Mind the Cyber Gap: Key Insights from Upstream’s 2025 Automotive Cybersecurity Report
The automotive landscape is undergoing a significant transformation, driven by increasing connectivity, electrification, and evolving cyber threats. Upstream’s 2025 Automotive & Smart Mobility Cybersecurity Report delves deep into these challenges, offering a data-driven analysis of the cybersecurity threats facing the mobility ecosystem today. In a recent webinar, Matt MacKinnon and I broke down key findings from this year’s report, highlighting the most pressing cyber risks, emerging attack vectors, and industry-wide trends shaping the future of automotive security. Here’s a closer look at the major insights shared during the discussion.
2024 marked a year of unprecedented cyber risk, with over 400 new publicly reported incidents analyzed in Upstream’s research. This includes a dramatic increase in the number of reported cyber incidents as well as threat actors operating in the deep & dark web. Threat actors are not only growing in number but also in sophistication, targeting cloud-based automotive systems, vehicle APIs, telematics infrastructure, and EV charging infrastructure at an unprecedented scale.
One of the most alarming findings is the shift toward large-scale attacks impacting thousands or even millions of vehicles or endpoints at once. Modern attackers now focus on exploiting cloud platforms, software ecosystems, and API vulnerabilities to maximize their impact.
A New Era of Automotive Ransomware
One of the important trends revealed in the report is the growing prevalence of ransomware attacks in the automotive sector. Nearly 25% of all recorded incidents in 2024 involved ransomware, marking a significant rise in both frequency and severity. This shift is particularly concerning for OEMs, dealerships, and service providers, as cybercriminals increasingly target critical business operations, supply chains, and customer data.
A prime example of this was a ransomware attack on a major dealership management software provider in 2024. With over 15,000 dealerships relying on this platform, the attack led to a three-week service outage, over $1 billion in economic damage, and a $25 million ransom demand. This event underscored the cascading effects of cyber disruptions, impacting vehicle sales, service scheduling, and overall business continuity.
Telematics, APIs, and Cloud-Based Attacks on the Rise
The data in Upstream’s report paints a clear picture: cyber threats are rapidly shifting toward software-defined components, telematics systems, and cloud-based infrastructure. The largest attack surface expansion has been in telematics, accounting for 66% of total incidents. API-related attacks increased by nearly 30%, to 17% of total incidents in 2024.
One notable case from the report demonstrated how cybersecurity researchers leveraged license plates to gain unauthorized access to vehicle control systems via compromised APIs. By exploiting weak authentication protocols, they could manipulate vehicle companion apps, unlocking doors, starting engines, and even altering vehicle ownership records within seconds. Such attacks highlight the urgent need for stronger authentication, continuous monitoring, and improved API security practices.
The Automotive Cyber Gap Poses a Challenge for All Stakeholders in the Near Future
As we discussed in our webinar and our report, 2024 introduced a significant concern in automotive cybersecurity. The cyber gap refers to the widening disconnect between regulatory compliance-driven efforts and actual cybersecurity resilience in the automotive industry. While regulations such as UNECE WP.29 and various compliance frameworks establish minimum cybersecurity requirements, they do not fully address the evolving nature of cyber threats. Attackers continuously find ways to exploit new vulnerabilities in cloud environments, APIs, and telematics systems, often outpacing the industry’s ability to respond.
One of the biggest contributors to this gap is the rapid expansion of software-defined vehicles and mobility services. As vehicles become more connected, third-party integrations, cloud infrastructures, and dealership management systems introduce additional attack surfaces. Without comprehensive, real-time threat monitoring and proactive security measures, organizations risk falling behind in the fight against cybercrime.
Regulatory compliance alone is no longer enough. To close this gap, the industry must move beyond a compliance-based approach and prioritize data-driven security solutions, AI-powered threat intelligence, and collaborative cybersecurity frameworks that span the entire mobility ecosystem.
OEMs, tier-1 suppliers, and mobility stakeholders must adopt a proactive, data-driven cybersecurity strategy that includes:
- Real-time monitoring and threat intelligence to detect and mitigate cyber threats before they escalate. AI plays a significant role in ensuring effective monitoring, detection, investigation, and response.
- API security and vulnerability management to prevent large-scale API-driven attacks.
- Enhanced ransomware defense strategies, including network segmentation, endpoint security, and threat-hunting capabilities.
- Stronger collaboration across the automotive cybersecurity ecosystem, leveraging insights from threat intelligence teams, industry groups, and security vendors.
Uncovering Threat Intel from the Deep & Dark Web
During 2024, our team tracked over 1,000 threat actors actively engaging in automotive-focused cybercrime, including ransomware distribution, API exploitation, and stolen data sales. During the webinar, we zoomed in on two primary categories of cybercriminals operating in these underground networks:
- Black Hats
These are highly sophisticated groups that execute large-scale, profit-driven cyberattacks. Their focus has shifted towards high-value targets, including vehicle telematics cloud systems, APIs, and OEM software supply chains. Their primary goal is to compromise thousands to millions of vehicles at once, maximizing financial gain through ransomware, data theft, and API-driven exploits.
- Fraud Operators
Unlike black hats, these actors focus on fraud and unauthorized system access, often selling cracked diagnostic tools, fake credentials, and stolen vehicle data. Our new report highlighted an increase in fraudulent listings for dealer access credentials, allowing bad actors to manipulate vehicle ownership records, service logs, and even immobilization settings.
China’s Influence on the Global Automotive Landscape
The role of China in the global automotive cybersecurity landscape has never been more significant. As a dominant player in EV production and battery manufacturing, China has gained a technological and cost advantage, with government-backed initiatives driving rapid innovation. However, this also raises cybersecurity concerns, particularly as international governments respond with new regulatory measures.
In 2024, the US Department of Commerce issued a ban on Chinese vehicles, citing concerns over cybersecurity, privacy, and national security risks. Europe has also begun taking steps in a similar direction, echoing concerns about espionage, data privacy, and supply chain vulnerabilities. This regulatory shift will undoubtedly reshape how OEMs and suppliers approach cybersecurity compliance and cross-border partnerships in the coming years.
Upstream’s 2025 Automotive Cybersecurity Report provides a comprehensive roadmap for tackling these challenges, offering in-depth data analysis, expert recommendations, and case studies from real-world incidents.