Real-world incidents: 2024 snapshot

According to Upstream’s 2025 report and EE Times coverage, here’s how the threat landscape evolved last year:

Attack Type            | % of Incidents | Estimated Incidents (2024) | Description
-----------------------|----------------|----------------------------|------------------------------------------------------
Data Privacy Breaches  | 60%            | ~245                       | GPS history, driver profiles, payment data
Service Disruption     | 53%            | ~217                       | Ransomware targeting dealerships and OEMs
Vehicle Manipulation   | 35%            | ~143                       | Remote unlocking, ECU spoofing, infotainment exploits
Odometer Fraud         | 20%            | ~82                        | CAN injection, diagnostic tool abuse
API Exploits           | 17%            | ~70                        | Token theft, replay attacks, backend compromise
ECU Attacks            | 8%             | ~33                        | Firmware manipulation of safety-critical systems
EV Charger Exploits    | 6%             | ~25                        | Billing fraud, firmware tampering, grid disruption

The percentages are shares of the 409 incidents documented for 2024 (each estimated count is that total multiplied by the share, rounded), and they add up to well over 100%, which means one incident is typically counted under more than one category.

Total documented incidents in 2024: 409. Cumulative incidents since 2010: 1,877.

These numbers reflect only publicly reported and verified incidents. The real figures—especially for backend API exploits and EV infrastructure—may be significantly higher due to underreporting and lack of centralised disclosure mechanisms.

What makes the automotive attack surface different from ordinary IT:

  • Physical consequences: A compromised vehicle isn’t just a data leak—it’s a kinetic threat.
  • Heterogeneous systems: Linux containers, QNX RTOS, Android Automotive, CAN-FD, Ethernet—all coexisting in one vehicle, typically bridged by a central gateway.
  • Long lifecycle: Vulnerabilities may persist for years due to slow update cycles and fragmented supply chains.
  • Remote control: OEMs can immobilise vehicles, push updates, or modify behaviour via cloud commands, so whoever compromises the backend or its credentials inherits exactly the same reach.

This isn’t just cybersecurity—it’s cyber-physical security.


Speculative scenarios: Worst-case futures

Let’s step beyond the headlines and explore what could happen if attackers weaponise the whole stack of vehicle connectivity. These aren’t science fiction—they’re extrapolations based on known vulnerabilities, architectural weaknesses, and emerging threat vectors.

Imagine a malware strain that propagates via EV charging ports. It exploits vulnerabilities in the ISO 15118 handshake between vehicle and charger (the high-level communication protocol behind Plug & Charge, carried over power-line communication on the charging cable), injecting malicious payloads first into the vehicle’s charge controller and from there into the telematics or infotainment system.

Once infected, the vehicle becomes a vector—spreading the malware to every charger it connects to. Those chargers, in turn, infect the next vehicle. Within days, entire urban fleets are compromised. Possible payloads include:

  • Overcharging batteries to thermal runaway
  • Disabling brakes or steering via ECU manipulation (which needs a route from the infected domain across the central gateway to the chassis buses)
  • Remote immobilisation triggered by time or location
  • Ransomware lockout demanding crypto payments to unlock ignition

This scenario mirrors the way Stuxnet hopped air gaps on removable media, but with vehicles as the carriers and public charging infrastructure as the transmission medium.

A vulnerability in a major OEM’s backend cloud API could allow attackers to:

  • Enumerate VINs
  • Extract telemetry
  • Push OTA updates
  • Trigger remote immobilisation

Using replayed or never-expiring tokens, or endpoints that authorise on the VIN alone, attackers act on thousands of vehicles at once. The result? A coordinated lockout of an entire fleet—ride-hailing services, delivery vans, or public transport.

This isn’t hypothetical. In 2022, a team of researchers led by Sam Curry exploited insecure automaker and telematics APIs to remotely control dozens of vehicles across multiple brands (the findings were published in early 2023). The only thing missing was scale and intent.
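The scenario above hinges on two backend mistakes: tokens that live forever and can be replayed, and endpoints that authenticate the caller but never check that the caller owns the VIN. The following Python is an added example (not code from the article or from any OEM) that models both patterns side by side; the backend is an in-memory dictionary, the HMAC-signed tokens stand in for an OAuth/JWT flow, and every VIN, account and key is constructed.

```python
"""Vulnerable vs. hardened command handling for a connected-car backend API.

Added illustration, not any OEM's real code: the 'backend' is an in-memory
dictionary, tokens are HMAC-signed strings (a stand-in for JWT/OAuth), and
all VINs, accounts and keys are constructed.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-backend-key"  # stand-in for a KMS/HSM-held signing key
OWNERS = {"VIN0000000000001": "alice", "VIN0000000000002": "bob"}  # constructed
SEEN = set()  # (subject, nonce) pairs already executed; production: TTL-bounded shared store


def _sign(data: bytes) -> str:
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


# ---- vulnerable pattern -----------------------------------------------------
# Token = "<user>.<sig>" with no expiry, so a captured token works forever.
# The handler authenticates the caller but never checks that the caller owns
# the VIN, and its distinguishable error responses let anyone enumerate VINs.
def vulnerable_issue_token(user: str) -> str:
    return f"{user}.{_sign(user.encode())}"


def vulnerable_command(token: str, vin: str, cmd: str):
    user, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(user.encode()), sig):
        return 401, "bad token"
    if vin not in OWNERS:
        return 404, "unknown vin"          # 404 vs 200 reveals which VINs exist
    return 200, f"{cmd} sent to {vin}"     # no ownership check, no replay protection


# ---- hardened pattern -------------------------------------------------------
def hardened_issue_token(user: str, now: float, ttl: int = 900) -> str:
    claims = json.dumps({"sub": user, "exp": int(now) + ttl}, separators=(",", ":"))
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    return f"{body}.{_sign(body.encode())}"


def hardened_command(token: str, vin: str, cmd: str, nonce: str, now: float):
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(body.encode()), sig):
        return 401, "bad token"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return 401, "token expired"        # short lifetime bounds the value of a stolen token
    if OWNERS.get(vin) != claims["sub"]:
        return 404, "not found"            # same answer for 'no such VIN' and 'not your VIN'
    if (claims["sub"], nonce) in SEEN:
        return 409, "replay"               # each state-changing request is usable once
    SEEN.add((claims["sub"], nonce))
    return 200, f"{cmd} sent to {vin}"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    # Bob's token against Alice's car: accepted by the vulnerable handler...
    print(vulnerable_command(vulnerable_issue_token("bob"), "VIN0000000000001", "immobilise"))
    # ...rejected by the hardened one, which also refuses replays and expired tokens.
    tok = hardened_issue_token("bob", now=t0)
    print(hardened_command(tok, "VIN0000000000001", "immobilise", "n1", t0))
    print(hardened_command(tok, "VIN0000000000002", "immobilise", "n2", t0))
    print(hardened_command(tok, "VIN0000000000002", "immobilise", "n2", t0))
    print(hardened_command(tok, "VIN0000000000002", "immobilise", "n3", t0 + 901))
```

Run it and the vulnerable handler immobilises Alice’s car with Bob’s token, while the hardened one returns 404 for a VIN the caller does not own (the same answer it gives for a VIN that does not exist, so the endpoint cannot be used to enumerate VINs), 409 for a replayed nonce and 401 once the token has expired. Per-account rate limiting and alerting on cross-VIN lookups belong in front of this, but the object-level authorisation check is the one that stops the fleet-wide lockout.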

As Android Automotive OS becomes mainstream, OEMs open app stores for third-party developers. A malicious app—disguised as a navigation plugin—exploits a sandbox escape vulnerability to gain root access. Once installed, it:

  • Records cabin audio and video
  • Extracts Wi-Fi credentials and cloud tokens
  • Injects CAN messages to manipulate vehicle behaviour (only where the infotainment unit has a write path to the bus; in a well-segmented vehicle the gateway filters what it may send)

Because the app is signed and distributed via the OEM’s store, it passes user scrutiny: a signature proves who published the app, not what it does, so store review is the only gate. Persisting across updates is harder than it sounds where verified boot is enforced; the rootkit would need a writable partition, a re-exploitable bug, or control of the update path, and it spreads via sideloading or phishing links.
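Both the CAN injection in this scenario and the odometer fraud row in the table above rely on a second node putting frames onto a bus whose legitimate senders transmit on a fixed schedule. The Python below is an added example (not from the article or from any vehicle IDS product) of the simplest detection that exploits this: learn each arbitration ID’s period from a clean candump-style capture, then flag frames that arrive far sooner than the schedule allows. The log lines, arbitration IDs and timings are constructed.

```python
"""Frequency-based CAN injection detection over candump-style log lines.

Added illustration (not from the article or any vendor): the logs are
constructed, the arbitration IDs are arbitrary, and the baseline period per ID
is learned from a clean capture rather than taken from a vehicle database.
"""
import re
import statistics
from collections import defaultdict

# candump -L style: "(epoch) iface ID#HEXDATA"
CANDUMP_RE = re.compile(r"\((\d+\.\d+)\)\s+(\w+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

# Constructed clean capture: 0x1A0 every 10 ms, 0x2F0 every 100 ms.
BASELINE_LOG = """\
(1700000000.000000) can0 1A0#0000000000000000
(1700000000.000000) can0 2F0#00000000
(1700000000.010000) can0 1A0#0000000000000000
(1700000000.020000) can0 1A0#0000000000000000
(1700000000.030000) can0 1A0#0000000000000000
(1700000000.040000) can0 1A0#0000000000000000
(1700000000.050000) can0 1A0#0000000000000000
(1700000000.100000) can0 2F0#00000000
"""

# Constructed live capture: the 0x1A0 frames at .012 and .022 are injected by a
# second node, 2 ms after each legitimate frame and carrying different data.
LIVE_LOG = """\
(1700000001.000000) can0 1A0#0000000000000000
(1700000001.000000) can0 2F0#00000000
(1700000001.010000) can0 1A0#0000000000000000
(1700000001.012000) can0 1A0#FF00000000000000
(1700000001.020000) can0 1A0#0000000000000000
(1700000001.022000) can0 1A0#FF00000000000000
(1700000001.030000) can0 1A0#0000000000000000
(1700000001.100000) can0 2F0#00000000
"""


def parse_candump(text):
    """Return (timestamp, interface, arbitration_id, data_bytes) for each parsable line."""
    frames = []
    for line in text.splitlines():
        m = CANDUMP_RE.match(line.strip())
        if m:
            ts, iface, can_id, data = m.groups()
            frames.append((float(ts), iface, int(can_id, 16), bytes.fromhex(data)))
    return frames


def learn_periods(frames, min_gaps=1):
    """Median inter-arrival time per ID, learned from a capture believed to be clean."""
    last, gaps = {}, defaultdict(list)
    for ts, _, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items() if len(g) >= min_gaps}


def detect_injection(frames, periods, factor=0.5):
    """Flag a frame whose ID reappears sooner than `factor` x its learned period.

    A legitimate ECU keeps its schedule; an injector adds frames between the
    real ones, so the inter-arrival gap collapses. Returns one alert per frame.
    """
    alerts, last = [], {}
    for ts, _, cid, data in frames:
        if cid in last and cid in periods:
            gap = ts - last[cid][0]
            if gap < factor * periods[cid]:
                alerts.append({"ts": ts, "id": cid, "gap_s": round(gap, 6),
                               "data": data.hex(), "prev_data": last[cid][1].hex()})
        last[cid] = (ts, data)
    return alerts


if __name__ == "__main__":
    periods = learn_periods(parse_candump(BASELINE_LOG))
    for alert in detect_injection(parse_candump(LIVE_LOG), periods):
        print(f"injection? id=0x{alert['id']:03X} gap={alert['gap_s']}s "
              f"data={alert['data']} (prev {alert['prev_data']})")
```

The constructed live capture yields two alerts, both for the frames the second node injected 2 ms after the real ones. Event-triggered IDs with no stable period would trip this rule, so a deployment learns periods only for IDs whose inter-arrival variance is low and pairs the timing check with payload-level rules (for example an odometer value that decreases).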

Vehicles increasingly rely on V2X (Vehicle-to-Everything) communication for collision avoidance, traffic optimisation, and autonomous navigation. An attacker sets up rogue roadside units (RSUs) broadcasting false data. Possible effects are:

  • Vehicles slam brakes for phantom obstacles
  • Traffic rerouted into gridlock
  • Emergency vehicles delayed or misdirected

This attack doesn’t require compromising the vehicle—just manipulating the environment. It’s low-cost, high-impact, and difficult to trace. The catch for the attacker is that V2X messages are signed under a PKI (IEEE 1609.2 in the US, ETSI TS 103 097 in Europe), so the rogue RSU needs stolen or mis-issued credentials, or receivers that skip verification; plausibility checks on the receiving side are the second line of defence.
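A receiver cannot stop an attacker from broadcasting, but it decides what it acts on. The Python below is an added example (not from the article or from any V2X stack) of the two receiver-side gates: a credential check, for which an HMAC under a per-sender key is a constructed stand-in for the ECDSA signatures and certificates real stacks verify, and plausibility checks that reject messages a real vehicle could not have produced. Senders, keys, message fields and coordinates are all constructed.

```python
"""Receiver-side checks for V2X safety messages: credential check plus plausibility.

Added illustration, not the article's or any standard's code. Real V2X stacks
verify ECDSA signatures against IEEE 1609.2 / ETSI TS 103 097 certificates;
here an HMAC under a per-sender key is a constructed stand-in for that step,
and the message fields, senders and coordinates are all constructed.
"""
import hashlib
import hmac
import json
import math

MAX_SPEED_MPS = 70.0   # ~250 km/h: faster than any road vehicle
MAX_AGE_S = 1.0        # safety messages are sent at ~10 Hz; older ones are stale
FIELDS = ("sender", "t", "lat", "lon", "speed")
# Constructed stand-in for enrolled certificates: only these senders are trusted.
CREDENTIALS = {"veh-1": b"constructed-key-1", "rsu-7": b"constructed-key-7"}


def _canonical(msg):
    return json.dumps({k: msg[k] for k in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode()


def make_msg(sender, t, lat, lon, speed, key=None):
    """Build a signed message; `key` defaults to the sender's enrolled credential."""
    msg = {"sender": sender, "t": t, "lat": lat, "lon": lon, "speed": speed}
    key = CREDENTIALS.get(sender, b"no-credential") if key is None else key
    msg["sig"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(a))


class Receiver:
    def __init__(self):
        self.last = {}   # sender -> last accepted message

    def accept(self, msg, now):
        """Return (accepted, reason): who sent it, when, then is it physically possible."""
        key = CREDENTIALS.get(msg["sender"])
        if key is None or not hmac.compare_digest(
                hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest(), msg["sig"]):
            return False, "unauthenticated sender or bad signature"
        if not (now - MAX_AGE_S <= msg["t"] <= now + 0.1):   # small skew tolerance
            return False, "stale or future timestamp"
        if not 0 <= msg["speed"] <= MAX_SPEED_MPS:
            return False, "speed out of range"
        prev = self.last.get(msg["sender"])
        if prev is not None:
            dt = msg["t"] - prev["t"]
            if dt <= 0:
                return False, "timestamp not increasing (replay?)"
            implied = haversine_m(prev["lat"], prev["lon"], msg["lat"], msg["lon"]) / dt
            if implied > MAX_SPEED_MPS:
                return False, f"implausible displacement ({implied:.0f} m/s)"
        self.last[msg["sender"]] = msg
        return True, "ok"


if __name__ == "__main__":
    rx = Receiver()
    print(rx.accept(make_msg("veh-1", 100.0, 48.0, 11.0, 20.0), now=100.0))
    print(rx.accept(make_msg("veh-1", 101.0, 48.00018, 11.0, 20.0), now=101.0))  # ~20 m on
    print(rx.accept(make_msg("rsu-x", 101.0, 48.0, 11.0, 0.0), now=101.0))       # rogue RSU
    print(rx.accept(make_msg("veh-1", 102.0, 48.05, 11.0, 20.0), now=102.0))     # 5.5 km jump
```

The constructed run accepts a vehicle that moved about 20 m in one second, rejects an unenrolled RSU outright, rejects a properly credentialed sender whose position jumps 5.5 km in a second, and rejects a replayed message because its timestamp does not advance. Real misbehaviour detection adds more checks (cross-validation against the vehicle’s own sensors, misbehaviour reports back to the PKI for certificate revocation), but the principle is the same: signature first, physics second.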

A vulnerability in a popular telematics provider allows attackers to push malicious updates to all connected vehicles. The payload encrypts infotainment systems, disables navigation, and locks out fleet managers. Victims could include:

  • Logistics companies
  • Municipal services
  • Emergency responders

The ransom demand is issued via the fleet dashboard. Pay or lose operational control.

Some modern vehicles collect biometric data: facial recognition for driver profiles, heart rate monitoring, and fatigue detection. A misconfigured cloud bucket exposes this data publicly. Possible consequences are:

  • Identity theft
  • Insurance fraud
  • Targeted surveillance

This isn’t just a privacy breach—it’s a violation of bodily autonomy.

Each of these scenarios exploits a different layer of the automotive stack:

  • Physical interfaces (EV charging)
  • Cloud APIs
  • Infotainment OS
  • V2X protocols
  • Telematics platforms
  • Biometric sensors

What ties them together is the increasing reliance on software, mainstream IT components, and always-on connectivity. The same tools that enable innovation also enable exploitation.


What’s next?

In Part 3, we’ll explore how the industry is responding. From regulatory frameworks like UN R155 and ISO/SAE 21434 to architectural shifts like zonal compute and secure gateways, automakers are racing to build resilience. But are they moving fast enough? Stay tuned.