From Vehicle Hacking to Ecosystem Risk
In 2015, security researchers Charlie Miller and Chris Valasek demonstrated how a 2014 Jeep Cherokee could be remotely compromised through a vulnerability in its cellular-connected infotainment system. They were able to manipulate several vehicle functions, including air conditioning, radio, wipers, and, at low speeds, the transmission. The vulnerability led to a recall affecting 1.4 million vehicles and became one of the first major cyber security-driven recalls in the automotive industry.
Ten years later, the JLR incident showed a different side of the same problem. The attackers did not need to compromise an individual vehicle to cause large-scale disruption. By affecting corporate IT systems, the incident interrupted manufacturing operations and created consequences across a wider industrial network.
These two cases are different in method, but they point to the same direction. Automotive cyber security has moved from protecting individual vehicles to securing the full digital and operational ecosystem around them.
The Attack Surface Has Expanded
According to Upstream’s Global Automotive and Smart Mobility Cyber security Report, 92% of automotive cyber attacks in 2025 were conducted remotely, while 86% required no physical proximity to the vehicle. The report also states that telematics and cloud systems were involved in 67% of disclosed incidents, and ransomware-related attacks reached 44% of the total.
These numbers should be treated as industry report data, not universal statistics. Still, they reflect a clear trend: attackers are increasingly targeting the connected systems around vehicles, not only the vehicles themselves.
For organisations operating in or supplying the automotive industry, the most relevant risks now often sit in four areas:
1. Mobile Apps and Cloud APIs
Vehicle companion apps have become a core part of the user experience. They allow drivers to unlock doors, start charging, check battery status, locate vehicles, and manage other remote functions.
That also makes them a security-critical layer.
If an app account, API, or cloud backend is compromised, attackers may be able to access functions that were once limited to the physical vehicle. Upstream reports that, in 2025, attackers reached vehicle command-and-control systems through companion apps, locked users out, manipulated remote functions, and demanded ransom to restore access.
For businesses, the lesson is broader than automotive. Any connected product with a mobile app, cloud backend, customer account, API, and remote-control functionality has a similar risk profile.
2. Telematics and Manufacturer Infrastructure
Modern vehicles depend on telematics systems, cellular connectivity, cloud platforms, and APIs that connect the vehicle to manufacturers, service providers, dealerships, and fleet platforms.
This creates value for users and businesses. It enables diagnostics, predictive maintenance, remote updates, fleet visibility, and new digital services.
It also creates more entry points.
A weakness in authentication, API access, identity management, cloud configuration, or supplier connectivity can become a pathway into a much larger environment. The JLR incident is a strong example of how cyber risk in corporate IT can have operational consequences far beyond office systems.
For automotive manufacturers and suppliers, cyber security is no longer only a product security issue. It is also an enterprise architecture, supplier risk, cloud security, and operational resilience issue.
3. Supplier Chains and Third-Party Access
Automotive companies operate through complex supplier networks. Software vendors, component manufacturers, logistics providers, dealers, fleet platforms, payment providers, and cloud service partners may all connect to parts of the wider ecosystem.
This makes third-party access a critical security concern.
Many incidents do not start with a highly technical vehicle exploit. They begin with compromised credentials, weak access controls, phishing, exposed systems, or poorly governed supplier connections.
For organisations in the automotive supply chain, this means security assessments should not stop at internal infrastructure. They should also cover vendor access, remote administration, data exchange, incident response dependencies, and contractual security requirements.
4. EV Charging Infrastructure
Electric vehicle charging infrastructure introduces another layer of risk. Charging stations are connected devices that may handle payment data, identity information, charging authorisation, and communication with both vehicles and backend platforms.
In October 2025, CVE-2025-12357 was published for a man-in-the-middle vulnerability affecting the SLAC pairing protocol used in ISO 15118-2 EV charging communication. The specific vulnerability requires close proximity, but the wider implication is more structural.
Chargers are no longer simple power delivery points. They are connected systems handling money, identity, software, and electricity. As charging networks scale, they become part of the same connected-system risk landscape as vehicles, mobile apps, cloud platforms, and fleet infrastructure.
AI Adds Another Layer of Complexity
AI is also changing the automotive cyber security landscape.
On the attacker side, generative AI can help automate phishing, accelerate reconnaissance, support vulnerability discovery, and make social engineering more convincing.
On the defender and product side, vehicles and connected mobility systems increasingly use AI for driver assistance, voice interaction, in-cabin monitoring, diagnostics, and automation. Each integration can improve functionality, but it can also introduce new data flows, new decision points, and new dependencies.
Upstream identifies AI-driven vehicle architectures as one of the forces expanding the automotive attack surface.
For businesses, the important point is not that AI is inherently unsafe. The point is that AI-enabled systems need the same security discipline as other critical software components: threat modelling, access control, testing, monitoring, and clear governance.
The Regulatory Floor Has Risen
For organisations operating in or supplying the European market, cyber security is also becoming a regulatory requirement.
UNECE Regulation No. 155 requires vehicle manufacturers to operate a certified Cyber security Management System covering the vehicle lifecycle. Its companion regulation, UNECE Regulation No. 156, focuses on software update management, including over-the-air updates. Since July 2024, these requirements have applied to new vehicles produced for relevant markets.
NIS2 also broadens cyber security obligations across the EU. Depending on their role, automotive suppliers, fleet operators, connected-product manufacturers, digital service providers, and other organisations in the wider mobility ecosystem may fall within its scope.
In Lithuania, the updated Law on Cyber security came into force on 18 October 2024. The National Cyber Security Centre under the Ministry of National Defence completed the initial register of in-scope entities in 2025, identifying more than 1,400 organisations. These organisations face cyber security management, incident reporting, risk management, and technical security obligations, with implementation timelines depending on the date of official notification.
Compliance does not equal resilience. However, it has become the baseline for partner due diligence, supplier selection, and customer trust across regulated and connected industries.
What Organisations Should Assess Now
The most important step is to stop treating automotive cyber security as a narrow vehicle security issue.
For manufacturers, suppliers, fleet operators, EV infrastructure providers, and connected-product companies, the assessment should cover the full environment around the product.
This includes:
- Corporate IT systems and identity management;
- Cloud platforms and APIs;
- Mobile applications and customer accounts;
- Telematics and remote access systems;
- Software update processes;
- Supplier and third-party access;
- Incident response procedures;
- NIS2, R155, R156, and other relevant compliance requirements.
Security testing should also reflect how attackers operate. That means looking beyond isolated systems and assessing how weaknesses can combine across apps, APIs, cloud infrastructure, users, vendors, and operational processes.
Automotive Cyber Security Is Now Connected-System Cyber Security
The automotive industry is becoming more software-defined, more connected, and more dependent on digital infrastructure. That brings better user experiences, operational efficiency, data visibility, and new business models.
It also increases exposure.
The JLR incident showed how a cyber attack on corporate systems can affect production, suppliers, and the wider economy. Upstream’s automotive cyber security data points to the same trend from another angle: attackers are focusing on remote, connected, cloud-based, and software-driven parts of the ecosystem.
For automotive and connected-system businesses, the question is no longer only whether the vehicle is secure. The question is whether the whole digital environment around it is resilient enough.
Organisations operating connected vehicles, supplying the automotive industry, managing EV infrastructure, or preparing for NIS2 obligations should assess their exposure now.
A structured NIS2 gap analysis, compliance roadmap, penetration test, cloud security review, or independent security assessment can help identify where the biggest risks sit and what should be prioritised first. Contact our team.
