, follow our channels...
• Google
• Reddit
• Whatsapp
