Despite increasing law-enforcement efforts in the past year, the automotive industry remains at grave risk of cyber-attack with ransomware, data breaches and operational disruptions, which reached a historic high in 2024.

Those are the findings highlighted in a new in-depth analysis produced by auto cyber-security specialist, VicOne.

The company, provider of security solutions to automakers and suppliers, says criminal hackers have been responsible for attacks on the automotive sector, resulting in tens of billions in estimated damages over the last two years.

Its special report, Shifting Gears: VicOne 2025 Automotive Cybersecurity Report, also suggests that more than 77% of automotive vulnerabilities were found within onboard or in-vehicle systems.

The rise of battery-electric vehicles are providing fresh attack surfaces for cyber malefactors to exploit in areas such as battery charging, operating systems and fleet management.

Critical weaknesses are being exposed in charging infrastructure, from insecure payment protocols to outdated communication standards, potentially affecting both vehicles and even whole power grids.

On top of this, while artificial intelligence (AI) can enhance in-car features and operational efficiency, it also introduces further vulnerabilities such as prompt injection and compromised training data that challenge traditional security methods. In cybersecurity, prompt injection refers to a type of attack targeting AI systems, especially large language models (LLMs) like ChatGPT. It involves crafting malicious or manipulative inputs – prompts –that trick the AI into behaving in unintended or unauthorized ways.

Cyber criminals are employing dark-web channels to exchange sophisticated exploit techniques and stolen vehicle data, raising the stakes for manufacturers and consumers alike.

From 2015 onward, for example, several security researchers have demonstrated vulnerabilities in Tesla's software. In 2016, Chinese researchers from Keen Security Lab remotely controlled a Tesla's brakes and infotainment system. In 2019, another team hacked the Model S key fob encryption to unlock and start the car. Tesla has generally responded quickly with over-the-air (OTA) software updates to patch vulnerabilities.

There has been a rise in "quishing" scams, where fraudulent QR codes are placed on EV charging stations. Unsuspecting users scanning these codes are directed to malicious websites designed to steal personal and financial information.

The ongoing shift toward software-defined vehicles (SDVs) and AI-enhanced features to the evolving landscape of BEV charging and the escalating vulnerabilities found in vehicle telematics systems, "the automotive industry is racing into unknown cyber-risk territories.," notes the report.

Any vehicle that has to be plugged into a public charging infrastructure, such as BEVs and PHEVs, exposes this risk, whether drawing from the grid or returning excess energy to it as with V2G compatible.

A total of 215 automotive cyber-security incidents were recorded in 2024, with Cloud and backend vulnerabilities as the most frequent attack surfaces and typically involved ransomware attacks, data breaches and social engineering or phishing attacks, according to VicOne data.

Vehicle hijacking, supply-chain vulnerabilities, keyless entry exploits and vehicle-electronics virtualization attacks mainly targeted onboard systems and over-the-air (OTA) vulnerabilities.

Criminals use relay devices to capture and extend the signal from key fobs, tricking the car into unlocking and starting. Any car equipped with keyless entry/start systems is especially vulnerable, and there are widespread reports of incidents in Europe and North America.

Supply-chain attacks are also growing more complicated and devastating, with criminals last year clearly hitting suppliers and third-party component providers as the weak link to exploit. For example, a ransomware attack on dealership software provider CDK in June 2024 disrupted operations at more than 15,000 dealerships in the U.S. and Canada.

VicOne’s analysis of criminal-underground message exchanges suggests that multi-layered, widespread attacks on automobiles and the industry are growing more likely. It says this indicates a shift from today’s manual car-modding hacks to more harmful and larger-scale attacks such as user impersonation and account theft.

The total count of automotive-related vulnerabilities (CVEs) (specific number of vulnerabilities throughout the automotive eco-system) published in 2024 reached 530 vulnerabilities, another annual gain and just two short of twice as many as in 2019.

Vulnerabilities are now shifting from chipset-related issues to CVEs involving in-vehicle infotainment platforms and operating systems, in addition to BEV-charging infrastructure.

Discovering New Vulnerabilities Every Day

The cybersecurity company says that at the world’s largest zero-day vulnerability discovery contest, Pwn2Own Automotive 2025, which took place at Automotive World last January in Tokyo, security researchers from 13 countries discovered 49 unique zero-day vulnerabilities across primarily operating platforms, infotainment and vehicle charging systems.

The large language models used in generative AI are said to be especially attractive targets for cybercriminals because of their dependency on critical enterprise data, use of hard-to-control self-learning and propensity for errors.

VicOne’s report points to insecure plugin designs, improper output handling and adversarial attacks are among the prominent operational risks to be addressed in the adoption of AI.

Max Cheng, VicOne chief executive officer, says: “We are amid a transformative era of mobility, as innovations such as AI are helping automakers differentiate their vehicles, accelerate time to market and enhance customer experience. A proactive, multilayered approach to cyber-security across all levels of the supply chain will help the automotive industry stay ahead of evolving threats and thrive in pursuing the unprecedented opportunities ahead.”