
Automotive cybersecurity moved from lab demos to boardroom priorities in 2024, as researchers, criminals, and infrastructure bugs converged to stress-test the modern car’s software stack. From prize-winning exploits at an industry hacking contest in Tokyo to a dealership IT meltdown in the U.S. and a high-profile charger firmware fix in September, the year underscored how code now steers commerce as much as wheels do. Regulators also tightened the screws, with new cybersecurity requirements taking full effect across major markets. The immediate impacts were visible: over-the-air patches, service appointments, and contingency plans rippling from factories to forecourts.
At January’s Pwn2Own Automotive in Tokyo, security teams demonstrated working exploits against vehicle components and services, including a Tesla target and third‑party infotainment and telematics gear, earning six‑figure prizes and forcing rapid vendor responses. Organizers emphasized coordinated disclosure, and affected manufacturers pushed over‑the‑air updates within days or issued advisories with patch timelines. The event highlighted growing maturity in carmaker bug‑bounty programs and the value of red‑team exercises before attackers find the same flaws. For drivers, the immediate effect was an update prompt and, increasingly, transparent release notes explaining what changed and why.
Outside the lab, criminals leaned on keyless‑entry relays and CAN‑bus injection to steal popular SUVs, prompting countermeasures from brands including Toyota and Jaguar Land Rover in early 2024. Automakers offered retrofits, hardened wiring looms, and software changes, while newer models added ultra‑wideband digital keys to blunt relay attacks. Police forces in the UK and EU reported reductions in theft for models that received the updates, though older vehicles still face elevated risk until appointments are completed. Insurers, meanwhile, adjusted premiums and requirements, pushing owners toward security upgrades and Faraday storage for legacy fobs.
The attack surface extended beyond the car itself when a June cyberattack on CDK Global forced thousands of U.S. dealerships offline, delaying sales and repair orders for days. While no vehicles were remotely controlled, the disruption showed how dealership management systems and parts networks are now part of vehicle availability and safety turnaround.
On the regulatory front, UNECE WP.29 R155 requirements applied to all new vehicle registrations in many markets as of July 2024, formalizing cybersecurity management systems and incident response obligations. Automakers say the rules helped accelerate secure‑update pipelines and supplier audits already underway.
Charging infrastructure also came under scrutiny after researchers disclosed in September that a private key embedded in certain ChargePoint charger firmware could be abused to impersonate devices; the company revoked certificates and pushed updates. Utilities and fleet operators coordinated to rotate credentials and verify charger identities, minimizing downtime for drivers. The episode reinforced calls for stronger code‑signing hygiene and routine penetration testing across EV supply equipment.
Looking into 2025, industry groups are prioritizing ISO 15118‑20 implementations and continuous monitoring, aiming to make security fixes as routine—and invisible to drivers—as any other maintenance cycle.