How to protect your car from hacking | Kaspersky official blog

It’s been ten years since two researchers — Charlie Miller and Chris Valasek — terrified a Wired journalist (and then the whole world) with their remote hack of a Jeep Cherokee speeding down the highway. It played out like something straight out of a Stephen King novel — a possessed car gone rogue. The wipers started moving on their own, buttons stopped responding, the radio blasted uncontrollably, and the brake pedal went dead. We’ve covered that case in detail plenty before: here, here, and here.

Since then, cars have continued to evolve rapidly to integrate an ever-wider array of features. Digital electronics now control almost everything — from the engine and fuel systems to autopilot, passenger safety, and infotainment. That also means every interface or component can become a hacker’s entry point: MOST, LIN, and CAN buses, OBD ports, Ethernet, GPS, NFC, Wi-Fi, Bluetooth, LTE… But hey — on the bright side, the latest CarPlay lets you change your dashboard wallpaper!

Jokes aside, the most serious attacks no longer target individual vehicles, but rather their manufacturers’ servers. In 2024, for example, Toyota lost 240GB of data, including customer information and internal network details. A single compromised server can expose millions of vehicles at once.

Even the United Nations has taken note, and for once didn’t stop at “expressing concern”. Together with automakers, the UN has developed two key regulations — UN R155 and UN R156 — setting high-level cybersecurity and software update requirements for vehicle manufacturers. Also relevant is the ISO/SAE 21434:2021 standard, introduced in 2021, which details methods to mitigate cyber-risks throughout vehicle production. Though the above, technically, are recommendations, automakers have a strong incentive to comply: mass recalls can cost tens or even hundreds of millions of dollars. Case in point: following the incident mentioned earlier, Jeep had to recall 1.4 million vehicles in the U.S. alone — and faced a whopping $440 million in lawsuits.

Surprisingly, the UN’s efforts have had real impact. In the last two years, the strict new rules have already led to the discontinuation of several older models, simply because they were designed before the regulations came into force. The discontinued models in 2024 include the Porsche 718 Boxster and Cayman (July), Porsche Macan ICE (April), Audi R8 and TT (June), VW Up! and Transporter 6.1 (June), and Mercedes-Benz Smart EQ Fortwo (April).

What exactly can hackers do?

There are plenty of ways cybercriminals can cause trouble for drivers:

• Creating dangerous situations. Disabling brakes, blasting loud music, or triggering other distractions (as in the Jeep case) can serve as psychological pressure or direct physical threats to anyone inside the vehicle.
• Stealing telematics data. This can be used to launch a targeted attack on specific individuals. In 2024, millions of Kia vehicles were found vulnerable to remote tracking via a dealer portal. With just a license plate number, attackers could locate the car in real time, lock or unlock the doors, start or stop the engine, and even honk the horn. Similar issues have affected BMW, Mercedes, Ferrari, and other manufacturers. Researchers also discovered that by compromising smart alarm systems they could listen to what’s going on in the interior of the car, access vehicle history, and steal owners’ personal data.
• Stealing the car itself. For example, by using devices such as CAN injectors, which connect to the vehicle’s CAN bus (through the headlight circuit, for example) and send commands that mimic signals from the real key.
• Stealing payment data. You might wonder why a car would hold the owner’s credit card info? Well, one was needed to pay for BMW’s heated seat subscription, for example. But while that particular scheme was scrapped after a public backlash, the “everything-as-a-service” trend continues. For example, in 2023, Mercedes-Benz offered electric car drivers the option to pay extra for faster acceleration. The feature would shave 0.9 seconds off the 0–100km/h time for an annual fee of US$600–900!

How real is the threat to your car?

First, let’s determine which category your vehicle falls into. Kaspersky ICS-CERT experts roughly divide all cars into three groups:

Obsolete vehicles — no risk

Vehicles in this group have no interaction with external information systems via digital channels. Their control units are minimal, and the only interface (if any) is the diagnostic OBD port. They can’t be hacked remotely, and there are no known cases of cyberattacks against them — the only real threat is traditional theft. Even if you install a modern multimedia head unit or an emergency response system, those modules remain isolated from the car’s internal components, preventing any attack on critical systems.

Legacy vehicles — highest risk

These models come in-between older cars with nothing to hack (“when cars were car”, etc.), and today’s “computers on wheels” packed with sensors and interfaces. Most of their systems and controls are digital. They typically include a telematics unit for wireless connectivity, a powerful infotainment system, and intelligent driver-assistance features.

Together, these modules form a poorly protected information network where the ability to remotely adjust vehicle settings or control certain systems creates plenty of potential attack vectors. Owners often replace the outdated factory head units with new ones from third-party manufacturers — which rarely prioritize cybersecurity.

Such models are the most vulnerable to serious cyberattacks — including those that can endanger the driver’s or passengers’ lives. But no one is planning serious security updates for them anymore. That ill-fated Jeep mentioned earlier falls squarely into this category.

Modern vehicles — medium risk

The latest models take into account lessons learned from past mistakes, as well as newly developed standards and regulations. Manufacturers now use segmented network architectures with a central gateway that filters traffic to isolate critical systems from the components most exposed to attack — the infotainment and telecom modules.

Major automakers (General Motors was among the first, plus Tesla, Ford, Hyundai, BMW, Mercedes, Volkswagen, Toyota, Honda, and component makers like Bosch and Continental) now have dedicated cybersecurity teams and conduct penetration testing.

However, this doesn’t mean these cars are completely secure. Researchers regularly find new vulnerabilities even in the most advanced models, because their attack surface is far larger than that of older vehicles.

By the way, Kaspersky has developed its own car cybersecurity solution — Kaspersky Automotive Secure Gateway, so our top-tier protection will soon be available for vehicles too.

What to look out for when buying a car?

When buying a new vehicle these days, consider not only the technical specs but also its cybersecurity. Start by checking online for reports of cyberattacks on specific models or their manufacturers — such incidents rarely go unnoticed.

If possible, find information about the following:

• The information network architecture of the car
• The presence of a central security gateway
• Separation of the car’s network into security domains
• Support of CAN-message encryption

You should also ask the dealer the right questions:

• What cybersecurity systems are built into the car?
• How often are software updates released for this model, and how are they installed?
• How can unused smart functions be disabled?

How do you set everything up correctly if you already have a car?

Start with the manufacturer’s mobile app (if one exists).

• Set a strong, unique password that doesn’t contain any personal information. For help with this, see Creating an unforgettable password.
• Strengthen your account security with two-factor authentication or passkeys, if available.
• Regularly check the activity log and the list of devices connected to your account.
• Disable any unused features in both the app and the car.

Next, tighten up the privacy settings in the car itself.

• Turn off telemetry collection where possible.
• Limit access to microphones and cameras.
• Clear your travel history and saved contacts before selling the car.

And let’s not forget about managing connected devices.

• Regularly review paired Bluetooth devices.
• If possible, prohibit Bluetooth pairing without confirmation.
• Remove connections to the devices of previous owners or passengers.
• Disable automatic connection to unknown Wi-Fi networks.

A few final tips:

• Keep your car’s software up to date: install firmware updates as soon as they’re released. Enable automatic notifications for available updates in the car settings.
• Monitor telemetry access: regularly check what data your car collects and who it’s shared with. Many of the latest cars let you limit personal data collection.

What to do if you suspect your car is hacked?

First, ask yourself: “What’s the evidence?” and check for the following signs of compromise:

• Vehicle features unexpectedly turning on and off
• Rapid battery drain with no obvious cause
• Strange notifications in the vehicle’s mobile app
• Inability to control the car normally

If you suspect a hack, do the following:

• Disconnect the car from the internet. Remove the SIM card if possible, or contact your mobile operator to block data transfer for the number linked to the vehicle.
• Change passwords for the car’s mobile app. If possible, terminate all sessions tied to your account (often an option in the settings), or review all connections and remove any unknown devices.
• Take photos of any alerts the car displays.
• If you’ve entered payment card details in the car, block the card immediately.
• Contact an authorized dealer for diagnostics.
• Contact the vehicle manufacturer’s support.
• If you suspect data theft, report it to the police.

Note that for private owners, the most likely threats are tracking and theft. However, for organizations that operate fleets (taxis, car-sharing, transportation or construction equipment companies), the risks are significantly higher. For a deeper dive into current automotive cybersecurity trends, check out our report on the Kaspersky ICS CERT site.

Want to learn more about other threats to car owners? Browse our relevant posts:

• How millions of Kia cars could be tracked
• I know how you drove last summer
• Spies on wheels: how carmakers collect and then resell information
• Automotive apps: who gets your car keys?
• Hacking smart car alarm systems

Kaspersky official blog – ​Read More