Modern cars are essentially computers on wheels. Depending on the model, a new vehicle rolling off the line today might contain upwards of 100 electronic control units, tens of millions of lines of code, and a permanent connection to the internet via built-in SIM cards. That is extraordinary engineering. It is also an extraordinary attack surface. The conversation around automotive cybersecurity car hacking in 2026 is no longer a theoretical one — it is happening, it is escalating, and the motor trade needs to understand it.
What Does a Connected Car Actually Look Like From a Hacker’s Perspective?
To a cybersecurity researcher (or a criminal), a modern connected car looks like a mesh of wireless entry points. There is the key fob and its rolling-code signal. There is Bluetooth pairing, which persists even after a phone is removed from the contacts list. There is the onboard Wi-Fi hotspot. There is the OTA (over-the-air) update channel the manufacturer uses to push software patches. And then there is the most underappreciated one: the telematics unit, the always-on cellular connection that reports diagnostic data, enables remote locking, and feeds usage-based insurance apps.
Each of those channels represents a potential doorway. The car’s internal network, typically running on a CAN bus architecture, was not designed with security in mind. It was designed for speed and reliability. Commands sent across a CAN bus carry no authentication. If you can get onto the bus, you can tell the car to do almost anything its software is capable of doing.
Real-World Examples of Car Hacking That Should Concern Every Technician
The famous Jeep Cherokee remote hack from 2015 feels like ancient history now, but the principle has only become more relevant as cars have grown more connected. Closer to home, relay attacks on keyless entry systems have become so routine in the UK that insurers routinely flag them in policy small print. The Metropolitan Police reported over 90,000 vehicle thefts in London in a recent 12-month period, with relay attacks and signal amplifiers accounting for a significant proportion of keyless car thefts.
More recently, security researchers have demonstrated vulnerabilities in telematics APIs used by major manufacturers. In 2022 and 2023, researchers found they could query manufacturer portals with nothing more than a vehicle identification number and gain access to account details, location history, and remote command functions on vehicles from multiple brands sold in the UK. These were disclosed responsibly and patched, but the point stands: the attack surface is wide and the fixes are reactive.
In 2026, the concern has shifted toward software-defined vehicles (SDVs), where core vehicle functions including steering assist, braking calibration, and power delivery are governed by software that can be updated remotely. A compromised OTA update channel on an SDV is not just a privacy problem. It is a road safety problem.
What This Means for Mechanics and Auto Electricians
This is where it gets practical for workshop technicians. Automotive cybersecurity car hacking in 2026 is starting to intersect directly with diagnostic work, and there are a few things worth knowing.
First, OBD port access is a legitimate attack vector. A device plugged into the OBD-II port during a diagnostic session has full access to the CAN bus. Rogue dongles sold as insurance trackers or cheap telematics units have been used to intercept signals and facilitate theft. If a customer brings a vehicle in with an aftermarket dongle they do not fully understand, it is worth flagging. Some shops are now doing a quick sweep for unauthorised devices as part of the vehicle intake process.
Second, when carrying out software updates or ECU reprogramming, technicians should ensure they are working with manufacturer-approved tools and genuine firmware. Using a cracked or unofficial update file is not just legally questionable under the Computer Misuse Act; it risks introducing compromised code into a vehicle’s systems. The Society of Motor Manufacturers and Traders (SMMT) has been pushing for clearer industry guidance on this front, and it is worth staying close to their communications.
Third, the rise of vehicle cybersecurity has created a new service opportunity. Some independent workshops are beginning to offer basic security audits, checking for unauthorised telematics devices, reviewing connected app permissions with the customer, and advising on physical security measures like steering locks and OBD port blockers. It is a niche that will only grow.
What Dealers Need to Think About
For franchised and independent dealers, the risk is slightly different. Used vehicles increasingly come with historical data attached: trip logs, paired phone contacts, location history, and sometimes stored payment card details from motorway toll or drive-through integrations. GDPR obligations mean dealers should be carrying out a proper data wipe on infotainment and telematics systems before reselling a vehicle. The Information Commissioner’s Office has published guidance on personal data in second-hand devices, and vehicles increasingly fall within scope of those principles. Failing to clear a previous owner’s data before sale is a liability waiting to happen.
There is also the question of warranty and software liability. As SDVs become the norm, the line between a mechanical fault and a software fault blurs. Dealers need clarity from manufacturers about what constitutes a cybersecurity-related defect and whether it falls under the vehicle warranty or a separate software agreement.
What Car Owners Should Know (and What You Can Tell Them)
For motorists, the immediate practical steps are fairly simple. Keep keyless fobs in a signal-blocking pouch or tin when at home. Do not leave a paired phone’s Bluetooth history in a vehicle you are selling. Review which third-party apps have been granted remote access to the vehicle through the manufacturer’s connected services platform, and revoke anything that is not actively used.
The NCSC (National Cyber Security Centre) has begun publishing consumer guidance on connected device security that is broad enough to cover automotive systems. It is worth pointing customers toward that resource if they raise concerns.
Where the Industry Is Heading
The UN Economic Commission for Europe’s WP.29 regulation, which mandates cybersecurity management systems for all new vehicle type approvals in the UK and Europe, came into force for new models back in 2022 and covers all new vehicles sold from 2024 onwards. It requires manufacturers to identify and manage cyber risks across the vehicle’s entire lifecycle, including post-sale. This is a meaningful baseline, but it places the compliance burden on OEMs rather than the aftermarket. You can read more about the UK’s alignment with these standards via the gov.uk vehicle cyber security guidance page.
For the independent motor trade, the practical takeaway is to stay informed, invest in proper manufacturer-approved diagnostic tooling, and start thinking about vehicle cybersecurity as a genuine part of the service conversation. The cars coming into your workshop are no longer just mechanical objects. They are networked endpoints. Treating them accordingly is not paranoia. It is good practice.
Frequently Asked Questions
Can a modern car really be hacked remotely?
Yes, in certain circumstances. Security researchers have demonstrated remote access to vehicle systems via telematics APIs and wireless interfaces on multiple occasions. Manufacturers patch these vulnerabilities, but connected vehicles do carry a genuine, if currently low-probability, remote attack risk.
What is a relay attack and how does it steal keyless entry cars?
A relay attack uses two devices to amplify the signal from a key fob inside a house, tricking the car into thinking the key is nearby and unlocking. It is one of the most common forms of car theft in the UK and can be mitigated with a Faraday pouch or a traditional steering lock as a deterrent.
Should mechanics worry about cybersecurity when diagnosing cars?
Increasingly, yes. The OBD port is a direct gateway to the vehicle’s CAN bus, making it a potential attack vector. Technicians should use approved diagnostic tools, be cautious about unknown aftermarket dongles found plugged in, and only flash ECUs with verified, legitimate firmware.
Do dealers have to wipe personal data from a used car before selling it?
Under GDPR, dealers have an obligation to ensure a previous owner’s personal data is not passed on inadvertently to a new buyer. This includes clearing navigation history, paired phone contacts, and any linked accounts in the infotainment or connected services system before resale.
What regulations cover automotive cybersecurity in the UK?
UN Regulation No. 155 (WP.29), to which the UK is aligned, requires vehicle manufacturers to implement a cybersecurity management system for all new models. It applies to all newly sold vehicles from 2024 onwards and governs the entire vehicle lifecycle including post-sale software updates.
Leave a Reply