Your car probably knows more about you than your phone does at this point. Modern connected vehicles track where you drive, how fast you take corners, who you call through Bluetooth, and in some cases, they’re recording conversations through in-car microphones. All of that data flows through internet-connected systems that, until recently, nobody was seriously trying to hack.
That changed fast.
In June 2024, security researchers found they could take control of any Kia manufactured after 2013 using nothing but a license plate number. They’d run the plate through publicly available tools to get the VIN, then exploit flaws in Kia’s dealer web portal to unlock doors, start the engine, and track the vehicle’s location — all in under 30 seconds. The car didn’t even need an active Kia Connect subscription. Kia patched it after responsible disclosure, and there’s no evidence anyone used this in the wild, but for a few months there, millions of vehicles were essentially unlocked for anyone who knew where to look.
How Connected Cars Actually Work
When manufacturers talk about “connected” vehicles, they’re describing cars with built-in cellular modems, Wi-Fi capability, and communication protocols that let them talk to your phone, other vehicles, traffic infrastructure, and cloud servers run by the manufacturer. This connectivity powers features people genuinely use — remote start from your phone, automatic crash notification, real-time traffic routing, over-the-air software updates, and diagnostic alerts that tell you something’s wrong before you’re stranded on the highway.
The problem is that every one of those connection points is a potential way in for someone who shouldn’t be there.
Think about it like your home network, except the network is moving at 70 miles per hour and controls your brakes. Your car’s infotainment system connects to your phone, which syncs your contacts and call history. That same infotainment system often shares a network with systems controlling the engine, transmission, and safety features. Manufacturers have gotten better about segmenting these networks, but the boundaries aren’t always as solid as they should be.
The Skoda Problem (And Why It Matters)
December 2024 brought another ugly example. Security firm PCAutomotive disclosed twelve separate vulnerabilities in the MIB3 infotainment unit used in Skoda Superb III sedans, and the same unit appears in various Volkswagen vehicles too — we’re talking about 1.4 million cars potentially affected.
The attack chain worked through Bluetooth. Once an attacker got initial access, they could execute code every time the car started, giving them persistent access to track GPS location and speed in real time, record audio through the car’s microphone, take screenshots of the infotainment display, and pull plaintext copies of every phone contact synced to the vehicle. Volkswagen and Skoda have been pushing patches, and both companies say there’s no safety risk to drivers, but the scope of what was possible is unsettling.
What makes these infotainment vulnerabilities particularly nasty is that people don’t think of their car’s touchscreen as a security risk. You pair your phone without thinking twice. You sync contacts because it’s convenient for hands-free calling. Nobody reads the privacy policy for their vehicle’s software the way they might for an app on their phone, partly because most people don’t realize there’s software to worry about in the first place.
When Hackers Go After the Supply Chain
Individual car vulnerabilities are one thing. The CDK Global attack in June 2024 showed what happens when hackers target the systems that dealerships depend on.
CDK Global provides dealer management software that handles sales, service scheduling, inventory, and financing for over 15,000 dealerships across North America. When ransomware took their systems down, dealerships including AutoNation had to fall back on paper processes. Sales slowed to a crawl. Service departments couldn’t pull customer histories. The disruption lasted weeks, and AutoNation reported a $1.50 per-share earnings hit for the quarter, contributing to a 5.2% stock drop.
CDK eventually paid $25 million to restore their systems, and full functionality came back by late July. But for about a month, a significant chunk of the North American car-buying and service experience was running on sticky notes and phone calls because one company’s security wasn’t good enough.
What Manufacturers Are Actually Doing
The automotive industry has been scrambling to catch up on security, and to its credit, the measures being implemented now are substantially better than what existed five years ago.
Encryption has become standard for data transmission between vehicle systems and manufacturer servers, which means someone intercepting that traffic can’t easily read what’s being sent. Internal vehicle networks increasingly use firewalls that separate critical driving systems from infotainment and convenience features, so even if someone compromises your Bluetooth connection, they theoretically can’t reach the brakes. Authentication systems have gotten more sophisticated too, requiring multiple verification steps before allowing remote access to vehicle functions.
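To make the internal-firewall idea concrete, here is an added example (not code from any manufacturer or from this article's sources) of a default-deny gateway filter sitting between an infotainment bus and a powertrain bus. The bus names, CAN IDs, payload lengths and rate limits are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* All bus names, CAN IDs and limits below are constructed for illustration. */
enum bus { BUS_INFOTAINMENT, BUS_POWERTRAIN };
enum verdict { FORWARD, DROP_NOT_ALLOWED, DROP_BAD_LENGTH, DROP_RATE };
struct can_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

struct rule {
    enum bus src, dst;    /* direction the frame may cross the gateway */
    uint32_t id;          /* the only CAN ID this rule admits */
    uint8_t dlc;          /* exact payload length expected */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames */
    uint32_t last_ms;     /* time of the last forwarded frame */
    bool seen;            /* false until the rule has forwarded once */
};

static struct rule rules[] = {
    /* vehicle speed, a read-only feed for the display */
    { BUS_POWERTRAIN, BUS_INFOTAINMENT, 0x3E9, 8, 10, 0, false },
    /* drive-mode request from the touchscreen, at most one per 500 ms */
    { BUS_INFOTAINMENT, BUS_POWERTRAIN, 0x5A0, 2, 500, 0, false },
};

/* Default deny: a frame crosses only if direction, ID, length and rate match. */
enum verdict gateway_filter(enum bus src, enum bus dst,
                            const struct can_frame *f, uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct rule *r = &rules[i];
        if (r->src != src || r->dst != dst || r->id != f->id)
            continue;
        if (f->dlc != r->dlc)
            return DROP_BAD_LENGTH;
        if (r->seen && now_ms - r->last_ms < r->min_gap_ms)
            return DROP_RATE;
        r->seen = true;
        r->last_ms = now_ms;
        return FORWARD;
    }
    return DROP_NOT_ALLOWED;
}

int main(void) {
    struct can_frame f = { 0x0C0, 8, {0} };  /* constructed ID, not on the allowlist */
    printf("verdict=%d\n", gateway_filter(BUS_INFOTAINMENT, BUS_POWERTRAIN, &f, 0));
    return 0;
}
```

The point of the design is that the allowlist names what may cross rather than what may not, so a compromised infotainment unit is limited to the few low-risk requests the gateway already expects.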
Over-the-air updates represent a genuine improvement in how quickly manufacturers can respond to discovered vulnerabilities. Tesla pioneered this approach, and most major manufacturers have followed. When Kia discovered their web portal flaw, they could push fixes without requiring owners to visit dealerships. That’s a meaningful change from the old model where security patches required physical recalls.
The flip side is that over-the-air update systems are themselves potential attack vectors. If someone compromises the update infrastructure, they could push malicious code to every connected vehicle in a manufacturer’s fleet simultaneously. This isn’t a theoretical concern — it’s exactly why automotive cybersecurity now includes extensive verification systems for software authenticity.
The Importance of a Reliable Internet Connection for Cyber Security
A reliable internet connection is essential for the cyber security of connected cars. Without a good internet connection, security measures such as firewalls and encryption may not work properly. In addition, a poor internet connection can cause important updates to be delayed, making the vehicle vulnerable to cyberattacks.
Along with a reliable internet connection, using advanced endpoint protection adds another layer of security. These systems monitor for suspicious activity, detect threats in real time, and block malware before it spreads through connected networks. This extra level of protection helps keep vehicles, manufacturers, and service providers safe from evolving cyber risks.
In this regard, Cox Internet is a trusted plan that can help keep connected cars cyber-secure. By getting a subscription to one of its plans, you can receive a high-speed internet connection needed to quickly and securely transfer data between vehicle systems and external networks. In addition, you can also get advanced security features such as a firewall and antivirus to protect against cyberattacks.
Your Part in This
Manufacturers can build security into their systems, but owners make choices that affect how vulnerable their vehicles actually are.
Software updates matter more than most people realize. When your car’s infotainment system prompts you to install an update, that update might contain patches for vulnerabilities that researchers disclosed months ago. Delaying those updates leaves known security holes open. The same applies to your phone if you’re using it to connect to vehicle systems — an outdated phone app can be the weak link that compromises an otherwise secure vehicle.
The smartphone connection deserves particular attention because it’s often the easiest attack path. Your car trusts your phone. If your phone gets compromised through a malicious app or phishing attack, that compromised device now has access to your vehicle. Basic phone security practices — keeping software updated, not installing apps from unknown sources, being skeptical of links in text messages — become vehicle security practices too.
Some people use third-party OBD-II devices for things like performance monitoring or insurance tracking. These plug directly into your car’s diagnostic port and often connect to phone apps via Bluetooth. Not all of these devices are built with security in mind, and they can provide an access point to vehicle systems that bypasses whatever protections the manufacturer built in. If you’re using one, it’s worth researching whether the manufacturer takes security seriously.
The Regulatory Picture
Governments have started paying attention, though regulation still lags behind the technology. The US National Highway Traffic Safety Administration has published cybersecurity best practice guidelines for automakers, but these remain voluntary recommendations rather than enforceable standards. The European Union has moved faster with UN Regulation 155, which requires manufacturers to implement cybersecurity management systems and demonstrate they can handle cyber threats before vehicles can be type-approved for sale.
Data privacy adds another regulatory layer. Connected cars collect enormous amounts of personal information, and that data has to be handled according to whatever privacy laws apply in a given jurisdiction. GDPR in Europe, various state laws in the US, and increasingly strict regulations in other markets all impose requirements on how manufacturers collect, store, and use the information their vehicles gather.
The challenge is that cars cross borders, get resold, and remain on the road for 15 or 20 years. A vehicle designed to meet 2024 regulations will still be driving in 2040, and nobody knows what the threat landscape or regulatory environment will look like by then. Manufacturers are building systems they hope will remain secure and compliant for decades, which is an uncomfortable amount of uncertainty.
Where This Is Heading
The security researchers who found the Kia vulnerability, the Skoda infotainment flaws, and countless other automotive weaknesses are doing exactly what the industry needs — finding problems before criminals do and giving manufacturers the chance to fix them. The responsible disclosure process, where researchers report vulnerabilities privately and give companies time to patch before going public, has prevented a lot of potential damage.
But there’s an inherent tension in connected car security. The features that make these vehicles useful — remote access, smartphone integration, cloud connectivity — are the same features that create attack surface. Every convenience comes with some security tradeoff, and manufacturers are constantly balancing what customers want against what security professionals recommend.
For anyone buying or driving a connected car today, the practical reality is that these vehicles are more secure than they were a few years ago and less secure than they’ll be a few years from now. Keep your software updated, be thoughtful about what you connect to your vehicle, and pay attention when manufacturers announce security-related recalls or updates. The automotive industry is learning, sometimes the hard way, how to build vehicles for a world where hacking isn’t just something that happens to computers.















