100 Million Lines of Code on Wheels
A modern premium vehicle is among the most complex computing systems most people will ever own. A current-generation Mercedes-Benz S-Class contains over 100 electronic control units (ECUs) running an estimated 100 million lines of code — more than a Boeing 787 Dreamliner (6.5 million lines) and an F-35 fighter jet (8 million lines of on-board flight software) combined. These ECUs manage everything from engine control and braking to infotainment, navigation, keyless entry, tire pressure monitoring, and advanced driver assistance systems (ADAS). They communicate via internal networks — primarily the CAN bus (Controller Area Network), a protocol designed in 1986 that lacks authentication, encryption, or any concept of message origin verification.
The connectivity surface of these vehicles has expanded dramatically. A typical 2026 connected car communicates via cellular (4G/5G for telematics and OTA updates), Wi-Fi (for hotspot and device pairing), Bluetooth (for phone integration and key fobs), dedicated short-range communications or C-V2X (for vehicle-to-vehicle and vehicle-to-infrastructure messaging), and USB ports (for media and device charging). Each interface represents a potential entry point. Upstream Security’s 2025 Global Automotive Cybersecurity Report documented a 39% year-over-year increase in automotive cyber incidents (from 295 in 2023 to 409 in 2024), with over 1,800 publicly reported events since 2010. Sixty percent of 2024 incidents affected thousands to millions of mobility assets, and massive-scale incidents tripled from 5% to 19% of all cases. The automotive attack surface is not shrinking — it is expanding with every connected feature added.
The financial stakes match the technical exposure. The global automotive cybersecurity market was valued at $3.1 billion in 2022 and is projected to exceed $14 billion by 2030, growing at a compound annual rate of nearly 21%, according to Grand View Research. This growth reflects not just voluntary investment but regulatory compulsion: as of July 2024, all new vehicles sold in markets governed by the 63 contracting parties to the UNECE 1958 Agreement must comply with cybersecurity regulations that did not exist five years ago.
The Attack Surface: From Remote Takeover to Fleet-Scale Exploits
The most consequential demonstration of automotive hacking remains Charlie Miller and Chris Valasek’s 2015 remote takeover of a Jeep Cherokee. Working through the vehicle’s Uconnect infotainment system (accessible via the Sprint cellular network), they remotely controlled the vehicle’s steering, braking, and transmission — while the driver was on a highway. The resulting recall of 1.4 million vehicles by Fiat Chrysler — followed by class action litigation that reached the U.S. Supreme Court — remains a landmark event that catalyzed the entire automotive cybersecurity industry.
Since then, the research community has documented an expanding catalog of attack vectors. Tesla vehicles, the most connected cars on the road, have been a frequent target for researchers — not because they are less secure than competitors (Tesla’s bug bounty program and OTA patching capability are industry-leading) but because their connectivity creates a larger and more accessible research surface. At Pwn2Own Vancouver 2024, researchers from Synacktiv exploited an integer overflow vulnerability in Tesla’s Vehicle Controller Secondary (VCSEC) module — which manages TPMS communications, door locks, and startup procedures — to achieve arbitrary code execution and CAN bus control, earning $200,000 and a Tesla Model 3. In a separate 2024 study presented at the USENIX Security Symposium, University of Michigan researchers demonstrated data fabrication attacks on collaborative vehicular perception systems, where injected false objects triggered hard braking and collisions in real-world testing at the Mcity facility. Chinese security firm Keen Security Lab has published multiple Tesla vulnerability disclosures, including a 2016 remote attack via the cellular interface that compromised the gateway ECU and manipulated the CAN bus — a vulnerability Tesla patched via OTA update within 10 days.
The emerging threat frontier is fleet-scale attacks. When millions of vehicles from the same manufacturer share identical software stacks and receive updates from the same OTA infrastructure, a single compromised update server or supply chain breach at a tier-one software supplier could theoretically affect an entire fleet simultaneously. Upstream Security’s 2025 analysis quantifies the risk: telematics and application server attacks surged from 43% of all incidents in 2023 to 66% in 2024, making backend infrastructure the dominant attack vector in automotive cybersecurity. Compromising the server that manages vehicle communications provides potential access to every connected vehicle in the fleet.
Advertisement
The Regulatory Framework: WP.29 and ISO 21434
The regulatory response to automotive cybersecurity has been more decisive and comprehensive than in most other technology sectors. UNECE Regulation No. 155 (commonly referred to as WP.29) mandates that all new vehicles sold in markets governed by the 63 contracting parties to the 1958 Agreement — covering the EU, UK, Japan, South Korea, Australia, and Russia, but notably excluding the United States and China — must have a certified Cybersecurity Management System (CSMS). The regulation requires manufacturers to demonstrate cyber risk management across the entire vehicle lifecycle: design, production, post-production monitoring, and incident response.
WP.29 compliance is not optional or aspirational — it is a type approval requirement. Since July 2024, no new vehicle type can be registered for sale in UNECE markets without a CSMS certificate issued by a designated approval authority. This has forced every major automaker to establish dedicated cybersecurity organizations. Volkswagen Group established harmonized cybersecurity management systems across all its brands with coordinated incident response processes, BMW invested in automotive cybersecurity startups including Upstream Security and built dedicated vehicle security capabilities, and Toyota formalized cybersecurity risk management processes and partnered with firms like Keyfactor for V2X certificate infrastructure. Tier-one suppliers like Continental, Bosch, and ZF Friedrichshafen have built cybersecurity practices that mirror what automakers require for compliance.
ISO/SAE 21434, published in August 2021, provides the engineering framework that underpins WP.29 compliance. The standard defines cybersecurity engineering requirements across the vehicle development lifecycle — from threat analysis and risk assessment (TARA) during concept phase through cybersecurity testing during validation, to vulnerability management during post-production. For suppliers, ISO 21434 is increasingly a procurement requirement: major OEMs will not source ECUs, sensors, or software from suppliers who cannot demonstrate 21434-aligned cybersecurity processes. This supply chain pressure is propagating cybersecurity requirements deep into the automotive supplier ecosystem, including tier-two and tier-three suppliers who previously had zero cybersecurity considerations in their engineering processes.
OTA Updates, V2X, and the Autonomy Challenge
Over-the-air (OTA) software updates are both the automotive industry’s most powerful cybersecurity tool and a significant attack surface. Tesla pioneered the use of OTA updates to patch security vulnerabilities, add features, and modify vehicle behavior remotely — a capability that allowed Tesla to respond to the Keen Security Lab vulnerabilities within 10 days, compared to traditional recall processes that take months and achieve incomplete compliance. By 2025, virtually all major automakers offered OTA update capability: Mercedes-Benz, BMW, Ford, GM, Stellantis, and Hyundai all have OTA platforms in production vehicles.
The security challenge is that the OTA infrastructure itself must be robustly secured. An attacker who compromises the OTA signing keys or the distribution infrastructure could push malicious firmware to an entire fleet. The required protections — hardware security modules (HSMs) for code signing, certificate-pinned TLS for update delivery, verified boot chains on vehicle ECUs, rollback protection, and real-time anomaly detection — add cost and complexity. Argus Cyber Security (acquired by Continental for $430 million in 2017) and Harman’s SHIELD platform provide aftermarket and OEM-integrated solutions for OTA security, intrusion detection, and vehicle security operations centers (VSOCs).
Vehicle-to-Everything (V2X) communication introduces the next frontier of automotive cybersecurity risk. V2X enables vehicles to communicate with other vehicles (V2V), infrastructure like traffic signals (V2I), pedestrians’ devices (V2P), and network services (V2N). The benefits — collision avoidance, traffic optimization, emergency vehicle preemption — are significant, but V2X creates a new wireless attack surface where spoofed messages could trigger false collision warnings, manipulate traffic flow, or create phantom vehicles. The U.S. Department of Transportation’s V2X deployment plan — “Saving Lives with Connectivity,” released in August 2024 — targets V2X deployment across 20% of the National Highway System by 2028, with Security Credential Management Systems (SCMS) using public key infrastructure to authenticate V2X messages. But the scalability of PKI to billions of messages per day across millions of vehicles remains an unsolved engineering challenge that will define the next decade of automotive cybersecurity.
Frequently Asked Questions
What is hacking the highway?
Hacking the Highway: Cybersecurity Risks in Connected and Autonomous Vehicles covers the essential aspects of this topic, examining current trends, key players, and practical implications for professionals and organizations in 2026.
Why does hacking the highway matter?
This topic matters because it directly impacts how organizations plan their technology strategy, allocate resources, and position themselves in a rapidly evolving landscape. The article provides actionable analysis to help decision-makers navigate these changes.
How does the attack surface: from remote takeover to fleet-scale exploits work?
The article examines this through the lens of the attack surface: from remote takeover to fleet-scale exploits, providing detailed analysis of the mechanisms, trade-offs, and practical implications for stakeholders.
Sources & Further Reading
- UNECE Regulation No. 155 — Cybersecurity and CSMS
- ISO/SAE 21434 — Road Vehicles Cybersecurity Engineering
- Upstream Security 2025 Global Automotive Cybersecurity Report
- Upstream Security — Key Insights from the 2025 Report
- Miller & Valasek — Remote Exploitation of an Unaltered Passenger Vehicle (2015)
- Pwn2Own Vancouver 2024 — Tesla ECU Exploit via VCSEC Integer Overflow
- VicOne — Tesla TPMS Zero-Click RCE Vulnerability Analysis
- University of Michigan — Data Fabrication Attacks on Collaborative Vehicular Perception (USENIX 2024)
- Grand View Research — Automotive Cybersecurity Market Size & Share Report
- Keen Security Lab — Remote Attack on Tesla Motors (2016)
- U.S. DOT — Saving Lives with Connectivity: V2X Deployment Plan (2024)
- IEEE Spectrum — This Car Runs on Code
- Argus Cyber Security / PlaxidityX (Continental)
- Tesla Bug Bounty Program
- UNECE WP.29 — World Forum for Harmonization of Vehicle Regulations
