At least 15 million of the 29 million vehicles circulating in Spain are vulnerable to cyberattacks, which puts the proportion of cars susceptible to this type of intrusion at 51.7%. The warning appears in a study by Lazarus Technology prepared with data from the General Directorate of Traffic and the ANFAC employers' association, in a context in which crimes linked to this phenomenon grew by 40% last year.
The threat affects an increasingly connected vehicle fleet. The risks range from the theft of personal data to access to locations visited by the driver or to messages sent from devices linked to the vehicle. Locking the car to demand a ransom payment is also considered a risk.
More connectivity and more exposure
The increase in digital functions in vehicles is behind this growing exposure. Juan Manuel Martínez Alcalá, CTO of Lazarus Technology, warns that attacks on connected vehicles may increase in the short and medium term as their dependence on software and connectivity with cloud services intensifies.
"It is expected that in the short and medium term attacks on connected vehicles will increase as their dependence on software and connectivity with cloud services intensifies" - Juan Manuel Martínez Alcalá, CTO of Lazarus Technology
Forecasts from industry consultants point in the same direction. By 2030, 95% of new cars in circulation will incorporate connectivity elements that can be hacked. The technological transformation of the automobile, described years ago by specialists as the conversion of the car into a true computer on wheels, also expands the attack surface.
Concern among drivers
The fear of these crimes is already present among motorists. A RACE survey conducted in February based on almost a thousand online interviews with Spanish drivers indicates that 84.47% admit to being concerned about the possibility of suffering a cybercrime related to their car.
Concern grows when asked about the concrete consequences. 75.26% fear that a hacker will block the vehicle to demand money and 87.06% express concern about the economic cost of repairing the affected software. Despite this, the reported incidence remains low.
"Only 3.4% of respondents stated they had been a victim of a cybercrime related to their car or knew someone who had been" - Spokespersons for RACE
How access is gained
Specialists point out that a modern car does not depend on a single electronic system. Miguel Tarascó Acuña and Antonio Vázquez Blanco, researchers at Tarlogic, explain that these vehicles do not usually have a single control unit, but several, with separate functions for Wi-Fi and Bluetooth, for the USB ports and for other elements of the vehicle, such as directional headlights.
That architecture multiplies the entry points. A year ago, Tarlogic warned that a Chinese-origin chip called ESP32, present in multiple electronic devices, contained hidden functionality in its Bluetooth system, with undocumented commands that could be used for attacks.
Researchers emphasize that the infotainment system usually synchronizes with the driver's mobile phone. That can open the door to access contacts, locations, home address, or messages if a criminal manages to exploit a vulnerability. In cases where the victim is a person of interest, the objective may be the theft of information for subsequent blackmail.
"The 'infotainer' usually synchronizes with the driver's mobile phone, so the criminal can access sensitive user information" - Miguel Tarascó Acuña, researcher at Tarlogic
Background and limits of the threat
Precedents exist. In Toyota RAV4s manufactured between November 2018 and September 2022, criminals managed to access an ECU by removing one of the headlights. With this, they could start the car, deactivate the GPS, and then transport it to Gambia. The manufacturer later corrected that problem.
In 2015, hackers also managed to remotely stop, against the driver's will, a Jeep Cherokee that was traveling on a highway in the United States. That model is sold in Spain, which made the case a reference point in automotive cybersecurity.
The experts note, however, that causing an accident by manipulating a vehicle is much more difficult than stealing data or blocking functions. They maintain that the malicious actor usually seeks a direct benefit and that forcing an accident does not fit that logic, in addition to increasing the risk of being tracked.
Updates and manufacturers' response
The ability to respond depends on the type of flaw. When the vulnerability is in the software, the solution can arrive through an update. If the problem is in the hardware, the process becomes more complicated and depends on the manufacturer detecting it, notifying the owners, and replacing the affected component.
The expansion of the connected car has turned cybersecurity into a central factor of the automobile. With more digital functions, more data exchange, and increasingly widespread connectivity, the protection of these systems ceases to be a technical issue reserved for specialists and comes to fully affect millions of drivers.